security: honor systempaths=unconfined for ro paths

we must honor systempaths=unconfined also for read-only paths, as
Docker does:

proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

1 files changed, 12 insertions, 11 deletions

diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index 1808f99b8..e0b039fb7 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -167,22 +167,23 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask
 					g.AddLinuxMaskedPaths(mp)
 				}
 			}
+			for _, rp := range []string{
+				"/proc/asound",
+				"/proc/bus",
+				"/proc/fs",
+				"/proc/irq",
+				"/proc/sys",
+				"/proc/sysrq-trigger",
+			} {
+				if !util.StringInSlice(rp, unmask) {
+					g.AddLinuxReadonlyPaths(rp)
+				}
+			}
 		}
 
 		if pidModeIsHost && rootless.IsRootless() {
 			return
 		}
-
-		for _, rp := range []string{
-			"/proc/asound",
-			"/proc/bus",
-			"/proc/fs",
-			"/proc/irq",
-			"/proc/sys",
-			"/proc/sysrq-trigger",
-		} {
-			g.AddLinuxReadonlyPaths(rp)
-		}
 	}
 
 	// mask the paths provided by the user