diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2020-12-09 19:25:24 +0100 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2020-12-09 19:26:23 +0100 |
commit | 176be90e0a94c7b073b1b4e0da5903b0440748d6 (patch) | |
tree | 8b2ea766440058bdaba6c0f12ecb85ae086b4ba8 /pkg | |
parent | b875c5c27c503108f1984256833a9a2da4d0c5d1 (diff) | |
download | podman-176be90e0a94c7b073b1b4e0da5903b0440748d6.tar.gz podman-176be90e0a94c7b073b1b4e0da5903b0440748d6.tar.bz2 podman-176be90e0a94c7b073b1b4e0da5903b0440748d6.zip |
security: honor systempaths=unconfined for ro paths
we must honor systempaths=unconfined also for read-only paths, as
Docker does:
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/specgen/generate/config_linux.go | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go index 1808f99b8..e0b039fb7 100644 --- a/pkg/specgen/generate/config_linux.go +++ b/pkg/specgen/generate/config_linux.go @@ -167,22 +167,23 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask g.AddLinuxMaskedPaths(mp) } } + for _, rp := range []string{ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger", + } { + if !util.StringInSlice(rp, unmask) { + g.AddLinuxReadonlyPaths(rp) + } + } } if pidModeIsHost && rootless.IsRootless() { return } - - for _, rp := range []string{ - "/proc/asound", - "/proc/bus", - "/proc/fs", - "/proc/irq", - "/proc/sys", - "/proc/sysrq-trigger", - } { - g.AddLinuxReadonlyPaths(rp) - } } // mask the paths provided by the user |