executor/oci: remove /proc masks for NoProcessSandBox mode

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-05-08 22:04:07 +09:00 · 2019-05-08 22:04:07 +09:00 · 38d16c97cf
parent 97b4b9a6db
commit 38d16c97cf
1 changed files with 17 additions and 0 deletions
--- a/executor/oci/spec_unix.go
+++ b/executor/oci/spec_unix.go
@ -95,6 +95,23 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 		Options:     []string{"ro", "nosuid", "noexec", "nodev"},
 	})

+	if processMode == NoProcessSandbox {
+		var maskedPaths []string
+		for _, s := range s.Linux.MaskedPaths {
+			if !hasPrefix(s, "/proc") {
+				maskedPaths = append(maskedPaths, s)
+			}
+		}
+		s.Linux.MaskedPaths = maskedPaths
+		var readonlyPaths []string
+		for _, s := range s.Linux.ReadonlyPaths {
+			if !hasPrefix(s, "/proc") {
+				readonlyPaths = append(readonlyPaths, s)
+			}
+		}
+		s.Linux.ReadonlyPaths = readonlyPaths
+	}
+
 	if meta.SecurityMode == pb.SecurityMode_INSECURE {
 		//make sysfs rw mount for insecure mode.
 		for _, m := range s.Mounts {