Mask over the /sys/fs/selinux in mask branch
This is required so that the mount point shows up when buildah
is vendored into Podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh
3 years ago
1100 | 1100 |
}
|
1101 | 1101 |
logrus.Debugf("bind mounted %q to %q", "/sys", filepath.Join(spec.Root.Path, "/sys"))
|
1102 | 1102 |
|
1103 | |
// Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
|
1104 | |
// attempting to interact with labeling, when they aren't allowed to do so.
|
1105 | |
spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
|
1106 | |
|
1107 | 1103 |
// Bind mount in everything we've been asked to mount.
|
1108 | 1104 |
for _, m := range spec.Mounts {
|
1109 | 1105 |
// Skip anything that we just mounted.
|
1778 | 1778 |
"/proc/sched_debug",
|
1779 | 1779 |
"/proc/scsi",
|
1780 | 1780 |
"/sys/firmware",
|
|
1781 |
"/sys/fs/selinux",
|
1781 | 1782 |
} {
|
1782 | 1783 |
g.AddLinuxMaskedPaths(mp)
|
1783 | 1784 |
}
|
|
2022 | 2023 |
Options: []string{bind.NoBindOption, "rbind", "private", "nodev", "noexec", "nosuid", "ro"},
|
2023 | 2024 |
},
|
2024 | 2025 |
}
|
2025 | |
// Cover up /sys/fs/cgroup and /sys/fs/selinux, if they exist in our source for /sys.
|
|
2026 |
// Cover up /sys/fs/cgroup, if it exist in our source for /sys.
|
2026 | 2027 |
if _, err := os.Stat("/sys/fs/cgroup"); err == nil {
|
2027 | 2028 |
spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/cgroup")
|
2028 | |
}
|
2029 | |
if _, err := os.Stat("/sys/fs/selinux"); err == nil {
|
2030 | |
spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
|
2031 | 2029 |
}
|
2032 | 2030 |
// Keep anything that isn't under /dev, /proc, or /sys.
|
2033 | 2031 |
for i := range spec.Mounts {
|
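Review bot: After this change the `"/sys/fs/selinux"` entry added to the default masked-path list (new line 1781) is the only place the mask is applied, and nothing at that entry records why it is there. The two removed sites appended directly to `spec.Linux.MaskedPaths` and carried the rationale that processes must not interact with labeling. If any caller replaces or clears the masked paths before the bind-mount code runs (not visible in these hunks), selinuxfs would be reachable under the bind-mounted /sys. I would move the rationale to the list entry, e.g. `// /sys/fs/selinux: keep processes from interacting with SELinux labeling; the bind-mount code no longer adds this mask itself`, and confirm that every isolation mode which relied on the removed appends still receives the default list. The new comment in the last hunk should also read `if it exists`; the enclosing functions start and end outside all three hunks.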