authorbaude <bbaude@redhat.com>2020-10-01 15:18:11 -0500
committerbaude <bbaude@redhat.com>2020-10-01 15:18:11 -0500
commitf0c71168481e525414a38dc3eaf5a027afe2d4e7 (patch)
tree3be3d290633ff11a5ee4fd80225ace250a298806 /pkg/spec/config_linux.go
parent5d22eb02f95f28a87ed263afe28b7ff4bf2f6fee (diff)
fix compat api privileged and entrypoint code
When adding /dev to a privileged container using the compatibility API, we need to make sure we don't pass on devices that are simply symlinks. This was already being done by specgen but not on the compat side. The entrypoint code that was recently rewritten for the compatibility layer was also failing due to the odd inputs that docker is willing to accept in its JSON, specifically [] vs "". In the case of the latter, this was being made into a []string with a len of one but no content. This would then be used to prefix the command to run in the container and would fail, for example " ls" vs "ls". Signed-off-by: baude <bbaude@redhat.com>
Diffstat (limited to 'pkg/spec/config_linux.go')
-rw-r--r--pkg/spec/config_linux.go3
1 files changed, 3 insertions, 0 deletions
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index d03663f12..319cce61f 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -200,6 +200,9 @@ func getDevices(path string) ([]*configs.Device, error) {
}
case f.Name() == "console":
continue
+ case f.Mode()&os.ModeSymlink != 0:
+ // do not add symlink'd devices to privileged devices
+ continue
}
device, err := devices.DeviceFromPath(filepath.Join(path, f.Name()), "rwm")
if err != nil {
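Review bot: The new `case f.Mode()&os.ModeSymlink != 0:` in getDevices only matches when `f` is a FileInfo obtained without following links (an lstat-style directory listing). The call that produces `f` is outside this hunk, so that is worth confirming: a FileInfo from a link-following stat never carries the symlink bit, and the entry would still reach `devices.DeviceFromPath` as before. The comment could also state why the skip matters rather than what it does, e.g. `// skip symlinks: a link under the device dir resolves to a target we did not enumerate; a privileged container should only receive real device nodes`. The skip is silent, so a debug-level log naming the skipped entry would help when someone asks why a device is missing from the container. getDevices starts and ends outside the hunk.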