sysfs should be mounted rw for privileged

sysfs should be mounted rw for a privileged container. Signed-off-by: baude <bbaude@redhat.com> Closes: #279 Approved by: rhatdan
2025-06-19 00:06:43 +08:00 · 2018-01-31 14:21:47 -06:00
parent 3609b82fe6
commit bf00c976dd
3 changed files with 53 additions and 2 deletions
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@ -156,12 +156,24 @@ func addDevice(g *generate.Generator, device string) error {
 // Parses information needed to create a container into an OCI runtime spec
 func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	cgroupPerm := "ro"
 	g := generate.New()
 	if config.Privileged {
 		cgroupPerm = "rw"
 		g.RemoveMount("/sys")
 		sysMnt := spec.Mount{
 			Destination: "/sys",
 			Type:        "sysfs",
 			Source:      "sysfs",
 			Options:     []string{"nosuid", "noexec", "nodev", "rw"},
 		}
 		g.AddMount(sysMnt)
 	}
 	cgroupMnt := spec.Mount{
 		Destination: "/sys/fs/cgroup",
 		Type:        "cgroup",
 		Source:      "cgroup",
-		Options:     []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+		Options:     []string{"nosuid", "noexec", "nodev", "relatime", cgroupPerm},
 	}
 	g.AddMount(cgroupMnt)
 	g.SetProcessCwd(config.WorkDir)
--- a/test/e2e/privileged_test.go
+++ b/test/e2e/privileged_test.go
@ -0,0 +1,39 @@
 package integration
 import (
 	"os"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
 var _ = Describe("Podman privileged container tests", func() {
 	var (
 		tempdir    string
 		err        error
 		podmanTest PodmanTest
 	)
 	BeforeEach(func() {
 		tempdir, err = CreateTempDirInTempDir()
 		if err != nil {
 			os.Exit(1)
 		}
 		podmanTest = PodmanCreate(tempdir)
 		podmanTest.RestoreAllArtifacts()
 	})
 	AfterEach(func() {
 		podmanTest.Cleanup()
 	})
 	It("podman privileged make sure sys is mounted rw", func() {
 		session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "mount"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 		ok, lines := session.GrepString("sysfs")
 		Expect(ok).To(BeTrue())
 		Expect(lines[0]).To(ContainSubstring("sysfs (rw,"))
 	})
 })
--- a/test/e2e/rm_test.go
+++ b/test/e2e/rm_test.go
@ -45,7 +45,7 @@ var _ = Describe("Podman rm", func() {
 		result := podmanTest.Podman([]string{"rm", cid})
 		result.WaitWithDefaultTimeout()
-		Expect(result.ExitCode()).To(Not(Equal(0)))
+		Expect(result.ExitCode()).To(Equal(125))
 	})
 	It("podman rm created container", func() {