security: honor systempaths=unconfined for ro paths

we must honor systempaths=unconfined also for read-only paths, as Docker does: proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-10-25 02:04:43 +08:00 · 2020-12-09 19:25:24 +01:00
parent b875c5c27c
commit 176be90e0a
4 changed files with 23 additions and 15 deletions
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@ -272,6 +272,13 @@ var _ = Describe("Podman run", func() {
 		session.WaitWithDefaultTimeout()
 		Expect(session.OutputToString()).To(Not(BeEmpty()))
 		Expect(session.ExitCode()).To(Equal(0))
+
+		session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr5", "--security-opt", "systempaths=unconfined", ALPINE, "grep", "/proc", "/proc/self/mounts"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		stdoutLines := session.OutputToStringArray()
+		Expect(stdoutLines).Should(HaveLen(1))
+
 	})

 	It("podman run seccomp test", func() {