Merge pull request #2899 from giuseppe/prevent-sys-fs-kernel-paths-in-userns

userns: prevent /sys/kernel/* paths in the container
author: OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> 2019-04-11 08:30:31 -0700
committer: GitHub <noreply@github.com> 2019-04-11 08:30:31 -0700
commit: b281c34b317ff6f84757b590905c5ef5981863e0 (patch)
tree: 1ca9c59c49e42c3b4d1687e0ced9d6639cc83a7c /pkg/spec/spec.go
parent: 4596c39655f7ff5e741adbc97aaa49bb3a9d453e (diff)
parent: 2c9c40dc82141d3876d08fa5421f380b975a387b (diff)
download: podman-b281c34b317ff6f84757b590905c5ef5981863e0.tar.gz
podman-b281c34b317ff6f84757b590905c5ef5981863e0.tar.bz2
podman-b281c34b317ff6f84757b590905c5ef5981863e0.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 9b6bd089e..0371b6d4d 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -132,6 +132,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 			Options:     []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
 		}
 		g.AddMount(sysMnt)
+		if !config.Privileged && isRootless {
+			g.AddLinuxMaskedPaths("/sys/kernel")
+		}
 	}
 	if isRootless {
 		nGids, err := getAvailableGids()
author	OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>	2019-04-11 08:30:31 -0700
committer	GitHub <noreply@github.com>	2019-04-11 08:30:31 -0700
commit	b281c34b317ff6f84757b590905c5ef5981863e0 (patch)
tree	1ca9c59c49e42c3b4d1687e0ced9d6639cc83a7c /pkg/spec/spec.go
parent	4596c39655f7ff5e741adbc97aaa49bb3a9d453e (diff)
parent	2c9c40dc82141d3876d08fa5421f380b975a387b (diff)
download	podman-b281c34b317ff6f84757b590905c5ef5981863e0.tar.gz podman-b281c34b317ff6f84757b590905c5ef5981863e0.tar.bz2 podman-b281c34b317ff6f84757b590905c5ef5981863e0.zip