Security Option unmask missing from Podman build command

[jensrudolf]

Issue Description

Good Afternoon.

Support for unmask as security option via --security-opt flag was implemented in containers/podman#8408. However, it seems to be missing from the build subcommand as documentation only states

• apparmor
• label
• seccomp

and specifying this option results in

$ podman build --security-opt unmask=ALL -f context/Containerfile context
Error: invalid --security-opt 2: "unmask=ALL"

Running ``podman build` in a Podman-in-Podman scenarion (e.g. CI pipeline) requires this in order to avoid having to mount /proc to /proc via command line which does not allow for unmasking selective paths.

Steps to reproduce the issue

podman build --security-opt unmask=/proc -f Containerfile

Describe the results you received

Error: invalid --security-opt 2: "unmask=ALL

Describe the results you expected

Podman builds the container image.

podman info output

$ podman info
host:
  arch: amd64
  buildahVersion: 1.37.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-2.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 99.46
    systemPercent: 0.22
    userPercent: 0.32
  cpus: 8
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: container
    version: "40"
  eventLogger: file
  freeLocks: 2048
  hostname: runner-smfycxu4q-project-809-concurrent-0
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-503.14.1.el9_5.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 8688377856
  memTotal: 16499392512
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.2-2.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark-1.12.2-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.17-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20241030.gee7d0b6-1.fc40.x86_64
    version: |
      pasta 0^20241030.gee7d0b6-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 4249358336
  swapTotal: 4294963200
  uptime: 20h 4m 57.00s (Approximately 0.83 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions:
    vfs.imagestore: /usr/lib/containers/storage
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 519676362752
  graphRootUsed: 11840548864
  graphStatus: {}
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.2.5
  Built: 1729814400
  BuiltTime: Fri Oct 25 00:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.5

Podman in a container

Yes

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

Podman called from ansible-builder within quay.io/containers/community-ansible-dev-tools:lastest running in a GitLab CI pipeline job using Docker Executor with Podman 5.2.2 as container engine on a RHEL9 host.

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting