Add spec support for masked and readonly paths

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-01 13:04:47 -07:00 · 2016-04-01 13:04:47 -07:00 · df25eddce6
parent 1117a7cbf9
commit df25eddce6
2 changed files with 16 additions and 19 deletions
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@ -41,23 +41,6 @@ var mountPropagationMapping = map[string]int{
 	"":         syscall.MS_PRIVATE | syscall.MS_REC,
 }

-var (
-	maskedPaths = []string{
-		"/proc/kcore",
-		"/proc/latency_stats",
-		"/proc/timer_stats",
-		"/proc/sched_debug",
-	}
-	readonlyPaths = []string{
-		"/proc/asound",
-		"/proc/bus",
-		"/proc/fs",
-		"/proc/irq",
-		"/proc/sys",
-		"/proc/sysrq-trigger",
-	}
-)
-
 var allowedDevices = []*configs.Device{
 	// allow mknod for any device
 	{
@ -226,8 +209,8 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 	}
 	config.Cgroups = c
 	// set extra path masking for libcontainer for the various unsafe places in proc
-	config.MaskPaths = maskedPaths
-	config.ReadonlyPaths = readonlyPaths
+	config.MaskPaths = spec.Linux.MaskedPaths
+	config.ReadonlyPaths = spec.Linux.ReadonlyPaths
 	if spec.Linux.Seccomp != nil {
 		seccomp, err := setupSeccomp(spec.Linux.Seccomp)
 		if err != nil {
--- a/spec.go
+++ b/spec.go
@ -141,6 +141,20 @@ container on your host.`,
 				},
 			},
 			Linux: specs.Linux{
+				MaskedPaths: []string{
+					"/proc/kcore",
+					"/proc/latency_stats",
+					"/proc/timer_stats",
+					"/proc/sched_debug",
+				},
+				ReadonlyPaths: []string{
+					"/proc/asound",
+					"/proc/bus",
+					"/proc/fs",
+					"/proc/irq",
+					"/proc/sys",
+					"/proc/sysrq-trigger",
+				},
 				Resources: &specs.Resources{
 					Devices: []specs.DeviceCgroup{
 						{