diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 89aa607593..a2d3e69eb8 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -679,6 +679,8 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 }
 }
+ c.addMaskedPaths(&g)
+
 return g.Config, cleanupFunc, nil
 }
diff --git a/libpod/container_internal_freebsd.go b/libpod/container_internal_freebsd.go
index fe3d238d75..e277aaca92 100644
--- a/libpod/container_internal_freebsd.go
+++ b/libpod/container_internal_freebsd.go
@@ -385,3 +385,7 @@ func (c *Container) getPlatformRunPath() (string, error) {
 }
 return runPath, nil
 }
+
+func (c *Container) addMaskedPaths(g *generate.Generator) {
+ // There are currently no FreeBSD-specific masked paths
+}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 2a9bb9f86a..4f1f3790dc 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -805,3 +805,9 @@ func (c *Container) makePlatformMtabLink(etcInTheContainerFd, rootUID, rootGID i
 func (c *Container) getPlatformRunPath() (string, error) {
 return "/run", nil
 }
+
+func (c *Container) addMaskedPaths(g *generate.Generator) {
+ if !c.config.Privileged {
+ g.AddLinuxMaskedPaths("/sys/devices/virtual/powercap")
+ }
+}
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index ae8db35d9a..a74ecf78a7 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
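Review bot: c.addMaskedPaths(&g) is the last step of generateSpec, after any user-supplied security options have presumably already been folded into g, so a container started with `--security-opt unmask=ALL` or `unmask=/sys/devices/virtual/powercap` may still get the path masked by the Linux implementation in container_internal_linux.go; only `--privileged` skips it. If unmask is honoured somewhere before this call (outside the hunk), a comment on the call saying so would settle it, e.g. `// unmask= options were applied earlier; this only adds the platform defaults`. Otherwise addMaskedPaths should consult the container's unmask configuration, or the path should be added where the other default masked paths are assembled so the existing unmask handling applies to it too. generateSpec's body starts outside the hunk.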
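Review bot: The new addMaskedPaths stub has no doc comment, and the inline comment records the FreeBSD state but not the contract the per-platform pair must honour, which is what a reader coming from container_internal_common.go needs. I would replace the body comment with a doc comment such as `// addMaskedPaths appends the platform-specific paths that must be hidden from the container to g; FreeBSD currently has none, so g is left untouched.` and give the Linux counterpart in container_internal_linux.go a matching one that also states the privileged exemption. Since g is unused here, naming the parameter `_` would make the stub's intent explicit.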
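Review bot: The path "/sys/devices/virtual/powercap" is a bare literal with no note of why it is masked, and the same literal is repeated twice in the new e2e test; a named constant with a comment would record the intent in one place, e.g. `// powercapPath is hidden from non-privileged containers so the energy counters it exposes are not readable from inside.` followed by `const powercapPath = "/sys/devices/virtual/powercap"`. As far as I can tell AddLinuxMaskedPaths appends without checking for an existing entry, so a user who already masks this path via `--security-opt mask=` would get a duplicate; harmless if the runtime tolerates it, but worth confirming. c.config.Privileged is the only exemption here, so any unmask= option the user passed is not consulted by this function.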
@@ -413,6 +413,29 @@ var _ = Describe("Podman run", func() {
 Expect(session.OutputToString()).To(Not(BeEmpty()))
 })
+ It("podman run powercap is masked", func() {
+ Skip("CI VMs do not have access to powercap")
+
+ testCtr1 := "testctr"
+ run := podmanTest.Podman([]string{"run", "-d", "--name", testCtr1, ALPINE, "top"})
+ run.WaitWithDefaultTimeout()
+ Expect(run).Should(ExitCleanly())
+
+ exec := podmanTest.Podman([]string{"exec", "-ti", testCtr1, "ls", "/sys/devices/virtual/powercap"})
+ exec.WaitWithDefaultTimeout()
+ Expect(exec).To(ExitWithError())
+
+ testCtr2 := "testctr2"
+ run2 := podmanTest.Podman([]string{"run", "-d", "--privileged", "--name", testCtr2, ALPINE, "top"})
+ run2.WaitWithDefaultTimeout()
+ Expect(run2).Should(ExitCleanly())
+
+ exec2 := podmanTest.Podman([]string{"exec", "-ti", testCtr2, "ls", "/sys/devices/virtual/powercap"})
+ exec2.WaitWithDefaultTimeout()
+ Expect(exec2).Should(ExitCleanly())
+ Expect(exec2.OutputToString()).Should(Not(BeEmpty()))
+ })
+
 It("podman run security-opt unmask on /sys/fs/cgroup", func() {
 SkipIfCgroupV1("podman umask on /sys/fs/cgroup will fail with cgroups V1")