Merge pull request #18894 from rhatdan/umask

Add quadlet container support for Mask,Umask options

docs/source/markdown/podman-systemd.unit.5.md

@@ -541,6 +541,10 @@ The current default value is `none`.
 Set the log-driver Podman uses when running the container.
 Equivalent to the Podman `--log-driver` option.
 
+### `Mask=`
+
+Specify the paths to mask separated by a colon. `Mask=/path/1:/path/2`.  A masked path cannot be accessed inside the container.
+
 ### `Network=`
 
 Specify a custom network for the container. This has the same format as the `--network` option
@@ -584,6 +588,16 @@ entry from the unit file takes precedence
 
 This key can be listed multiple times.
 
+### `Unmask=`
+
+Specify the paths to unmask separated by a colon. unmask=ALL or /path/1:/path/2, or shell expanded paths (/proc/*):
+
+If set to `ALL`, Podman will unmask all the paths that are masked or made read-only by default.
+
+The default masked paths are /proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.
+
+The default paths that are read-only are /proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup.
+
 ### `UserNS=`
 
 Set the user namespace mode for the container. This is equivalent to the Podman `--userns` option and

pkg/systemd/quadlet/quadlet.go

@@ -65,6 +65,7 @@ const (
 	KeyExitCodePropagation   = "ExitCodePropagation"
 	KeyLabel                 = "Label"
 	KeyLogDriver             = "LogDriver"
+	KeyMask                  = "Mask"
 	KeyMount                 = "Mount"
 	KeyNetwork               = "Network"
 	KeyNetworkDisableDNS     = "DisableDNS"
@@ -100,6 +101,7 @@ const (
 	KeyTimezone              = "Timezone"
 	KeyTmpfs                 = "Tmpfs"
 	KeyType                  = "Type"
+	KeyUnmask                = "Unmask"
 	KeyUser                  = "User"
 	KeyUserNS                = "UserNS"
 	KeyVolatileTmp           = "VolatileTmp"
@@ -136,11 +138,12 @@ var (
 		KeyHealthStartupTimeout:  true,
 		KeyHealthTimeout:         true,
 		KeyHostName:              true,
-		KeyImage:                 true,
-		KeyIP:                    true,
 		KeyIP6:                   true,
+		KeyIP:                    true,
+		KeyImage:                 true,
 		KeyLabel:                 true,
 		KeyLogDriver:             true,
+		KeyMask:                  true,
 		KeyMount:                 true,
 		KeyNetwork:               true,
 		KeyNoNewPrivileges:       true,
@@ -156,15 +159,16 @@ var (
 		KeyRootfs:                true,
 		KeyRunInit:               true,
 		KeySeccompProfile:        true,
+		KeySecret:                true,
 		KeySecurityLabelDisable:  true,
 		KeySecurityLabelFileType: true,
 		KeySecurityLabelLevel:    true,
 		KeySecurityLabelNested:   true,
 		KeySecurityLabelType:     true,
-		KeySecret:                true,
 		KeySysctl:                true,
-		KeyTmpfs:                 true,
 		KeyTimezone:              true,
+		KeyTmpfs:                 true,
+		KeyUnmask:                true,
 		KeyUser:                  true,
 		KeyUserNS:                true,
 		KeyVolatileTmp:           true,
@@ -591,6 +595,16 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 	annotations := container.LookupAllKeyVal(ContainerGroup, KeyAnnotation)
 	podman.addAnnotations(annotations)
 
+	masks := container.LookupAllArgs(ContainerGroup, KeyMask)
+	for _, mask := range masks {
+		podman.add("--security-opt", fmt.Sprintf("mask=%s", mask))
+	}
+
+	unmasks := container.LookupAllArgs(ContainerGroup, KeyUnmask)
+	for _, unmask := range unmasks {
+		podman.add("--security-opt", fmt.Sprintf("unmask=%s", unmask))
+	}
+
 	envFiles := container.LookupAllArgs(ContainerGroup, KeyEnvironmentFile)
 	for _, envFile := range envFiles {
 		filePath, err := getAbsolutePath(container, envFile)

test/e2e/quadlet/mask.container

@@ -0,0 +1,8 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args --security-opt mask=/proc/sys/foo:/proc/sys/bar
+## assert-podman-args --security-opt mask=/proc/sys/foobar
+
+[Container]
+Image=localhost/imagename
+Mask=/proc/sys/foo:/proc/sys/bar
+Mask=/proc/sys/foobar

test/e2e/quadlet/unmask.container

@@ -0,0 +1,8 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args --security-opt unmask=/proc/sys/foo:/proc/sys/bar
+## assert-podman-args --security-opt unmask=all
+
+[Container]
+Image=localhost/imagename
+Unmask=/proc/sys/foo:/proc/sys/bar
+Unmask=all

test/e2e/quadlet_test.go

@@ -551,6 +551,7 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("ip.container", "ip.container"),
 		Entry("label.container", "label.container"),
 		Entry("logdriver.container", "logdriver.container"),
+		Entry("mask.container", "mask.container"),
 		Entry("mount.container", "mount.container"),
 		Entry("name.container", "name.container"),
 		Entry("nestedselinux.container", "nestedselinux.container"),
@@ -579,6 +580,7 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("shortname.container", "shortname.container"),
 		Entry("sysctl.container", "sysctl.container"),
 		Entry("timezone.container", "timezone.container"),
+		Entry("unmask.container", "unmask.container"),
 		Entry("user.container", "user.container"),
 		Entry("volume.container", "volume.container"),
 		Entry("workingdir.container", "workingdir.container"),