userns: prevent /sys/kernel/* paths in the container

when we run in a user namespace, there are cases where we have not enough privileges to mount a fresh sysfs on /sys. To circumvent this limitation, we rbind /sys from the host. This carries inside of the container also some mounts we probably don't want to. We are also limited by the kernel to use rbind instead of bind, as allowing a bind would uncover paths that were not previously visible. This is a slimmed down version of the intermediate mount namespace logic we had before, where we only set /sys to slave, so the umounts done to the storage by the cleanup process are propagated back to the host. We also don't setup any new directory, so there is no additional cleanup to do. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-12-09 23:27:09 +08:00 · 2019-04-11 11:51:02 +02:00
parent 6cd6eb6768
commit b7800889fb
2 changed files with 61 additions and 0 deletions
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -31,4 +31,12 @@ echo $rand        |   0 | $rand
    done < <(parse_table "$tests")
 }

+@test "podman run - uidmapping has no /sys/kernel mounts" {
+      run_podman $expected_rc run --uidmapping 0:100:10000 $IMAGE mount | grep /sys/kernel
+      is "$output" "" "podman run $cmd - output"
+
+      run_podman $expected_rc run --net host --uidmapping 0:100:10000 $IMAGE mount | grep /sys/kernel
+      is "$output" "" "podman run $cmd - output"
+}
+
 # vim: filetype=sh