From cf364703fc3f94cd759cc683e3ab9083e8ecc324 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 3 Jan 2023 14:45:34 +0100
Subject: [PATCH] linux: add /sys/fs/cgroup if /sys is a bind mount

if /sys is bind mounted from the host then also add an explicit mount for /sys/fs/cgroup so that 'ro' is honored.

Signed-off-by: Giuseppe Scrivano
---
 pkg/specgen/generate/oci_linux.go | 10 +++++++++-
 test/system/030-run.bats | 5 +++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/pkg/specgen/generate/oci_linux.go b/pkg/specgen/generate/oci_linux.go
index 7410575ed8..2c023a7e16 100644
--- a/pkg/specgen/generate/oci_linux.go
+++ b/pkg/specgen/generate/oci_linux.go
@@ -107,11 +107,19 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 }
 sysMnt := spec.Mount{
 Destination: "/sys",
- Type: "bind", // should we use a constant for this, like createconfig?
+ Type: "bind",
 Source: "/sys",
 Options: []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
 }
 g.AddMount(sysMnt)
+ g.RemoveMount("/sys/fs/cgroup")
+ sysFsCgroupMnt := spec.Mount{
+ Destination: "/sys/fs/cgroup",
+ Type: "bind",
+ Source: "/sys/fs/cgroup",
+ Options: []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
+ }
+ g.AddMount(sysFsCgroupMnt)
 if !s.Privileged && isRootless {
 g.AddLinuxMaskedPaths("/sys/kernel")
 }
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 3866a82018..3094cf3211 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -974,4 +974,9 @@ EOF
 run_podman 125 create --name "$randomname/" $IMAGE
 }
 
+@test "podman run --net=host --cgroupns=host with read only cgroupfs" {
+ # verify that the last /sys/fs/cgroup mount is read-only
+ run_podman run --net=host --cgroupns=host --rm $IMAGE sh -c "grep ' / /sys/fs/cgroup ' /proc/self/mountinfo | tail -n 1 | grep '/sys/fs/cgroup ro'"
+}
+
 # vim: filetype=sh
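Review bot: The explicit /sys/fs/cgroup mount added after `g.AddMount(sysMnt)` has no comment saying why it must exist separately from the recursive /sys bind mount right above it, so a later reader is likely to fold it back into the rbind and silently reintroduce the writable cgroup tree; the reason is only in the commit message and belongs in the code: `// "ro" on the recursive /sys bind is not applied to its submounts, so /sys/fs/cgroup is mounted explicitly to make the read-only flag hold there too`. Both mounts now carry an identical Options literal; hoisting it into one local keeps them from drifting apart, but give each Mount its own copy rather than sharing one slice. The RemoveMount/AddMount pair appears to run whenever the /sys bind branch is taken; whether that branch is limited to the host cgroup namespace case is decided outside the hunk, and if it is not, binding the host's /sys/fs/cgroup into a container with its own cgroup namespace would expose the host-level cgroup view rather than the namespaced one, which is worth confirming. SpecGenToOCI starts and ends outside the hunk, and `r` is defined before it.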
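Review bot: The new test only inspects the flag string in mountinfo for the last `/sys/fs/cgroup` entry; on a host where /sys/fs/cgroup is a tmpfs with per-controller submounts the last matching line being `ro` says nothing about those submounts, so the check is weaker than the test name suggests, though how common that layout is in CI is not visible here. A non-destructive behavioural check pins the intent more directly, e.g. a second `run_podman run --net=host --cgroupns=host --rm $IMAGE sh -c "! test -w /sys/fs/cgroup"`, since access(2) with W_OK fails on a read-only filesystem even for root. The grep chain also deserves a comment on why `tail -n 1` is needed: `# the rbind of /sys and the explicit mount both produce an entry; only the last (topmost) one is what the container sees`.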