spec: mask /sys/kernel when bind mounting /sys

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano
2019-04-11 15:54:35 +02:00
parent 42eb9eaf29
commit 2c9c40dc82


@ -132,6 +132,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
Options: []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
}
g.AddMount(sysMnt)
if !config.Privileged && isRootless {
g.AddLinuxMaskedPaths("/sys/kernel")
}
}
if isRootless {
nGids, err := getAvailableGids()
@ -500,7 +503,6 @@ func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator)
"/proc/scsi",
"/sys/firmware",
"/sys/fs/selinux",
"/sys/kernel",
} {
g.AddLinuxMaskedPaths(mp)
}
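Review bot: Removing `"/sys/kernel",` from the unconditional list in blockAccessToKernelFilesystems, while the earlier hunk only re-adds the mask under `!config.Privileged && isRootless` on the rbind path, means a rootful non-privileged container that previously had /sys/kernel masked no longer does — a wider behaviour change than "when bind mounting /sys" suggests, and nothing in the commit message says whether that is intended. If the rootful path mounts a fresh sysfs and leaving /sys/kernel visible there is deliberate, record it next to the new condition, e.g. `// Only the rootless rbind of the host /sys needs /sys/kernel masked; a fresh sysfs mount does not expose the host's kernel knobs.`, so the next reader does not re-add it to the shared list. The `if` that selects the rbind branch starts before the first hunk, so I cannot confirm from here whether that branch is already rootless-only; if it is, the `isRootless` half of the new condition is redundant and the comment should say which side is the real gate.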