diff options
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-12-09 15:04:41 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-12-09 15:04:41 -0500 |
| commit | 059c2ee739c156287237c07e07f497602bd9958d (patch) | |
| tree | 168f9e79a11e855d1bd46d93aa04211d106aab52 /pkg/specgen/generate | |
| parent | 4511cb3852cae5ca2ef3ee66c8e21699075b4e78 (diff) | |
| parent | 176be90e0a94c7b073b1b4e0da5903b0440748d6 (diff) | |
| download | podman-059c2ee739c156287237c07e07f497602bd9958d.tar.gz podman-059c2ee739c156287237c07e07f497602bd9958d.tar.bz2 podman-059c2ee739c156287237c07e07f497602bd9958d.zip | |
Merge pull request #8669 from giuseppe/unmask-also-cover-ro-paths
security: honor systempaths=unconfined for ro paths
Diffstat (limited to 'pkg/specgen/generate')
| -rw-r--r-- | pkg/specgen/generate/config_linux.go | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go index 1808f99b8..e0b039fb7 100644 --- a/pkg/specgen/generate/config_linux.go +++ b/pkg/specgen/generate/config_linux.go @@ -167,22 +167,23 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask g.AddLinuxMaskedPaths(mp) } } + for _, rp := range []string{ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger", + } { + if !util.StringInSlice(rp, unmask) { + g.AddLinuxReadonlyPaths(rp) + } + } } if pidModeIsHost && rootless.IsRootless() { return } - - for _, rp := range []string{ - "/proc/asound", - "/proc/bus", - "/proc/fs", - "/proc/irq", - "/proc/sys", - "/proc/sysrq-trigger", - } { - g.AddLinuxReadonlyPaths(rp) - } } // mask the paths provided by the user |