maskedPaths and readonlyPaths: skip unexistent paths

alban · alban · commit c5e0999ee558 · 2018-08-15T15:33:46.000+02:00
runc ignores unexistent paths in maskedPaths and readonlyPaths. That's
useful for blocking /proc/latency_stats (default in buildah) because
this path is not existing on all kernels.

In this case, no error should be generated. Other errors should be
generated. For example, using readonlyPaths on a unbindable path fails
and this error must be generated, otherwise the path would silently stay
read-write.

Signed-off-by: Alban Crequy &lt;alban@kinvolk.io&gt;
diff --git a/config-linux.md b/config-linux.md
@@ -635,6 +635,7 @@ The following parameters can be specified to set up seccomp:
 
 **`maskedPaths`** (array of strings, OPTIONAL) will mask over the provided paths inside the container so that they cannot be read.
     The values MUST be absolute paths in the [container namespace](glossary.md#container_namespace).
+    Unexistent paths MUST be skipped without generating an error.
 
 ### Example
 
@@ -648,6 +649,7 @@ The following parameters can be specified to set up seccomp:
 
 **`readonlyPaths`** (array of strings, OPTIONAL) will set the provided paths as readonly inside the container.
     The values MUST be absolute paths in the [container namespace](glossary.md#container-namespace).
+    Unexistent paths MUST be skipped without generating an error.
 
 ### Example
 
