server: fix selinux labels for pod and containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
parent
daf34b9a31
commit
e3682373d0
2 changed files with 23 additions and 12 deletions
|
@ -45,7 +45,7 @@ const (
|
|||
defaultSystemdParent = "system.slice"
|
||||
)
|
||||
|
||||
func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
|
||||
func addOCIBindMounts(mountLabel string, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
|
||||
volumes := []oci.ContainerVolume{}
|
||||
mounts := containerConfig.GetMounts()
|
||||
for _, mount := range mounts {
|
||||
|
@ -73,7 +73,7 @@ func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig,
|
|||
|
||||
if mount.SelinuxRelabel {
|
||||
// Need a way in kubernetes to determine if the volume is shared or private
|
||||
if err := label.Relabel(src, sb.MountLabel(), true); err != nil && err != unix.ENOTSUP {
|
||||
if err := label.Relabel(src, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, fmt.Errorf("relabel failed %s: %v", src, err)
|
||||
}
|
||||
}
|
||||
|
@ -519,7 +519,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
specgen.HostSpecific = true
|
||||
specgen.ClearProcessRlimits()
|
||||
|
||||
containerVolumes, err := addOCIBindMounts(sb, containerConfig, &specgen)
|
||||
processLabel, mountLabel, err := getSELinuxLabels(containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
containerVolumes, err := addOCIBindMounts(mountLabel, containerConfig, &specgen)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -703,7 +708,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
}
|
||||
}
|
||||
specgen.SetProcessSelinuxLabel(sb.ProcessLabel())
|
||||
specgen.SetProcessSelinuxLabel(processLabel)
|
||||
}
|
||||
|
||||
specgen.SetLinuxMountLabel(sb.MountLabel())
|
||||
|
@ -818,15 +823,18 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
options = []string{"ro"}
|
||||
}
|
||||
if sb.ResolvPath() != "" {
|
||||
// TODO: selinux
|
||||
// label.Relabel(sb.ResolvPath(), container.MountLabel, shared)
|
||||
if err := label.Relabel(sb.ResolvPath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// bind mount the pod resolver file
|
||||
specgen.AddBindMount(sb.ResolvPath(), "/etc/resolv.conf", options)
|
||||
}
|
||||
|
||||
if sb.HostnamePath() != "" {
|
||||
// TODO: selinux
|
||||
if err := label.Relabel(sb.HostnamePath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
specgen.AddBindMount(sb.HostnamePath(), "/etc/hostname", options)
|
||||
}
|
||||
|
@ -884,7 +892,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
containerName, containerID,
|
||||
metaname,
|
||||
attempt,
|
||||
sb.MountLabel(),
|
||||
mountLabel,
|
||||
nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -907,7 +915,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
|
||||
// Add image volumes
|
||||
if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, sb.MountLabel()); err != nil {
|
||||
if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, mountLabel); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
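Review bot: `specgen.SetLinuxMountLabel(sb.MountLabel())` in the -703 hunk still hands the pod's mount label to the OCI spec, while every other label use in this function now takes `mountLabel` derived from the container's own SELinux options (the relabel at -73, the resolv/hostname relabels at -818, the storage create argument at -884 and addImageVolumes at -907). If a container's securityContext carries selinuxOptions that differ from the pod's, the label the runtime applies from the spec and the labels written onto the container's volumes and storage layers will disagree, which presumably defeats the purpose of the per-container label; it should read `specgen.SetLinuxMountLabel(mountLabel)` unless the pod label is intended there. The -818 hunk also relabels sb.ResolvPath() and sb.HostnamePath() on every container start, repeating what RunPodSandbox already does for the pod, so the last container to start rewrites the label on files shared by the whole pod; with shared=true this may be harmless if the MCS categories are dropped, but that cannot be confirmed from the diff. createSandboxContainer starts and ends outside these hunks.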
|
|
|
@ -203,8 +203,9 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
}
|
||||
return nil, err
|
||||
}
|
||||
// TODO: selinux
|
||||
// label.Relabel(sb.ResolvPath(), container.MountLabel, shared)
|
||||
if err := label.Relabel(resolvPath, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
g.AddBindMount(resolvPath, "/etc/resolv.conf", []string{"ro"})
|
||||
}
|
||||
|
@ -464,7 +465,9 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
if err := ioutil.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// TODO: selinux relabel
|
||||
if err := label.Relabel(hostnamePath, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, err
|
||||
}
|
||||
g.AddBindMount(hostnamePath, "/etc/hostname", []string{"ro"})
|
||||
g.AddAnnotation(annotations.HostnamePath, hostnamePath)
|
||||
sb.AddHostnamePath(hostnamePath)
|
||||
|
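Review bot: Both new Relabel calls return the bare error (`return nil, err` after `label.Relabel(resolvPath, mountLabel, true)` and after `label.Relabel(hostnamePath, mountLabel, true)`), so a relabel failure reaches the caller without saying which pod file was involved, unlike the same call in addOCIBindMounts which wraps it as `fmt.Errorf("relabel failed %s: %v", src, err)`. `return nil, fmt.Errorf("relabel failed %s: %v", resolvPath, err)` and the hostnamePath equivalent would keep the two files consistent. `mountLabel` is declared outside both hunks, so which label RunPodSandbox passes here cannot be confirmed from the diff. RunPodSandbox starts and ends outside the hunks.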
|