diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md index 996a350911..021f58a3fe 100644 --- a/docs/source/markdown/podman-systemd.unit.5.md +++ b/docs/source/markdown/podman-systemd.unit.5.md @@ -541,6 +541,10 @@ The current default value is `none`. Set the log-driver Podman uses when running the container. Equivalent to the Podman `--log-driver` option. +### `Mask=` + +Specify the paths to mask separated by a colon. `Mask=/path/1:/path/2`. A masked path cannot be accessed inside the container. + ### `Network=` Specify a custom network for the container. This has the same format as the `--network` option @@ -584,6 +588,16 @@ entry from the unit file takes precedence This key can be listed multiple times. +### `Unmask=` + +Specify the paths to unmask separated by a colon. unmask=ALL or /path/1:/path/2, or shell expanded paths (/proc/*): + +If set to `ALL`, Podman will unmask all the paths that are masked or made read-only by default. + +The default masked paths are /proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux. + +The default paths that are read-only are /proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup. + ### `UserNS=` Set the user namespace mode for the container. This is equivalent to the Podman `--userns` option and diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go index a01bf64219..11a6011ba1 100644 --- a/pkg/systemd/quadlet/quadlet.go +++ b/pkg/systemd/quadlet/quadlet.go @@ -65,6 +65,7 @@ const ( KeyExitCodePropagation = "ExitCodePropagation" KeyLabel = "Label" KeyLogDriver = "LogDriver" + KeyMask = "Mask" KeyMount = "Mount" KeyNetwork = "Network" KeyNetworkDisableDNS = "DisableDNS" 
@@ -100,6 +101,7 @@ const (
 KeyTimezone = "Timezone"
 KeyTmpfs = "Tmpfs"
 KeyType = "Type"
+ KeyUnmask = "Unmask"
 KeyUser = "User"
 KeyUserNS = "UserNS"
 KeyVolatileTmp = "VolatileTmp"
@@ -136,11 +138,12 @@ var (
 KeyHealthStartupTimeout: true,
 KeyHealthTimeout: true,
 KeyHostName: true,
- KeyImage: true,
- KeyIP: true,
 KeyIP6: true,
+ KeyIP: true,
+ KeyImage: true,
 KeyLabel: true,
 KeyLogDriver: true,
+ KeyMask: true,
 KeyMount: true,
 KeyNetwork: true,
 KeyNoNewPrivileges: true,
@@ -156,15 +159,16 @@ var (
 KeyRootfs: true,
 KeyRunInit: true,
 KeySeccompProfile: true,
+ KeySecret: true,
 KeySecurityLabelDisable: true,
 KeySecurityLabelFileType: true,
 KeySecurityLabelLevel: true,
 KeySecurityLabelNested: true,
 KeySecurityLabelType: true,
- KeySecret: true,
 KeySysctl: true,
- KeyTmpfs: true,
 KeyTimezone: true,
+ KeyTmpfs: true,
+ KeyUnmask: true,
 KeyUser: true,
 KeyUserNS: true,
 KeyVolatileTmp: true,
@@ -591,6 +595,16 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 annotations := container.LookupAllKeyVal(ContainerGroup, KeyAnnotation)
 podman.addAnnotations(annotations)
 
+ masks := container.LookupAllArgs(ContainerGroup, KeyMask)
+ for _, mask := range masks {
+ podman.add("--security-opt", fmt.Sprintf("mask=%s", mask))
+ }
+
+ unmasks := container.LookupAllArgs(ContainerGroup, KeyUnmask)
+ for _, unmask := range unmasks {
+ podman.add("--security-opt", fmt.Sprintf("unmask=%s", unmask))
+ }
+
 envFiles := container.LookupAllArgs(ContainerGroup, KeyEnvironmentFile)
 for _, envFile := range envFiles {
 filePath, err := getAbsolutePath(container, envFile)
diff --git a/test/e2e/quadlet/mask.container b/test/e2e/quadlet/mask.container
new file mode 100644
index 0000000000..3bf206e22b
--- /dev/null
+++ b/test/e2e/quadlet/mask.container
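Review bot: The `Mask=` and `Unmask=` values are forwarded to `--security-opt` verbatim in the two new loops of ConvertContainer, so quadlet does not itself check that each entry is an absolute path or a known keyword, and nothing in the hunk records that `Unmask=` removes podman's default masking of sensitive /proc and /sys paths. A why-comment on the unmask loop would help the next reader: `// Unmask weakens the default /proc and /sys masking; values (including ALL) are passed to podman unvalidated.` If `LookupAllArgs` splits a value on whitespace like the other `*Args` keys (inferred, not visible here), a colon-separated list containing a space is emitted as several separate `mask=` options, which is worth covering in the fixture. On style, `"mask="+mask` reads the same as `fmt.Sprintf("mask=%s", mask)` and drops the formatting call. ConvertContainer starts and ends outside the hunk.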
@@ -0,0 +1,8 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args --security-opt mask=/proc/sys/foo:/proc/sys/bar
+## assert-podman-args --security-opt mask=/proc/sys/foobar
+
+[Container]
+Image=localhost/imagename
+Mask=/proc/sys/foo:/proc/sys/bar
+Mask=/proc/sys/foobar
diff --git a/test/e2e/quadlet/unmask.container b/test/e2e/quadlet/unmask.container
new file mode 100644
index 0000000000..97cb8f2605
--- /dev/null
+++ b/test/e2e/quadlet/unmask.container
@@ -0,0 +1,8 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args --security-opt unmask=/proc/sys/foo:/proc/sys/bar
+## assert-podman-args --security-opt unmask=all
+
+[Container]
+Image=localhost/imagename
+Unmask=/proc/sys/foo:/proc/sys/bar
+Unmask=all
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
index 176a5ecc93..00c74511f9 100644
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@@ -551,6 +551,7 @@ var _ = Describe("quadlet system generator", func() {
 Entry("ip.container", "ip.container"),
 Entry("label.container", "label.container"),
 Entry("logdriver.container", "logdriver.container"),
+ Entry("mask.container", "mask.container"),
 Entry("mount.container", "mount.container"),
 Entry("name.container", "name.container"),
 Entry("nestedselinux.container", "nestedselinux.container"),
@@ -579,6 +580,7 @@ var _ = Describe("quadlet system generator", func() {
 Entry("shortname.container", "shortname.container"),
 Entry("sysctl.container", "sysctl.container"),
 Entry("timezone.container", "timezone.container"),
+ Entry("unmask.container", "unmask.container"),
 Entry("user.container", "user.container"),
 Entry("volume.container", "volume.container"),
 Entry("workingdir.container", "workingdir.container"),
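Review bot: The unmask.container fixture asserts `--security-opt unmask=all` with a lowercase keyword, while the documentation hunk in this same commit spells it `Unmask=ALL`; if podman's keyword match is case-sensitive, the test exercises a value the docs do not promise, so the two should agree, e.g. `Unmask=ALL` and `## assert-podman-args --security-opt unmask=ALL`. Quadlet only forwards the string, so whichever spelling is kept is interpreted by podman rather than by the generator, and the fixture alone cannot show that the keyword is honoured.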