Make the profile configurable
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
This commit is contained in:
Xianglin Gao
parent
1f863846f5
commit
26645c90ac
6 changed files with 43 additions and 25 deletions
|
|
@ -15,6 +15,7 @@ const (
|
|||
conmonPath = "/usr/libexec/ocid/conmon"
|
||||
pausePath = "/usr/libexec/ocid/pause"
|
||||
seccompProfilePath = "/etc/ocid/seccomp.json"
|
||||
apparmorProfileName = "crio-default"
|
||||
)
|
||||
|
||||
var commentedConfigTemplate = template.Must(template.New("config").Parse(`
|
||||
|
|
@ -64,6 +65,10 @@ selinux = {{ .SELinux }}
|
|||
# default for the runtime.
|
||||
seccomp_profile = "{{ .SeccompProfile }}"
|
||||
|
||||
# apparmor_profile is the apparmor profile name which is used as the
|
||||
# default for the runtime.
|
||||
apparmor_profile = "{{ .ApparmorProfile }}"
|
||||
|
||||
# The "ocid.image" table contains settings pertaining to the
|
||||
# management of OCI images.
|
||||
[ocid.image]
|
||||
|
|
@ -96,6 +101,7 @@ func DefaultConfig() *server.Config {
|
|||
},
|
||||
SELinux: selinux.SelinuxEnabled(),
|
||||
SeccompProfile: seccompProfilePath,
|
||||
ApparmorProfile: apparmorProfileName,
|
||||
},
|
||||
ImageConfig: server.ImageConfig{
|
||||
Pause: pausePath,
|
||||
|
|
|
|||
|
|
@ -59,6 +59,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
|
|||
if ctx.GlobalIsSet("seccomp-profile") {
|
||||
config.SeccompProfile = ctx.GlobalString("seccomp-profile")
|
||||
}
|
||||
if ctx.GlobalIsSet("apparmor-profile") {
|
||||
config.ApparmorProfile = ctx.GlobalString("apparmor-profile")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
@ -135,6 +138,10 @@ func main() {
|
|||
Name: "seccomp-profile",
|
||||
Usage: "default seccomp profile path",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "apparmor-profile",
|
||||
Usage: "default apparmor profile name (default: \"crio-default\")",
|
||||
},
|
||||
cli.BoolFlag{
|
||||
Name: "selinux",
|
||||
Usage: "enable selinux support",
|
||||
|
|
|
|||
|
|
@ -57,24 +57,6 @@ func IsEnabled() bool {
|
|||
return apparmor.IsEnabled()
|
||||
}
|
||||
|
||||
// GetAppArmorProfileName gets the profile name for the given container.
|
||||
func GetAppArmorProfileName(annotations map[string]string, ctrName string) string {
|
||||
profile := GetProfileNameFromPodAnnotations(annotations, ctrName)
|
||||
|
||||
if profile == "" {
|
||||
return ""
|
||||
}
|
||||
|
||||
if profile == ProfileRuntimeDefault {
|
||||
// If the value is runtime/default, then return default profile.
|
||||
logrus.Infof("get default profile name")
|
||||
return defaultApparmorProfile
|
||||
}
|
||||
|
||||
profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
|
||||
return profileName
|
||||
}
|
||||
|
||||
// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
|
||||
// pod annotations
|
||||
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
|
||||
|
|
|
|||
|
|
@ -68,6 +68,10 @@ type RuntimeConfig struct {
|
|||
// SeccompProfile is the seccomp json profile path which is used as the
|
||||
// default for the runtime.
|
||||
SeccompProfile string `toml:"seccomp_profile"`
|
||||
|
||||
// ApparmorProfile is the apparmor profile name which is used as the
|
||||
// default for the runtime.
|
||||
ApparmorProfile string `toml:"apparmor_profile"`
|
||||
}
|
||||
|
||||
// ImageConfig represents the "ocid.image" TOML config table.
|
||||
|
|
|
|||
|
|
@ -186,7 +186,7 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
|
|||
|
||||
// set this container's apparmor profile if it is set by sandbox
|
||||
if s.appArmorEnabled {
|
||||
appArmorProfileName := apparmor.GetAppArmorProfileName(sb.annotations, metadata.GetName())
|
||||
appArmorProfileName := s.getAppArmorProfileName(sb.annotations, metadata.GetName())
|
||||
if appArmorProfileName != "" {
|
||||
specgen.SetProcessApparmorProfile(appArmorProfileName)
|
||||
}
|
||||
|
|
@ -383,3 +383,20 @@ func (s *Server) generateContainerIDandName(podName string, name string, attempt
|
|||
}
|
||||
return id, name, err
|
||||
}
|
||||
|
||||
// getAppArmorProfileName gets the profile name for the given container.
|
||||
func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName string) string {
|
||||
profile := apparmor.GetProfileNameFromPodAnnotations(annotations, ctrName)
|
||||
|
||||
if profile == "" {
|
||||
return ""
|
||||
}
|
||||
|
||||
if profile == apparmor.ProfileRuntimeDefault {
|
||||
// If the value is runtime/default, then return default profile.
|
||||
return s.appArmorProfile
|
||||
}
|
||||
|
||||
profileName := strings.TrimPrefix(profile, apparmor.ProfileNamePrefix)
|
||||
return profileName
|
||||
}
|
||||
|
|
|
|||
|
|
@ -42,6 +42,7 @@ type Server struct {
|
|||
seccompProfile seccomp.Seccomp
|
||||
|
||||
appArmorEnabled bool
|
||||
appArmorProfile string
|
||||
}
|
||||
|
||||
func (s *Server) loadContainer(id string) error {
|
||||
|
|
@ -300,6 +301,7 @@ func New(config *Config) (*Server, error) {
|
|||
if s.appArmorEnabled {
|
||||
apparmor.InstallDefaultAppArmorProfile()
|
||||
}
|
||||
s.appArmorProfile = config.ApparmorProfile
|
||||
|
||||
s.podIDIndex = truncindex.NewTruncIndex([]string{})
|
||||
s.podNameIndex = registrar.NewRegistrar()
|
||||
|
|
|
|||
Loading…
Reference in a new issue