

Merge pull request #3614 from giuseppe/rootless-fresh-sys-mount-if-po…
…ssible

rootless: do not bind mount /sys if not needed
openshift-merge-robot authored Nov 4, 2021
2 parents 96e1871 + b798e6a commit e3283ab
Showing 2 changed files with 12 additions and 0 deletions.
7 changes: 7 additions & 0 deletions run_linux.go
Expand Up @@ -2164,6 +2164,13 @@ func setupRootlessSpecChanges(spec *specs.Spec, bundleDir string, shmSize string
return err
}

// If the container has a network namespace, we can create a fresh /sys mount
for _, ns := range spec.Linux.Namespaces {
if ns.Type == specs.NetworkNamespace {
return nil
}
}

// Replace /sys with a read-only bind mount.
mounts := []specs.Mount{
{
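Review bot: The early return in the new loop fires whether the network namespace is created fresh or joined through `ns.Path`; a fresh sysfs mount inside a user namespace is only permitted when that user namespace owns the network namespace, so if this path can ever be handed a foreign netns (host or another user's), skipping the host bind mount would leave the runtime's own /sys mount to fail. If joining a foreign netns is not supported here, say so in the comment; otherwise tighten the condition to `if ns.Type == specs.NetworkNamespace && ns.Path == "" {`. The comment above the loop also says "we can create a fresh /sys mount" while the code only skips the read-only bind-mount replacement; `// A container-owned network namespace lets the kernel mount a fresh sysfs, so keep the spec's own /sys mount instead of bind-mounting the host's.` describes what actually happens. setupRootlessSpecChanges starts and ends outside the hunk, so this return also skips anything after the mounts block — worth confirming nothing unrelated to /sys follows it.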
5 changes: 5 additions & 0 deletions tests/namespaces.bats
Expand Up @@ -50,6 +50,11 @@ load helpers
run_buildah run $RUNOPTS --net=host "$ctr" readlink /proc/self/ns/net
expect_output "$mynetns"

# Check that we are not bind mounting /sys from the host with --net=container
host_sys=$(grep "/sys " /proc/self/mountinfo | cut -d ' ' -f 3)
run_buildah run $RUNOPTS --net=container "$ctr" sh -c 'grep "/sys " /proc/self/mountinfo | cut -d " " -f 3'
assert "$output" != "$host_sys"

# Create a container that doesn't use that mapping.
run_buildah from --signature-policy ${TESTSDIR}/policy.json --quiet alpine
ctr="$output"
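Review bot: `grep "/sys "` in the two new mountinfo lookups matches any line containing that token, including one whose root field (field 4) is `/sys`, and field 3 is the superblock's major:minor rather than a mount ID, so the assertion deserves a tighter selector and a comment saying what inequality proves. Selecting on the mount-point field handles both: `host_sys=$(awk '$5 == "/sys" {print $3}' /proc/self/mountinfo)` on the host side and the same `awk` inside the `sh -c` string. A comment such as `# field 3 is the superblock's major:minor: a bind mount of the host's /sys shares it, a fresh sysfs mount gets a new one` records why a differing value means /sys was not bind-mounted from the host. The check runs regardless of whether the suite is rootless; presumably a root run still passes because the runtime mounts a fresh sysfs there too, but that is inferred, not visible in this hunk.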

