From 0ddb42b4f7bffe8f0d3f8415717b94beed8a8545 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Wed, 15 Aug 2018 17:08:27 +0200
Subject: spec: bind mount /sys only for rootless containers

root can always mount a new instance.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1279
Approved by: rhatdan
---
 pkg/spec/spec.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index bceae4677..231cb59fc 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -35,7 +35,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 			Options:     []string{"nosuid", "noexec", "nodev", "rw"},
 		}
 		g.AddMount(sysMnt)
-	} else if !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
+	} else if rootless.IsRootless() && !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
 		addCgroup = false
 		g.RemoveMount("/sys")
 		sysMnt := spec.Mount{
-- 
cgit v1.2.3-54-g00ecf