From 2c9c40dc82141d3876d08fa5421f380b975a387b Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Thu, 11 Apr 2019 15:54:35 +0200
Subject: spec: mask /sys/kernel when bind mounting /sys

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 pkg/spec/spec.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 33c9fd6f3..0371b6d4d 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -132,6 +132,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 			Options:     []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
 		}
 		g.AddMount(sysMnt)
+		if !config.Privileged && isRootless {
+			g.AddLinuxMaskedPaths("/sys/kernel")
+		}
 	}
 	if isRootless {
 		nGids, err := getAvailableGids()
@@ -500,7 +503,6 @@ func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator)
 			"/proc/scsi",
 			"/sys/firmware",
 			"/sys/fs/selinux",
-			"/sys/kernel",
 		} {
 			g.AddLinuxMaskedPaths(mp)
 		}
-- 
cgit v1.2.3-54-g00ecf