Diffstat (limited to 'cmd/kpod')
-rw-r--r-- | cmd/kpod/spec.go | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index 1ae050d25..581be5241 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -17,6 +17,33 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+func blockAccessToKernelFilesystems(config *createConfig, g *generate.Generator) {
+	if !config.privileged {
+		for _, mp := range []string{
+			"/proc/kcore",
+			"/proc/latency_stats",
+			"/proc/timer_list",
+			"/proc/timer_stats",
+			"/proc/sched_debug",
+			"/proc/scsi",
+			"/sys/firmware",
+		} {
+			g.AddLinuxMaskedPaths(mp)
+		}
+
+		for _, rp := range []string{
+			"/proc/asound",
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger",
+		} {
+			g.AddLinuxReadonlyPaths(rp)
+		}
+	}
+}
+
 func addRlimits(config *createConfig, g *generate.Generator) error {
 	var (
 		ul *units.Ulimit
@@ -127,6 +154,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	g.SetProcessApparmorProfile(config.apparmorProfile)
 	g.SetProcessSelinuxLabel(config.processLabel)
 	g.SetLinuxMountLabel(config.mountLabel)
+	blockAccessToKernelFilesystems(config, &g)
 
 	// RESOURCES - PIDS
 	if config.resources.pidsLimit != 0 {
|
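Review bot: The new blockAccessToKernelFilesystems has no doc comment, and its whole body sits under `if !config.privileged`, where a guard clause would keep the two path loops left-aligned and make the privileged exemption obvious at a glance: `// blockAccessToKernelFilesystems masks the kernel pseudo-files that leak host state and mounts the listed /proc subtrees read-only; privileged containers deliberately get neither restriction.` followed by `if config.privileged {` / `return` / `}`. A one-line comment on the two literals noting that they mirror the default masked and read-only paths runc applies to unprivileged containers would help the next maintainer keep the lists in sync rather than editing them ad hoc. Because AddLinuxMaskedPaths and AddLinuxReadonlyPaths append to the spec, if the generator passed in the second hunk was seeded with default lists by its constructor, the same entries would presumably end up duplicated in the emitted spec — worth confirming against how g is created, which happens outside the hunk. The caller createConfigToOCISpec starts and ends outside the second hunk.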