summaryrefslogtreecommitdiff
path: root/pkg/specgen/generate
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-12-09 15:04:41 -0500
committerGitHub <noreply@github.com>2020-12-09 15:04:41 -0500
commit059c2ee739c156287237c07e07f497602bd9958d (patch)
tree168f9e79a11e855d1bd46d93aa04211d106aab52 /pkg/specgen/generate
parent4511cb3852cae5ca2ef3ee66c8e21699075b4e78 (diff)
parent176be90e0a94c7b073b1b4e0da5903b0440748d6 (diff)
downloadpodman-059c2ee739c156287237c07e07f497602bd9958d.tar.gz
podman-059c2ee739c156287237c07e07f497602bd9958d.tar.bz2
podman-059c2ee739c156287237c07e07f497602bd9958d.zip
Merge pull request #8669 from giuseppe/unmask-also-cover-ro-paths
security: honor systempaths=unconfined for ro paths
Diffstat (limited to 'pkg/specgen/generate')
-rw-r--r--pkg/specgen/generate/config_linux.go23
1 files changed, 12 insertions, 11 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index 1808f99b8..e0b039fb7 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -167,22 +167,23 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask
g.AddLinuxMaskedPaths(mp)
}
}
+ for _, rp := range []string{
+ "/proc/asound",
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger",
+ } {
+ if !util.StringInSlice(rp, unmask) {
+ g.AddLinuxReadonlyPaths(rp)
+ }
+ }
}
if pidModeIsHost && rootless.IsRootless() {
return
}
-
- for _, rp := range []string{
- "/proc/asound",
- "/proc/bus",
- "/proc/fs",
- "/proc/irq",
- "/proc/sys",
- "/proc/sysrq-trigger",
- } {
- g.AddLinuxReadonlyPaths(rp)
- }
}
// mask the paths provided by the user