From 239bd57662162e9754421a31db9cf529cee8d701 Mon Sep 17 00:00:00 2001 From: Urvashi Mohnani Date: Mon, 7 Dec 2020 10:57:46 -0500 Subject: Add systempaths=unconfined option Add the systempaths=unconfined option to --security-opt to match the docker options for unmasking all the paths that are masked by default. Add the mask and unmask options to the podman create doc. Signed-off-by: Urvashi Mohnani --- cmd/podman/common/specgen.go | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'cmd') diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go index e0da142ad..c416d0d7b 100644 --- a/cmd/podman/common/specgen.go +++ b/cmd/podman/common/specgen.go @@ -531,6 +531,13 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string case "seccomp": s.SeccompProfilePath = con[1] s.Annotations[define.InspectAnnotationSeccomp] = con[1] + // this option is for docker compatibility, it is the same as unmask=ALL + case "systempaths": + if con[1] == "unconfined" { + s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, []string{"ALL"}...) + } else { + return fmt.Errorf("invalid systempaths option %q, only `unconfined` is supported", con[1]) + } case "unmask": s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, strings.Split(con[1], ":")...) default: -- cgit v1.2.3-54-g00ecf