diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go index bd42622f4f..5f1e44fc47 100644 --- a/pkg/specgenutil/specgen.go +++ b/pkg/specgenutil/specgen.go @@ -739,9 +739,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions return fmt.Errorf("invalid systempaths option %q, only `unconfined` is supported", val) } case "unmask": - if hasVal { - s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, val) - } + s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, strings.Split(val, ":")...) case "no-new-privileges": noNewPrivileges := true if hasVal { diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index cc281f0c78..feebd4b624 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -437,7 +437,7 @@ var _ = Describe("Podman run", func() { session.WaitWithDefaultTimeout() Expect(session.OutputToString()).To(BeEmpty()) - session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr2", "--security-opt", "unmask=/proc/acpi:/sys/firmware", ALPINE, "sleep", "200"}) + session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr2", "--security-opt", "unmask=/proc/acpi:/sys/firmware:/sys/fs/cgroup", ALPINE, "sleep", "200"}) session.WaitWithDefaultTimeout() Expect(session).Should(ExitCleanly()) session = podmanTest.Podman([]string{"exec", "maskCtr2", "ls", "/sys/firmware"}) @@ -448,6 +448,9 @@ var _ = Describe("Podman run", func() { session.WaitWithDefaultTimeout() Expect(session.OutputToString()).To(Not(BeEmpty())) Expect(session).Should(ExitCleanly()) + session = podmanTest.Podman([]string{"exec", "maskCtr2", "sh", "-c", "awk '$5 ~ /\\/sys\\/fs\\/cgroup/ && $6 ~ /^rw,|,rw,|,rw$|^rw$/ { print }' /proc/self/mountinfo | grep ."}) + session.WaitWithDefaultTimeout() + Expect(session).Should(ExitCleanly()) session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr3", "--security-opt", "mask=/sys/power/disk", ALPINE, "sleep", "200"}) session.WaitWithDefaultTimeout()