diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go index b702a86b2e..d4e1ca5776 100644 --- a/libpod/container_internal_common.go +++ b/libpod/container_internal_common.go @@ -680,6 +680,8 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc } } + c.addMaskedPaths(&g) + return g.Config, cleanupFunc, nil } diff --git a/libpod/container_internal_freebsd.go b/libpod/container_internal_freebsd.go index f4a3b9a855..2ecb931f2d 100644 --- a/libpod/container_internal_freebsd.go +++ b/libpod/container_internal_freebsd.go @@ -385,3 +385,7 @@ func (c *Container) getPlatformRunPath() (string, error) { } return runPath, nil } + +func (c *Container) addMaskedPaths(g *generate.Generator) { + // There are currently no FreeBSD-specific masked paths +} diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index f96d1a8d9e..45452a9c2a 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -805,3 +805,9 @@ func (c *Container) makePlatformMtabLink(etcInTheContainerFd, rootUID, rootGID i func (c *Container) getPlatformRunPath() (string, error) { return "/run", nil } + +func (c *Container) addMaskedPaths(g *generate.Generator) { + if !c.config.Privileged { + g.AddLinuxMaskedPaths("/sys/devices/virtual/powercap") + } +} diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 423c2e44c4..df3572a915 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -414,6 +414,29 @@ var _ = Describe("Podman run", func() { Expect(session.OutputToString()).To(Not(BeEmpty())) }) + It("podman run powercap is masked", func() { + Skip("CI VMs do not have access to powercap") + + testCtr1 := "testctr" + run := podmanTest.Podman([]string{"run", "-d", "--name", testCtr1, ALPINE, "top"}) + run.WaitWithDefaultTimeout() + Expect(run).Should(ExitCleanly()) + + exec := podmanTest.Podman([]string{"exec", "-ti", testCtr1, "ls", "/sys/devices/virtual/powercap"}) + exec.WaitWithDefaultTimeout() + Expect(exec).To(ExitWithError()) + + testCtr2 := "testctr2" + run2 := podmanTest.Podman([]string{"run", "-d", "--privileged", "--name", testCtr2, ALPINE, "top"}) + run2.WaitWithDefaultTimeout() + Expect(run2).Should(ExitCleanly()) + + exec2 := podmanTest.Podman([]string{"exec", "-ti", testCtr2, "ls", "/sys/devices/virtual/powercap"}) + exec2.WaitWithDefaultTimeout() + Expect(exec2).Should(ExitCleanly()) + Expect(exec2.OutputToString()).Should(Not(BeEmpty())) + }) + It("podman run security-opt unmask on /sys/fs/cgroup", func() { SkipIfCgroupV1("podman umask on /sys/fs/cgroup will fail with cgroups V1")