summaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2020-12-09 19:25:24 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2020-12-09 19:26:23 +0100
commit176be90e0a94c7b073b1b4e0da5903b0440748d6 (patch)
tree8b2ea766440058bdaba6c0f12ecb85ae086b4ba8 /pkg
parentb875c5c27c503108f1984256833a9a2da4d0c5d1 (diff)
downloadpodman-176be90e0a94c7b073b1b4e0da5903b0440748d6.tar.gz
podman-176be90e0a94c7b073b1b4e0da5903b0440748d6.tar.bz2
podman-176be90e0a94c7b073b1b4e0da5903b0440748d6.zip
security: honor systempaths=unconfined for ro paths
we must honor systempaths=unconfined also for read-only paths, as Docker does: proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/specgen/generate/config_linux.go23
1 files changed, 12 insertions, 11 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index 1808f99b8..e0b039fb7 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -167,22 +167,23 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask
g.AddLinuxMaskedPaths(mp)
}
}
+ for _, rp := range []string{
+ "/proc/asound",
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger",
+ } {
+ if !util.StringInSlice(rp, unmask) {
+ g.AddLinuxReadonlyPaths(rp)
+ }
+ }
}
if pidModeIsHost && rootless.IsRootless() {
return
}
-
- for _, rp := range []string{
- "/proc/asound",
- "/proc/bus",
- "/proc/fs",
- "/proc/irq",
- "/proc/sys",
- "/proc/sysrq-trigger",
- } {
- g.AddLinuxReadonlyPaths(rp)
- }
}
// mask the paths provided by the user