server: more fixes for selinux and privileged mode

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-20 15:19:58 +02:00 · 2017-09-20 15:19:58 +02:00 · 6c871769b4
commit 6c871769b4
parent 7b0bde4362
2 changed files with 58 additions and 27 deletions
--- a/server/container_create.go
+++ b/server/container_create.go
@ -525,12 +525,25 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	specgen.HostSpecific = true
 	specgen.ClearProcessRlimits()

+	var readOnlyRootfs bool
+	var privileged bool
+	if containerConfig.GetLinux().GetSecurityContext() != nil {
+		if containerConfig.GetLinux().GetSecurityContext().Privileged {
+			privileged = true
+		}
+
+		if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
+			readOnlyRootfs = true
+			specgen.SetRootReadonly(true)
+		}
+	}
+
 	mountLabel := sb.MountLabel()
 	processLabel := sb.ProcessLabel()
 	selinuxConfig := containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions()
 	if selinuxConfig != nil {
 		var err error
-		processLabel, mountLabel, err = getSELinuxLabels(selinuxConfig)
+		processLabel, mountLabel, err = getSELinuxLabels(selinuxConfig, privileged)
 		if err != nil {
 			return nil, err
 		}
@ -570,19 +583,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		}
 	}

-	var readOnlyRootfs bool
-	var privileged bool
-	if containerConfig.GetLinux().GetSecurityContext() != nil {
-		if containerConfig.GetLinux().GetSecurityContext().Privileged {
-			privileged = true
-		}
-
-		if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
-			readOnlyRootfs = true
-			specgen.SetRootReadonly(true)
-		}
-	}
-
 	// set this container's apparmor profile if it is set by sandbox
 	if s.appArmorEnabled && !privileged {
 		appArmorProfileName := s.getAppArmorProfileName(sb.Annotations(), metadata.Name)
@ -673,6 +673,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		if privileged {
 			// this is setting correct capabilities as well for privileged mode
 			specgen.SetupPrivileged(true)
+			setOCIBindMountsPrivileged(&specgen)
 		} else {
 			toCAPPrefixed := func(cap string) string {
 				if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
@ -720,10 +721,9 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 					}
 				}
 			}
-			specgen.SetProcessSelinuxLabel(processLabel)
 		}
-
-		specgen.SetLinuxMountLabel(sb.MountLabel())
+		specgen.SetProcessSelinuxLabel(processLabel)
+		specgen.SetLinuxMountLabel(mountLabel)

 		if containerConfig.GetLinux().GetSecurityContext() != nil &&
 			!containerConfig.GetLinux().GetSecurityContext().Privileged {
@ -1107,3 +1107,28 @@ func getUserInfo(rootfs string, userName string) (uint32, uint32, []uint32, erro

 	return uid, gid, additionalGids, nil
 }
+
+func setOCIBindMountsPrivileged(g *generate.Generator) {
+	spec := g.Spec()
+	// clear readonly for /sys and cgroup
+	for i, m := range spec.Mounts {
+		if spec.Mounts[i].Destination == "/sys" && !spec.Root.Readonly {
+			clearReadOnly(&spec.Mounts[i])
+		}
+		if m.Type == "cgroup" {
+			clearReadOnly(&spec.Mounts[i])
+		}
+	}
+	spec.Linux.ReadonlyPaths = nil
+	spec.Linux.MaskedPaths = nil
+}
+
+func clearReadOnly(m *rspec.Mount) {
+	var opt []string
+	for _, o := range m.Options {
+		if o != "ro" {
+			opt = append(opt, o)
+		}
+	}
+	m.Options = opt
+}
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@ -247,16 +247,20 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 		return nil, fmt.Errorf("requested logDir for sbox id %s is a relative path: %s", id, logDir)
 	}

-	// Don't use SELinux separation with Host Pid or IPC Namespace,
-	if !req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid && !req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
-		processLabel, mountLabel, err = getSELinuxLabels(req.GetConfig().GetLinux().GetSecurityContext().GetSelinuxOptions())
-		if err != nil {
-			return nil, err
-		}
-		g.SetProcessSelinuxLabel(processLabel)
-		g.SetLinuxMountLabel(mountLabel)
+	privileged := s.privilegedSandbox(req)
+
+	processLabel, mountLabel, err = getSELinuxLabels(req.GetConfig().GetLinux().GetSecurityContext().GetSelinuxOptions(), privileged)
+	if err != nil {
+		return nil, err
 	}

+	// Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
+	if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid || req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
+		processLabel, mountLabel = "", ""
+	}
+	g.SetProcessSelinuxLabel(processLabel)
+	g.SetLinuxMountLabel(mountLabel)
+
 	// create shm mount for the pod containers.
 	var shmPath string
 	if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
@ -308,7 +312,6 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	}
 	g.SetHostname(hostname)

-	privileged := s.privilegedSandbox(req)
 	trusted := s.trustedSandbox(req)
 	g.AddAnnotation(annotations.Metadata, string(metadataJSON))
 	g.AddAnnotation(annotations.Labels, string(labelsJSON))
@ -557,7 +560,10 @@ func (s *Server) setPodSandboxMountLabel(id, mountLabel string) error {
 	return s.StorageRuntimeServer().SetContainerMetadata(id, storageMetadata)
 }

-func getSELinuxLabels(selinuxOptions *pb.SELinuxOption) (processLabel string, mountLabel string, err error) {
+func getSELinuxLabels(selinuxOptions *pb.SELinuxOption, privileged bool) (processLabel string, mountLabel string, err error) {
+	if privileged {
+		return "", "", nil
+	}
 	labels := []string{}
 	if selinuxOptions != nil {
 		if selinuxOptions.User != "" {