maskedPaths and readonlyPaths: skip unexistent paths
runc ignores unexistent paths in maskedPaths and readonlyPaths. That's
useful for blocking /proc/latency_stats (default in buildah) because
this path does not exist on all kernels.

In this case, no error should be generated. Other errors should be
generated. For example, using readonlyPaths on an unbindable path fails
and this error must be generated, otherwise the path would silently stay
read-write.

Signed-off-by: Alban Crequy <[email protected]>
alban committed Aug 15, 2018
1 parent d810dbc commit c5e0999
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions config-linux.md
Expand Up @@ -635,6 +635,7 @@ The following parameters can be specified to set up seccomp:

**`maskedPaths`** (array of strings, OPTIONAL) will mask over the provided paths inside the container so that they cannot be read.
The values MUST be absolute paths in the [container namespace](glossary.md#container_namespace).
Unexistent paths MUST be skipped without generating an error.

### Example
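
Review bot: the added `maskedPaths` sentence covers only the skip case and leaves out the other half of the commit message, that every other failure still generates an error. As written, a runtime could read it as permission to ignore any masking failure, which would leave a path readable that the config asked to hide. Suggest following it with a sentence such as "Any other failure to mask a path MUST generate an error." The wording "Unexistent" is also nonstandard; "Nonexistent paths MUST be skipped without generating an error." reads better.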

Expand All @@ -648,6 +649,7 @@ The following parameters can be specified to set up seccomp:

**`readonlyPaths`** (array of strings, OPTIONAL) will set the provided paths as readonly inside the container.
The values MUST be absolute paths in the [container namespace](glossary.md#container-namespace).
Unexistent paths MUST be skipped without generating an error.

### Example
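
Review bot: the added `readonlyPaths` sentence does not carry the requirement the commit message calls out, that an unbindable path must still produce an error so the path does not silently stay read-write. That is the security-relevant half of the change and it should be normative text, for example "Any other failure to set a path readonly MUST generate an error." Separately, the context line here links `glossary.md#container-namespace` while the `maskedPaths` context line links `glossary.md#container_namespace`; the two anchors should match.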
