diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go index a83f155fda..a3638ace21 100644 --- a/daemon/oci_linux.go +++ b/daemon/oci_linux.go @@ -685,12 +685,10 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c } if c.HostConfig.Privileged { - if !s.Root.Readonly { - // clear readonly for /sys - for i := range s.Mounts { - if s.Mounts[i].Destination == "/sys" { - clearReadOnly(&s.Mounts[i]) - } + // clear readonly for /sys + for i := range s.Mounts { + if s.Mounts[i].Destination == "/sys" { + clearReadOnly(&s.Mounts[i]) } } s.Linux.ReadonlyPaths = nil diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go index a4984862ee..3b6e3cbbdf 100644 --- a/integration-cli/docker_cli_run_test.go +++ b/integration-cli/docker_cli_run_test.go @@ -2688,7 +2688,7 @@ func (s *DockerSuite) TestRunContainerWithReadonlyRootfs(c *check.C) { if root := os.Getenv("DOCKER_REMAP_ROOT"); root != "" { testPriv = false } - testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/sys/kernel") + testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname") } func (s *DockerSuite) TestPermissionsPtsReadonlyRootfs(c *check.C) {