feat: linux masked paths

README.md

@@ -182,6 +182,7 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 - [x] kill
 - [x] kill_no_effect
 - [x] linux_devices
+- [x] linux_masked_paths
 - [x] linux_mount_label
 - [x] linux_rootfs_propagation
 - [x] linux_sysctl
@@ -215,7 +216,6 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 - [ ] linux_cgroups_relative_memory
 - [ ] linux_cgroups_relative_network
 - [ ] linux_cgroups_relative_pids
-- [ ] linux_masked_paths
 - [ ] linux_ns_itype
 - [ ] linux_ns_nopath
 - [ ] linux_ns_path

container/container_fork.go

@@ -85,6 +85,10 @@ func (c *Container) Fork() error {
 			return err
 		}
 
+		if err := filesystem.MountMaskedPaths(c.Spec.Linux.MaskedPaths); err != nil {
+			return err
+		}
+
 		if c.Spec.Linux.RootfsPropagation != "" {
 			if err := syscall.Mount("", "/", "", filesystem.MountOptions[c.Spec.Linux.RootfsPropagation].Flag, ""); err != nil {
 				return err

container/filesystem/masked_paths.go

@@ -0,0 +1,40 @@
+package filesystem
+
+import (
+	"os"
+	"syscall"
+)
+
+func MountMaskedPaths(paths []string) error {
+	for _, path := range paths {
+		f, err := os.Stat(path)
+		if err != nil {
+			continue
+		}
+
+		if f.IsDir() {
+			if err := mountDevice(Device{
+				Source: "tmpfs",
+				Target: path,
+				Fstype: "tmpfs",
+				Flags:  syscall.MS_RDONLY,
+				Data:   "",
+			}); err != nil {
+				return err
+			}
+		} else {
+			if err := mountDevice(Device{
+				Source: "/dev/null",
+				Target: path,
+				Fstype: "bind",
+				Flags:  syscall.MS_BIND,
+				Data:   "",
+			}); err != nil {
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}

oci.sh

@@ -32,7 +32,7 @@ tests=(
 # "linux_cgroups_relative_network"
 # "linux_cgroups_relative_pids"
   "linux_devices"
-# "linux_masked_paths"
+  "linux_masked_paths"
   "linux_mount_label"
 # "linux_ns_itype" # ???
 # "linux_ns_nopath"