diff options
Diffstat (limited to 'pkg/specgen/generate/config_linux.go')
-rw-r--r-- | pkg/specgen/generate/config_linux.go | 56 |
1 files changed, 33 insertions, 23 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go index 5c945cff3..6b9e9c4bf 100644 --- a/pkg/specgen/generate/config_linux.go +++ b/pkg/specgen/generate/config_linux.go @@ -10,7 +10,6 @@ import ( "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/pkg/rootless" - "github.com/containers/podman/v3/pkg/util" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/pkg/errors" @@ -151,30 +150,23 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask "/sys/dev/block", } - unmaskAll := false - if unmask != nil && unmask[0] == "ALL" { - unmaskAll = true - } - if !privileged { - if !unmaskAll { - for _, mp := range defaultMaskPaths { - // check that the path to mask is not in the list of paths to unmask - if !util.StringInSlice(mp, unmask) { - g.AddLinuxMaskedPaths(mp) - } + for _, mp := range defaultMaskPaths { + // check that the path to mask is not in the list of paths to unmask + if shouldMask(mp, unmask) { + g.AddLinuxMaskedPaths(mp) } - for _, rp := range []string{ - "/proc/asound", - "/proc/bus", - "/proc/fs", - "/proc/irq", - "/proc/sys", - "/proc/sysrq-trigger", - } { - if !util.StringInSlice(rp, unmask) { - g.AddLinuxReadonlyPaths(rp) - } + } + for _, rp := range []string{ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger", + } { + if shouldMask(rp, unmask) { + g.AddLinuxReadonlyPaths(rp) } } @@ -376,3 +368,21 @@ func supportAmbientCapabilities() bool { err := unix.Prctl(unix.PR_CAP_AMBIENT, unix.PR_CAP_AMBIENT_IS_SET, 0, 0, 0) return err == nil } + +func shouldMask(mask string, unmask []string) bool { + for _, m := range unmask { + if strings.ToLower(m) == "all" { + return false + } + for _, m1 := range strings.Split(m, ":") { + match, err := filepath.Match(m1, mask) + if err != nil { + logrus.Errorf(err.Error()) + } + if match { + return false + } + } + } + return true +} |