From bbbdd45b2c901aa58a1f40eb93957908df271bf5 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Mon, 27 Aug 2018 13:28:08 +0200
Subject: spec: bind mount /sys only when userNS are enabled

Fix the test for checking when /sys must be bind mounted from the
host.  It should be done only when userNS are enabled (the
!UsernsMode.IsHost() check is not enough for that).

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1349
Approved by: rhatdan
---
 pkg/spec/spec.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)


diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 8d8a07a2e..8038dd6ba 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -27,7 +27,10 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 	addCgroup := true
 	canMountSys := true
 
-	if !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
+	isRootless := rootless.IsRootless()
+	inUserNS := isRootless || (len(config.IDMappings.UIDMap) > 0 || len(config.IDMappings.GIDMap) > 0) && !config.UsernsMode.IsHost()
+
+	if inUserNS && config.NetMode.IsHost() {
 		canMountSys = false
 	}
 
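Review bot: The `inUserNS` line relies on `&&` binding tighter than `||`, so the parentheses around the two `len(...) > 0` checks read as if they were the whole second operand while `!config.UsernsMode.IsHost()` actually only applies to that pair; since this value decides whether the host's /sys is bind-mounted, the intended grouping should be explicit: `inUserNS := isRootless || ((len(config.IDMappings.UIDMap) > 0 || len(config.IDMappings.GIDMap) > 0) && !config.UsernsMode.IsHost())`. Evaluation is unchanged; the extra parentheses only make "has ID mappings and is not host userns" visibly one unit. If `config.IDMappings` is a pointer that can be nil for a CreateConfig built without mappings, the two `len` calls dereference it unconditionally — worth confirming against the callers, which are not in this hunk. CreateConfigToOCISpec continues past the end of the hunk.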
@@ -56,7 +59,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 		}
 		g.AddMount(sysMnt)
 	}
-	if rootless.IsRootless() {
+	if isRootless {
 		g.RemoveMount("/dev/pts")
 		devPts := spec.Mount{
 			Destination: "/dev/pts",
-- 