Merge pull request #15895 from dcermak/don-expose-dev-for-privileged

Don't mount /dev/ inside privileged containers running systemd
author: OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> 2022-09-22 19:03:15 +0200
committer: GitHub <noreply@github.com> 2022-09-22 19:03:15 +0200
commit: 08993516a939576fa009db6e7ed32524026a822d (patch)
tree: 05fd47ec0708f53e095004af48b853cd41316d57 /libpod
parent: 8bf3535447fe9f482b329e962e173ade26456e6d (diff)
parent: 5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08 (diff)
download: podman-08993516a939576fa009db6e7ed32524026a822d.tar.gz
podman-08993516a939576fa009db6e7ed32524026a822d.tar.bz2
podman-08993516a939576fa009db6e7ed32524026a822d.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 874e9affe..29107d4b6 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -109,7 +109,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	// If the flag to mount all devices is set for a privileged container, add
 	// all the devices from the host's machine into the container
 	if c.config.MountAllDevices {
-		if err := util.AddPrivilegedDevices(&g); err != nil {
+		systemdMode := false
+		if c.config.Systemd != nil {
+			systemdMode = *c.config.Systemd
+		}
+		if err := util.AddPrivilegedDevices(&g, systemdMode); err != nil {
 			return nil, err
 		}
 	}
author	OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>	2022-09-22 19:03:15 +0200
committer	GitHub <noreply@github.com>	2022-09-22 19:03:15 +0200
commit	08993516a939576fa009db6e7ed32524026a822d (patch)
tree	05fd47ec0708f53e095004af48b853cd41316d57 /libpod
parent	8bf3535447fe9f482b329e962e173ade26456e6d (diff)
parent	5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08 (diff)
download	podman-08993516a939576fa009db6e7ed32524026a822d.tar.gz podman-08993516a939576fa009db6e7ed32524026a822d.tar.bz2 podman-08993516a939576fa009db6e7ed32524026a822d.zip