podman
1//go:build !remote
2
3package generate
4
5import (
6"github.com/containers/common/libimage"
7"github.com/containers/common/pkg/config"
8"github.com/containers/podman/v5/libpod"
9"github.com/containers/podman/v5/pkg/specgen"
10"github.com/opencontainers/runtime-tools/generate"
11)
12
// setLabelOpts is the hook where label options for the container's security
// configuration would be derived from the spec, the runtime and the PID/IPC
// namespace settings.
//
// In this build it is a no-op: none of the arguments are read, nothing on s is
// modified, and the result is always nil. Callers therefore must not assume
// that any process or mount labelling has been applied once it returns.
//
// NOTE(review): presumably the variant for a platform without label support
// (the devfs handling in this file suggests FreeBSD) — confirm against the
// file name and build constraints.
func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig specgen.Namespace, ipcConfig specgen.Namespace) error {
	// Intentionally empty: no label options are set here.
	return nil
}
18
// securityConfigureGenerator applies the security-related parts of the spec s
// to the OCI generator g.
//
// Two settings are handled:
//
//   - Privileged containers: every mount of type "devfs" in g.Config.Mounts has
//     its option list replaced with the single option "ruleset=0", which
//     exposes all devices to the container. Options already present on those
//     mounts are discarded, not merged.
//   - Read-only root: when s.ReadOnlyFilesystem is set, its value is passed to
//     g.SetRootReadonly.
//
// newImage and rtc are accepted but not used in this implementation. The
// function always returns nil.
func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, newImage *libimage.Image, rtc *config.Config) error {
	if s.IsPrivileged() {
		// Edit the mounts in place by index so the change lands in the
		// generator's slice without copying each entry out and back.
		for i := range g.Config.Mounts {
			if g.Config.Mounts[i].Type != "devfs" {
				continue
			}
			// Security-relevant: "ruleset=0" lifts the devfs restrictions, so a
			// privileged container sees every device node.
			g.Config.Mounts[i].Options = []string{"ruleset=0"}
		}
	}

	// A nil pointer means the caller expressed no preference; leave the
	// generator's root filesystem setting untouched in that case.
	if readOnly := s.ReadOnlyFilesystem; readOnly != nil {
		g.SetRootReadonly(*readOnly)
	}

	return nil
}
38