github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-21 19:01:49 +00:00
Code Issues Projects Releases Wiki Activity

Move /proc/asound from defaultReadonlyPaths to defaultMaskedPaths (align with moby)

Browse Source 
Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>
This commit is contained in:
Ming-Wei Shih 2022-08-25 15:40:03 +00:00
parent 76277917b9
commit 532bb2288e
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/securitycontext/util.go
View File

@ -212,9 +212,10 @@ func AddNoNewPrivileges(sc *v1.SecurityContext) bool {
var ( var (
// These *must* be kept in sync with moby/moby. // These *must* be kept in sync with moby/moby.
// https://github.com/moby/moby/blob/master/oci/defaults.go#L116-L134 // https://github.com/moby/moby/blob/master/oci/defaults.go#L105-L123
// @jessfraz will watch changes to those files upstream. // @jessfraz will watch changes to those files upstream.
defaultMaskedPaths = []string{ defaultMaskedPaths = []string{
"/proc/asound",
"/proc/acpi", "/proc/acpi",
"/proc/kcore", "/proc/kcore",
"/proc/keys", "/proc/keys",
@ -226,7 +227,6 @@ var (
"/sys/firmware", "/sys/firmware",
} }
defaultReadonlyPaths = []string{ defaultReadonlyPaths = []string{
"/proc/asound",
"/proc/bus", "/proc/bus",
"/proc/fs", "/proc/fs",
"/proc/irq", "/proc/irq",