cri: set default masked/readonly paths to empty paths
Fixes #5029. Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
This commit is contained in:
Yohei Ueda
parent
af4c55fa4a
commit
07f1df4541
@ -195,6 +195,11 @@ func (c *criService) containerSpec(
|
|||||||
specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel))
|
specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel))
|
||||||
|
|
||||||
if !c.config.DisableProcMount {
|
if !c.config.DisableProcMount {
|
||||||
|
// Change the default masked/readonly paths to empty slices
|
||||||
|
// See https://github.com/containerd/containerd/issues/5029
|
||||||
|
// TODO: Provide an option to set default paths to the ones in oci.populateDefaultUnixSpec()
|
||||||
|
specOpts = append(specOpts, oci.WithMaskedPaths([]string{}), oci.WithReadonlyPaths([]string{}))
|
||||||
|
|
||||||
// Apply masked paths if specified.
|
// Apply masked paths if specified.
|
||||||
// If the container is privileged, this will be cleared later on.
|
// If the container is privileged, this will be cleared later on.
|
||||||
if maskedPaths := securityContext.GetMaskedPaths(); maskedPaths != nil {
|
if maskedPaths := securityContext.GetMaskedPaths(); maskedPaths != nil {
|
||||||
|
|||||||
@ -1118,8 +1118,8 @@ func TestMaskedAndReadonlyPaths(t *testing.T) {
|
|||||||
disableProcMount: false,
|
disableProcMount: false,
|
||||||
masked: nil,
|
masked: nil,
|
||||||
readonly: nil,
|
readonly: nil,
|
||||||
expectedMasked: defaultSpec.Linux.MaskedPaths,
|
expectedMasked: []string{},
|
||||||
expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
|
expectedReadonly: []string{},
|
||||||
privileged: false,
|
privileged: false,
|
||||||
},
|
},
|
||||||
"should be able to specify empty paths": {
|
"should be able to specify empty paths": {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user