Add mask and unmask option to --security-opt

Add the mask and unmask option to the --security-opt flag to allow users to specify paths to mask and unmask in the container. If unmask=ALL, this will unmask all the paths we mask by default. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
author: Urvashi Mohnani <umohnani@redhat.com> 2020-11-18 21:36:16 -0500
committer: Urvashi Mohnani <umohnani@redhat.com> 2020-12-02 16:07:18 -0500
commit: 0334b6195820f7261f87a4f4e5d739a6d560f4b2 (patch)
tree: ad0667023f0aac28760e9a3bd879099e68684641 /pkg/specgen/generate/oci.go
parent: e3f0b7db7508f1e1ecfdb23adb53531c89a29b99 (diff)
download: podman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.tar.gz
podman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.tar.bz2
podman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 8454458a8..0368ab205 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -298,7 +298,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 		}
 	}
 
-	BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), &g)
+	BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), s.Mask, s.Unmask, &g)
 
 	for name, val := range s.Env {
 		g.AddProcessEnv(name, val)
author	Urvashi Mohnani <umohnani@redhat.com>	2020-11-18 21:36:16 -0500
committer	Urvashi Mohnani <umohnani@redhat.com>	2020-12-02 16:07:18 -0500
commit	0334b6195820f7261f87a4f4e5d739a6d560f4b2 (patch)
tree	ad0667023f0aac28760e9a3bd879099e68684641 /pkg/specgen/generate/oci.go
parent	e3f0b7db7508f1e1ecfdb23adb53531c89a29b99 (diff)
download	podman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.tar.gz podman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.tar.bz2 podman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.zip