Fix parsing of paths for unmask

This fixes an issue where multiple paths separated by a colon were
treated as a single path, contrary to what the docs say and unlike how
the mask option works.

Test was updated with a case that fails without this commit.

Signed-off-by: Šimon Škoda <ver4a@uncontrol.me>
Šimon Škoda
2025-05-09 11:22:12 +00:00
committed by ver4a
parent e138304f33
commit 7a161115f9
2 changed files with 5 additions and 4 deletions


@ -739,9 +739,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
return fmt.Errorf("invalid systempaths option %q, only `unconfined` is supported", val)
}
case "unmask":
if hasVal {
s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, val)
}
s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, strings.Split(val, ":")...)
case "no-new-privileges":
noNewPrivileges := true
if hasVal {
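Review bot: Dropping the `if hasVal` guard in the `unmask` case means a bare `unmask` with no value now reaches `strings.Split(val, ":")`, which returns a one-element slice holding the empty string for empty input, so an empty path would be appended to `Unmask` where nothing was appended before (this assumes `val` is empty when `hasVal` is false; the parsing of `val` is outside the hunk). This list relaxes the default path masking, so it should hold only paths the user actually wrote; how an empty entry is treated downstream is not visible here. I would keep the guard around the new line, `if hasVal { s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, strings.Split(val, ":")...) }`, and consider skipping empty segments produced by inputs such as a trailing or doubled colon. `FillOutSpecGen` starts and ends outside the hunk.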