Merge pull request #3614 from giuseppe/rootless-fresh-sys-mount-if-po…

…ssible rootless: do not bind mount /sys if not needed
containers · Nov 4, 2021 · e3283ab · e3283ab
2 parents 96e1871 + b798e6a
commit e3283ab
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/run_linux.go b/run_linux.go
@@ -2164,6 +2164,13 @@ func setupRootlessSpecChanges(spec *specs.Spec, bundleDir string, shmSize string
 		return err
 	}
 
+	// If the container has a network namespace, we can create a fresh /sys mount
+	for _, ns := range spec.Linux.Namespaces {
+		if ns.Type == specs.NetworkNamespace {
+			return nil
+		}
+	}
+
 	// Replace /sys with a read-only bind mount.
 	mounts := []specs.Mount{
 		{

diff --git a/tests/namespaces.bats b/tests/namespaces.bats
@@ -50,6 +50,11 @@ load helpers
   run_buildah run $RUNOPTS --net=host "$ctr" readlink /proc/self/ns/net
   expect_output "$mynetns"
 
+  # Check that we are not bind mounting /sys from the host with --net=container
+  host_sys=$(grep "/sys " /proc/self/mountinfo | cut -d ' ' -f 3)
+  run_buildah run $RUNOPTS --net=container "$ctr" sh -c 'grep "/sys " /proc/self/mountinfo | cut -d " " -f 3'
+  assert "$output" != "$host_sys"
+
   # Create a container that doesn't use that mapping.
   run_buildah from --signature-policy ${TESTSDIR}/policy.json --quiet alpine
   ctr="$output"