Merge pull request #20509 from openshift-cherrypick-robot/cherry-pick-20501-to-v4.7

[v4.7] Mask /sys/devices/virtual/powercap
2025-08-23 09:18:19 +08:00 · 2023-10-27 12:00:22 -04:00
parent afb7d7e52b bd86a52f09
commit 801ca64d44
4 changed files with 35 additions and 0 deletions
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@ -679,6 +679,8 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 		}
 	}

+	c.addMaskedPaths(&g)
+
 	return g.Config, cleanupFunc, nil
 }

--- a/libpod/container_internal_freebsd.go
+++ b/libpod/container_internal_freebsd.go
@ -385,3 +385,7 @@ func (c *Container) getPlatformRunPath() (string, error) {
 	}
 	return runPath, nil
 }
+
+func (c *Container) addMaskedPaths(g *generate.Generator) {
+	// There are currently no FreeBSD-specific masked paths
+}
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@ -805,3 +805,9 @@ func (c *Container) makePlatformMtabLink(etcInTheContainerFd, rootUID, rootGID i
 func (c *Container) getPlatformRunPath() (string, error) {
 	return "/run", nil
 }
+
+func (c *Container) addMaskedPaths(g *generate.Generator) {
+	if !c.config.Privileged {
+		g.AddLinuxMaskedPaths("/sys/devices/virtual/powercap")
+	}
+}
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@ -413,6 +413,29 @@ var _ = Describe("Podman run", func() {
 		Expect(session.OutputToString()).To(Not(BeEmpty()))
 	})

+	It("podman run powercap is masked", func() {
+		Skip("CI VMs do not have access to powercap")
+
+		testCtr1 := "testctr"
+		run := podmanTest.Podman([]string{"run", "-d", "--name", testCtr1, ALPINE, "top"})
+		run.WaitWithDefaultTimeout()
+		Expect(run).Should(ExitCleanly())
+
+		exec := podmanTest.Podman([]string{"exec", "-ti", testCtr1, "ls", "/sys/devices/virtual/powercap"})
+		exec.WaitWithDefaultTimeout()
+		Expect(exec).To(ExitWithError())
+
+		testCtr2 := "testctr2"
+		run2 := podmanTest.Podman([]string{"run", "-d", "--privileged", "--name", testCtr2, ALPINE, "top"})
+		run2.WaitWithDefaultTimeout()
+		Expect(run2).Should(ExitCleanly())
+
+		exec2 := podmanTest.Podman([]string{"exec", "-ti", testCtr2, "ls", "/sys/devices/virtual/powercap"})
+		exec2.WaitWithDefaultTimeout()
+		Expect(exec2).Should(ExitCleanly())
+		Expect(exec2.OutputToString()).Should(Not(BeEmpty()))
+	})
+
 	It("podman run security-opt unmask on /sys/fs/cgroup", func() {

 		SkipIfCgroupV1("podman umask on /sys/fs/cgroup will fail with cgroups V1")