mirror/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2026-03-21 08:03:50 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fix SELinux on host shared systems in userns

Browse Source 
Currently if you turn on --net=host on a rootless container
and have selinux-policy installed in the image, tools running with
SELinux will see that the system is SELinux enabled in rootless mode.

This patch mounts a tmpfs over /sys/fs/selinux blocking this behaviour.

This patch also fixes the fact that if you shared --pid=host we were not
masking over certin /proc paths.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2019-03-11 15:13:29 -04:00
parent 7038cac53c
commit de12f45688
1 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
pkg/spec/spec.go
View File

@@ -454,10 +454,6 @@ func findMount(target string, mounts []*pmount.Info) (*pmount.Info, error) {
}
func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator) {
if config.PidMode.IsHost() && rootless.IsRootless() {
return
}
if !config.Privileged {
for _, mp := range []string{
"/proc/acpi",
@@ -469,10 +465,15 @@ func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator)
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
"/sys/fs/selinux",
} {
g.AddLinuxMaskedPaths(mp)
}
if config.PidMode.IsHost() && rootless.IsRootless() {
return
}
for _, rp := range []string{
"/proc/asound",
"/proc/bus",