From 176be90e0a94c7b073b1b4e0da5903b0440748d6 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 9 Dec 2020 19:25:24 +0100
Subject: security: honor systempaths=unconfined for ro paths

we must honor systempaths=unconfined also for read-only paths, as Docker does: proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
Signed-off-by: Giuseppe Scrivano
---
 test/e2e/run_test.go | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'test/e2e')
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index f73a15633..dbdd6a072 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -272,6 +272,13 @@ var _ = Describe("Podman run", func() {
 session.WaitWithDefaultTimeout()
 Expect(session.OutputToString()).To(Not(BeEmpty()))
 Expect(session.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr5", "--security-opt", "systempaths=unconfined", ALPINE, "grep", "/proc", "/proc/self/mounts"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ stdoutLines := session.OutputToStringArray()
+ Expect(stdoutLines).Should(HaveLen(1))
+
 })
 
 It("podman run seccomp test", func() {
-- 
cgit v1.2.3-54-g00ecf
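Review bot: The added assertions do not appear able to fail on the behaviour under test, because the container is started with `-d`: a detached `podman run` prints the container ID and returns once the container has started, so `session.ExitCode()` is not grep's status and `HaveLen(1)` presumably counts the ID line rather than the `/proc` entries in `/proc/self/mounts`. A regression that leaves the read-only `/proc` sub-mounts in place under `systempaths=unconfined` would then still pass this test. Run the container in the foreground, for example by replacing `"-d", "--name=maskCtr5"` with `"--rm"`, so the session captures grep's output and exit code. It would also help to assert that the single remaining line carries `rw`, as in the mount line quoted in the commit message. The enclosing `It` block starts outside the hunk, so the earlier maskCtr cases may need the same check.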