From bf00c976dd7509b7d84d1fa5254f1ac26fc494e5 Mon Sep 17 00:00:00 2001
From: baude
Date: Wed, 31 Jan 2018 14:21:47 -0600
Subject: sysfs should be mounted rw for privileged
sysfs should be mounted rw for a privileged container.
Signed-off-by: baude
Closes: #279
Approved by: rhatdan
---
 cmd/podman/spec.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'cmd')
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index d21d8b6da..56e8c8d05 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -156,12 +156,24 @@ func addDevice(g *generate.Generator, device string) error {
 // Parses information needed to create a container into an OCI runtime spec
 func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
+ cgroupPerm := "ro"
 g := generate.New()
+ if config.Privileged {
+ cgroupPerm = "rw"
+ g.RemoveMount("/sys")
+ sysMnt := spec.Mount{
+ Destination: "/sys",
+ Type: "sysfs",
+ Source: "sysfs",
+ Options: []string{"nosuid", "noexec", "nodev", "rw"},
+ }
+ g.AddMount(sysMnt)
+ }
 cgroupMnt := spec.Mount{
 Destination: "/sys/fs/cgroup",
 Type: "cgroup",
 Source: "cgroup",
- Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", cgroupPerm},
 }
 g.AddMount(cgroupMnt)
 g.SetProcessCwd(config.WorkDir)
--
cgit v1.2.3-54-g00ecf
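Review bot: The new `if config.Privileged` block silently widens the container's write access to host sysfs and to its own cgroup tree, but nothing in the code says why, and the function's doc comment still only mentions parsing; a reader hitting `g.RemoveMount("/sys")` has to guess that it is replacing the generator's default read-only sysfs entry. I would add above the branch: `// Privileged containers get a writable /sys and /sys/fs/cgroup; the default read-only sysfs mount from generate.New() is dropped first so the rw one below does not duplicate it.` The replacement sysfs mount also lists `"nosuid", "noexec", "nodev", "rw"` while the cgroup mount keeps `relatime`; if that asymmetry is deliberate a short comment would prevent a later "fix", otherwise aligning the two option lists is a one-word change. Declaring `cgroupPerm := "ro"` before `g := generate.New()` separates the variable from the branch that sets it; moving the declaration to just above the `if` keeps the privileged logic in one place. createConfigToOCISpec continues past the end of this hunk.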