From 1d455a31a9748514d31742b9251d116c0532fa4f Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Fri, 12 May 2017 12:47:40 +0200
Subject: [PATCH] server: add RO and masked paths on container creation

Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/server/container_create.go b/server/container_create.go
index 3b7ce7e8..7d77eec1 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -462,6 +462,27 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 specgen.SetProcessSelinuxLabel(sb.processLabel)
 specgen.SetLinuxMountLabel(sb.mountLabel)
+ for _, mp := range []string{
+ "/proc/kcore",
+ "/proc/latency_stats",
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ "/sys/firmware",
+ } {
+ specgen.AddLinuxMaskedPaths(mp)
+ }
+
+ for _, rp := range []string{
+ "/proc/asound",
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger",
+ } {
+ specgen.AddLinuxReadonlyPaths(rp)
+ }
 }

 // Join the namespace paths for the pod sandbox container.
 podInfraState := s.runtime.ContainerStatus(sb.infraContainer)
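Review bot: The two path lists are hard-coded inline in createSandboxContainer with no comment saying where they come from — they match the OCI runtime-tools/runc default masked and read-only paths, and nothing in the hunk shows whether `specgen` was already seeded with them (`generate.New()` does seed exactly these, so if the spec above the hunk was built that way the loops append duplicates; worth confirming against the code above). I would hoist them to package-level `var defaultMaskedPaths` / `var defaultReadonlyPaths` with a comment such as `// defaultMaskedPaths and defaultReadonlyPaths mirror the runtime-spec defaults; keep in sync with runc and clear them for privileged containers`, so the list is auditable in one place and each loop collapses to `for _, p := range defaultMaskedPaths { specgen.AddLinuxMaskedPaths(p) }`. The loops sit inside a block whose opening brace is outside the hunk, so it is not visible here whether the privileged case is excluded; conventionally a privileged container gets no masked or read-only paths, and applying them unconditionally would be a functional regression for such workloads. Masking only hides what is listed, and runtime defaults have grown since this snapshot (later lists also mask e.g. /proc/keys and /proc/scsi), so the list should be re-checked whenever the runtime dependency is bumped rather than treated as complete. The enclosing function starts and ends outside the hunk.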