From c5e0999ee5583cac13d5101aab5962abec6990e8 Mon Sep 17 00:00:00 2001 From: Alban Crequy Date: Thu, 2 Aug 2018 12:23:27 +0200 Subject: [PATCH] maskedPaths and readonlyPaths: skip unexistent paths runc ignores unexistent paths in maskedPaths and readonlyPaths. That's useful for blocking /proc/latency_stats (default in buildah) because this path is not existing on all kernels. In this case, no error should be generated. Other errors should be generated. For example, using readonlyPaths on a unbindable path fails and this error must be generated, otherwise the path would silently stay read-write. Signed-off-by: Alban Crequy --- config-linux.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config-linux.md b/config-linux.md index e3d4100ab..a003f488d 100644 --- a/config-linux.md +++ b/config-linux.md @@ -635,6 +635,7 @@ The following parameters can be specified to set up seccomp: **`maskedPaths`** (array of strings, OPTIONAL) will mask over the provided paths inside the container so that they cannot be read. The values MUST be absolute paths in the [container namespace](glossary.md#container_namespace). + Unexistent paths MUST be skipped without generating an error. ### Example @@ -648,6 +649,7 @@ The following parameters can be specified to set up seccomp: **`readonlyPaths`** (array of strings, OPTIONAL) will set the provided paths as readonly inside the container. The values MUST be absolute paths in the [container namespace](glossary.md#container-namespace). + Unexistent paths MUST be skipped without generating an error. ### Example
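Review bot: In the `maskedPaths` hunk (@@ -635,6 +635,7 @@), the added sentence "Unexistent paths MUST be skipped without generating an error." uses a non-standard word and does not say where existence is evaluated. Suggest "Paths that do not exist in the container namespace MUST be skipped without generating an error.", which ties the check to the container namespace named in the preceding sentence. Separately, the context line in this hunk links to `glossary.md#container_namespace` (underscore) while the `readonlyPaths` context line links to `glossary.md#container-namespace` (hyphen); the two anchors should agree and could be fixed in the same change.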
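Review bot: In the `readonlyPaths` hunk (@@ -648,6 +649,7 @@), the added sentence covers only the skip case and leaves the failure case unspecified. The commit message states that other errors must still be generated, because a path that cannot be made read-only would otherwise silently stay read-write, but nothing in the spec text requires it. Suggest following the new line with a second normative sentence such as "Any other failure to set a path read-only MUST generate an error.", with the equivalent sentence under `maskedPaths`, so a runtime cannot treat every failure as skippable and leave a sensitive path exposed.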