vbatts/cri-o
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

server: more fixes for selinux and privileged mode

Browse source 
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
Antonio Murdaca 2017-09-20 15:19:58 +02:00
parent 7b0bde4362
commit 6c871769b4
No known key found for this signature in database
GPG key ID: B2BEAD150DE936B9
2 changed files with 58 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

59
server/container_create.go
View file

@ -525,12 +525,25 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
specgen.HostSpecific = true specgen.HostSpecific = true
specgen.ClearProcessRlimits() specgen.ClearProcessRlimits()
var readOnlyRootfs bool
var privileged bool
if containerConfig.GetLinux().GetSecurityContext() != nil {
if containerConfig.GetLinux().GetSecurityContext().Privileged {
privileged = true
}
if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
readOnlyRootfs = true
specgen.SetRootReadonly(true)
}
}
mountLabel := sb.MountLabel() mountLabel := sb.MountLabel()
processLabel := sb.ProcessLabel() processLabel := sb.ProcessLabel()
selinuxConfig := containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions() selinuxConfig := containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions()
if selinuxConfig != nil { if selinuxConfig != nil {
var err error var err error
processLabel, mountLabel, err = getSELinuxLabels(selinuxConfig) processLabel, mountLabel, err = getSELinuxLabels(selinuxConfig, privileged)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -570,19 +583,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
} }
} }
var readOnlyRootfs bool
var privileged bool
if containerConfig.GetLinux().GetSecurityContext() != nil {
if containerConfig.GetLinux().GetSecurityContext().Privileged {
privileged = true
}
if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
readOnlyRootfs = true
specgen.SetRootReadonly(true)
}
}
// set this container's apparmor profile if it is set by sandbox // set this container's apparmor profile if it is set by sandbox
if s.appArmorEnabled && !privileged { if s.appArmorEnabled && !privileged {
appArmorProfileName := s.getAppArmorProfileName(sb.Annotations(), metadata.Name) appArmorProfileName := s.getAppArmorProfileName(sb.Annotations(), metadata.Name)
@ -673,6 +673,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
if privileged { if privileged {
// this is setting correct capabilities as well for privileged mode // this is setting correct capabilities as well for privileged mode
specgen.SetupPrivileged(true) specgen.SetupPrivileged(true)
setOCIBindMountsPrivileged(&specgen)
} else { } else {
toCAPPrefixed := func(cap string) string { toCAPPrefixed := func(cap string) string {
if !strings.HasPrefix(strings.ToLower(cap), "cap_") { if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
@ -720,10 +721,9 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
} }
} }
} }
specgen.SetProcessSelinuxLabel(processLabel)
} }
specgen.SetProcessSelinuxLabel(processLabel)
specgen.SetLinuxMountLabel(sb.MountLabel()) specgen.SetLinuxMountLabel(mountLabel)
if containerConfig.GetLinux().GetSecurityContext() != nil && if containerConfig.GetLinux().GetSecurityContext() != nil &&
!containerConfig.GetLinux().GetSecurityContext().Privileged { !containerConfig.GetLinux().GetSecurityContext().Privileged {
@ -1107,3 +1107,28 @@ func getUserInfo(rootfs string, userName string) (uint32, uint32, []uint32, erro
return uid, gid, additionalGids, nil return uid, gid, additionalGids, nil
} }
func setOCIBindMountsPrivileged(g *generate.Generator) {
spec := g.Spec()
// clear readonly for /sys and cgroup
for i, m := range spec.Mounts {
if spec.Mounts[i].Destination == "/sys" && !spec.Root.Readonly {
clearReadOnly(&spec.Mounts[i])
}
if m.Type == "cgroup" {
clearReadOnly(&spec.Mounts[i])
}
}
spec.Linux.ReadonlyPaths = nil
spec.Linux.MaskedPaths = nil
}
func clearReadOnly(m *rspec.Mount) {
var opt []string
for _, o := range m.Options {
if o != "ro" {
opt = append(opt, o)
}
}
m.Options = opt
}

26
server/sandbox_run.go
View file

@ -247,16 +247,20 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
return nil, fmt.Errorf("requested logDir for sbox id %s is a relative path: %s", id, logDir) return nil, fmt.Errorf("requested logDir for sbox id %s is a relative path: %s", id, logDir)
} }
// Don't use SELinux separation with Host Pid or IPC Namespace, privileged := s.privilegedSandbox(req)
if !req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid && !req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
processLabel, mountLabel, err = getSELinuxLabels(req.GetConfig().GetLinux().GetSecurityContext().GetSelinuxOptions()) processLabel, mountLabel, err = getSELinuxLabels(req.GetConfig().GetLinux().GetSecurityContext().GetSelinuxOptions(), privileged)
if err != nil { if err != nil {
return nil, err return nil, err
}
g.SetProcessSelinuxLabel(processLabel)
g.SetLinuxMountLabel(mountLabel)
} }
// Don't use SELinux separation with Host Pid or IPC Namespace or privileged.
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostPid || req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
processLabel, mountLabel = "", ""
}
g.SetProcessSelinuxLabel(processLabel)
g.SetLinuxMountLabel(mountLabel)
// create shm mount for the pod containers. // create shm mount for the pod containers.
var shmPath string var shmPath string
if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc { if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostIpc {
@ -308,7 +312,6 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
} }
g.SetHostname(hostname) g.SetHostname(hostname)
privileged := s.privilegedSandbox(req)
trusted := s.trustedSandbox(req) trusted := s.trustedSandbox(req)
g.AddAnnotation(annotations.Metadata, string(metadataJSON)) g.AddAnnotation(annotations.Metadata, string(metadataJSON))
g.AddAnnotation(annotations.Labels, string(labelsJSON)) g.AddAnnotation(annotations.Labels, string(labelsJSON))
@ -557,7 +560,10 @@ func (s *Server) setPodSandboxMountLabel(id, mountLabel string) error {
return s.StorageRuntimeServer().SetContainerMetadata(id, storageMetadata) return s.StorageRuntimeServer().SetContainerMetadata(id, storageMetadata)
} }
func getSELinuxLabels(selinuxOptions *pb.SELinuxOption) (processLabel string, mountLabel string, err error) { func getSELinuxLabels(selinuxOptions *pb.SELinuxOption, privileged bool) (processLabel string, mountLabel string, err error) {
if privileged {
return "", "", nil
}
labels := []string{} labels := []string{}
if selinuxOptions != nil { if selinuxOptions != nil {
if selinuxOptions.User != "" { if selinuxOptions.User != "" {