github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

defaultMaskedPaths must be kept in sync with moby/moby.

Browse Source
This commit is contained in:
carlory
2024-07-09 13:22:29 +08:00
parent 3125877de0
commit f0c2afa19f
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/securitycontext/util.go
View File

@@ -188,7 +188,7 @@ func AddNoNewPrivileges(sc *v1.SecurityContext) bool {
var ( var (
// These *must* be kept in sync with moby/moby. // These *must* be kept in sync with moby/moby.
// https://github.com/moby/moby/blob/master/oci/defaults.go#L105-L123 // https://github.com/moby/moby/blob/master/oci/defaults.go#L105-L124
// @jessfraz will watch changes to those files upstream. // @jessfraz will watch changes to those files upstream.
defaultMaskedPaths = []string{ defaultMaskedPaths = []string{
"/proc/asound", "/proc/asound",
@@ -201,6 +201,7 @@ var (
"/proc/sched_debug", "/proc/sched_debug",
"/proc/scsi", "/proc/scsi",
"/sys/firmware", "/sys/firmware",
"/sys/devices/virtual/powercap",
} }
defaultReadonlyPaths = []string{ defaultReadonlyPaths = []string{
"/proc/bus", "/proc/bus",