spec: bind mount /sys only for rootless containers

root can always mount a new instance. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1279 Approved by: rhatdan
2024-10-20 17:23:30 +00:00 · 2018-08-15 17:08:27 +02:00 · 2018-08-15 17:08:27 +02:00 · 0ddb42b4f7
parent 883aea51a3
commit 0ddb42b4f7
1 changed files with 1 additions and 1 deletions
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@ -35,7 +35,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 			Options:     []string{"nosuid", "noexec", "nodev", "rw"},
 		}
 		g.AddMount(sysMnt)
-	} else if !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
+	} else if rootless.IsRootless() && !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
 		addCgroup = false
 		g.RemoveMount("/sys")
 		sysMnt := spec.Mount{