spec: mask /sys/kernel when bind mounting /sys

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-09-19 23:03:16 +08:00 · 2019-04-11 15:54:35 +02:00
parent 42eb9eaf29
commit 2c9c40dc82
1 changed files with 3 additions and 1 deletions
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@ -132,6 +132,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 			Options:     []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
 		}
 		g.AddMount(sysMnt)
 		if !config.Privileged && isRootless {
 			g.AddLinuxMaskedPaths("/sys/kernel")
 		}
 	}
 	if isRootless {
 		nGids, err := getAvailableGids()
@ -500,7 +503,6 @@ func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator)
 			"/proc/scsi",
 			"/sys/firmware",
 			"/sys/fs/selinux",
 			"/sys/kernel",
 		} {
 			g.AddLinuxMaskedPaths(mp)
 		}