oci/defaults_linux.go: mask /sys/firmware
On typical x86_64 machines, /sys/firmware can contain SMBIOS and ACPI tables. There is no need to expose the directory to containers. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This commit is contained in:
Akihiro Suda
parent
9bd8c1d332
commit
8b1772c86b
1 changed files with 1 additions and 0 deletions
|
|
@ -83,6 +83,7 @@ func DefaultSpec() specs.Spec {
|
|||
"/proc/timer_list",
|
||||
"/proc/timer_stats",
|
||||
"/proc/sched_debug",
|
||||
"/sys/firmware",
|
||||
},
|
||||
ReadonlyPaths: []string{
|
||||
"/proc/asound",
|
||||
|
|
|
|||
Loading…
Reference in a new issue