Merge pull request opencontainers#364 from crosbymichael/masked-paths

Mrunal Patel · Mrunal Patel · commit 93ca97e83ca7 · 2016-04-01T12:02:13.000-07:00
Add masked and readonly paths
diff --git a/config-linux.md b/config-linux.md
@@ -443,7 +443,7 @@ The following parameters can be specified to setup the controller:
 
 ## Sysctl
 
-sysctl allows kernel parameters to be modified at runtime for the container.
+`sysctl` allows kernel parameters to be modified at runtime for the container.
 For more information, see [the man page](http://man7.org/linux/man-pages/man8/sysctl.8.html)
 
 ###### Example
@@ -511,7 +511,7 @@ Operator Constants:
 
 ## Rootfs Mount Propagation
 
-rootfsPropagation sets the rootfs's mount propagation.
+`rootfsPropagation` sets the rootfs's mount propagation.
 Its value is either slave, private, or shared.
 [The kernel doc](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) has more information about mount propagation.
 
@@ -521,6 +521,30 @@ Its value is either slave, private, or shared.
     "rootfsPropagation": "slave",
 ```
 
+## Masked Paths
+
+`maskedPaths` will mask over the provided paths inside the container so that they cannot be read.
+
+###### Example
+
+```json
+    "maskedPaths": [
+        "/proc/kcore"
+    ]
+```
+
+## Readonly Paths
+
+`readonlyPaths` will set the provided paths as readonly inside the container.
+
+###### Example
+
+```json
+    "readonlyPaths": [
+        "/proc/sys"
+    ]
+```
+
 [cgroup-v1]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 [cgroup-v1-blkio]: https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt
 [cgroup-v1-cpusets]: https://www.kernel.org/doc/Documentation/cgroup-v1/cpusets.txt
diff --git a/schema/schema-linux.json b/schema/schema-linux.json
@@ -337,6 +337,14 @@
                         "type": "null"
                     }
                 ]
+            },
+            "maskedPaths": {
+                "id": "https://opencontainers.org/schema/bundle/linux/maskedPaths",
+                "$ref": "defs.json#/definitions/ArrayOfStrings"
+            },
+            "readonlyPaths": {
+                "id": "https://opencontainers.org/schema/bundle/linux/readonlyPaths",
+                "$ref": "defs.json#/definitions/ArrayOfStrings"
             }
         }
     }
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -136,6 +136,10 @@ type Linux struct {
 	Seccomp *Seccomp `json:"seccomp,omitempty"`
 	// RootfsPropagation is the rootfs mount propagation mode for the container.
 	RootfsPropagation string `json:"rootfsPropagation,omitempty"`
+	// MaskedPaths masks over the provided paths inside the container.
+	MaskedPaths []string `json:"maskedPaths,omitempty"`
+	// ReadonlyPaths sets the provided paths as RO inside the container.
+	ReadonlyPaths []string `json:"readonlyPaths,omitempty"`
 }
 
 // Namespace is the configuration for a Linux namespace

Original file line number	Diff line number	Diff line change
`@@ -337,6 +337,14 @@`
`337`	`337`	`"type": "null"`
`338`	`338`	`}`
`339`	`339`	`]`
	`340`	`+ },`
	`341`	`+ "maskedPaths": {`
	`342`	`+ "id": "https://opencontainers.org/schema/bundle/linux/maskedPaths",`
	`343`	`+ "$ref": "defs.json#/definitions/ArrayOfStrings"`
	`344`	`+ },`
	`345`	`+ "readonlyPaths": {`
	`346`	`+ "id": "https://opencontainers.org/schema/bundle/linux/readonlyPaths",`
	`347`	`+ "$ref": "defs.json#/definitions/ArrayOfStrings"`
`340`	`348`	`}`
`341`	`349`	`}`
`342`	`350`	`}`