linux: add /sys/fs/cgroup if /sys is a bind mount

if /sys is bind mounted from the host then also add an explicit mount for /sys/fs/cgroup so that 'ro' is honored. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-06-25 03:52:15 +08:00 · 2023-01-03 14:45:34 +01:00
parent 1da081f289
commit cf364703fc
2 changed files with 14 additions and 1 deletions
--- a/pkg/specgen/generate/oci_linux.go
+++ b/pkg/specgen/generate/oci_linux.go
@ -107,11 +107,19 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 		}
 		sysMnt := spec.Mount{
 			Destination: "/sys",
-			Type:        "bind", // should we use a constant for this, like createconfig?
+			Type:        "bind",
 			Source:      "/sys",
 			Options:     []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
 		}
 		g.AddMount(sysMnt)
+		g.RemoveMount("/sys/fs/cgroup")
+		sysFsCgroupMnt := spec.Mount{
+			Destination: "/sys/fs/cgroup",
+			Type:        "bind",
+			Source:      "/sys/fs/cgroup",
+			Options:     []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
+		}
+		g.AddMount(sysFsCgroupMnt)
 		if !s.Privileged && isRootless {
 			g.AddLinuxMaskedPaths("/sys/kernel")
 		}
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@ -974,4 +974,9 @@ EOF
    run_podman 125 create --name "$randomname/" $IMAGE
 }

+@test "podman run --net=host --cgroupns=host with read only cgroupfs" {
+    # verify that the last /sys/fs/cgroup mount is read-only
+    run_podman run --net=host --cgroupns=host --rm $IMAGE sh -c "grep ' / /sys/fs/cgroup ' /proc/self/mountinfo | tail -n 1 | grep '/sys/fs/cgroup ro'"
+}
+
 # vim: filetype=sh