Merge pull request #2573 from jpculp/unmask-sys-firmware

host-ctr: Unmask `/sys/firmware` from host containers
bottlerocket-os · Nov 15, 2022 · 0643430 · 0643430
2 parents ce153da + f4c1899
commit 0643430
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/sources/host-ctr/cmd/host-ctr/main.go b/sources/host-ctr/cmd/host-ctr/main.go
@@ -288,6 +288,20 @@ func runCtr(containerdSocket string, namespace string, containerID string, sourc
 			oci.WithHostNamespace(runtimespec.NetworkNamespace),
 			oci.WithHostHostsFile,
 			oci.WithHostResolvconf,
+			// Unmask `/sys/firmware` by passing an alternate list of masked paths
+			// List is based on the DefaultUnixSpec's MaskedPaths for Linux
+			// (https://github.com/containerd/containerd/blob/e9af808/oci/spec.go#L164)
+			oci.WithMaskedPaths([]string{
+				"/proc/acpi",
+				"/proc/asound",
+				"/proc/kcore",
+				"/proc/keys",
+				"/proc/latency_stats",
+				"/proc/timer_list",
+				"/proc/timer_stats",
+				"/proc/sched_debug",
+				"/proc/scsi",
+			}),
 			// Pass proxy environment variables to this container
 			withProxyEnv(),
 			// Add a default set of mounts regardless of the container type