
Commit a5b29a0

committed
Fix parsing of paths for unmask
This fixes an issue where multiple paths separated by a colon were treated as a single path, contrary to what docs say and unlike how mask option works. Test was updated with a case that fails without this commit. Signed-off-by: Šimon Škoda <[email protected]>
1 parent e138304 commit a5b29a0


2 files changed

+5
-4
lines changed


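--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -739,9 +739,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 return fmt.Errorf("invalid systempaths option %q, only `unconfined` is supported", val)
 }
 case "unmask":
-if hasVal {
-s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, val)
-}
+s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, strings.Split(val, ":")...)
 case "no-new-privileges":
 noNewPrivileges := true
 if hasVal {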
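Review bot: Dropping the `hasVal` guard in the `unmask` case lets empty entries into `s.ContainerSecurityConfig.Unmask`: `strings.Split("", ":")` returns `[""]`, so a bare `--security-opt unmask` (assuming `val` is empty when `hasVal` is false) now appends an empty path, and a doubled or trailing colon such as `unmask=/proc/acpi:` does the same. Unmask entries relax the default masking of paths under /proc and /sys, so only non-empty paths the user actually named should reach the spec; how later code treats an empty entry is not visible in this hunk. Keeping the guard and skipping empty segments, as below, preserves the old no-value behaviour while still splitting on colons. The switch in FillOutSpecGen starts and ends outside the hunk.

```go
case "unmask":
	if hasVal {
		for _, p := range strings.Split(val, ":") {
			// Skip empty segments from "a::b" or a trailing colon.
			if p != "" {
				s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, p)
			}
		}
	}
```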

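--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -437,7 +437,7 @@ var _ = Describe("Podman run", func() {
 session.WaitWithDefaultTimeout()
 Expect(session.OutputToString()).To(BeEmpty())
 
-session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr2", "--security-opt", "unmask=/proc/acpi:/sys/firmware", ALPINE, "sleep", "200"})
+session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr2", "--security-opt", "unmask=/proc/acpi:/sys/firmware:/sys/fs/cgroup", ALPINE, "sleep", "200"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(ExitCleanly())
 session = podmanTest.Podman([]string{"exec", "maskCtr2", "ls", "/sys/firmware"})
@@ -448,6 +448,9 @@ var _ = Describe("Podman run", func() {
 session.WaitWithDefaultTimeout()
 Expect(session.OutputToString()).To(Not(BeEmpty()))
 Expect(session).Should(ExitCleanly())
+session = podmanTest.Podman([]string{"exec", "maskCtr2", "sh", "-c", "awk '$5 ~ /\\/sys\\/fs\\/cgroup/ && $6 ~ /^rw,|,rw,|,rw$|^rw$/ { print }' /proc/self/mountinfo | grep ."})
+session.WaitWithDefaultTimeout()
+Expect(session).Should(ExitCleanly())
 
 session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr3", "--security-opt", "mask=/sys/power/disk", ALPINE, "sleep", "200"})
 session.WaitWithDefaultTimeout()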
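Review bot: The awk filter in the added `exec` check matches `$5` against the unanchored pattern `/\/sys\/fs\/cgroup/`, so any read-write mount beneath that directory (for instance a controller submount on a cgroup v1 host) would satisfy it even if `/sys/fs/cgroup` itself stayed read-only. Comparing the mount point exactly, `$5 == "/sys/fs/cgroup"` (with the quotes escaped inside the Go string), pins the assertion to the path that was actually unmasked. A companion case with a trailing or doubled colon, such as `unmask=/proc/acpi:`, would also record how empty segments are expected to be handled. The enclosing test body starts and ends outside the hunk.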
