server: fix selinux labels for pod and containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
parent
daf34b9a31
commit
e3682373d0
2 changed files with 23 additions and 12 deletions
|
@ -45,7 +45,7 @@ const (
|
||||||
defaultSystemdParent = "system.slice"
|
defaultSystemdParent = "system.slice"
|
||||||
)
|
)
|
||||||
|
|
||||||
func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
|
func addOCIBindMounts(mountLabel string, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
|
||||||
volumes := []oci.ContainerVolume{}
|
volumes := []oci.ContainerVolume{}
|
||||||
mounts := containerConfig.GetMounts()
|
mounts := containerConfig.GetMounts()
|
||||||
for _, mount := range mounts {
|
for _, mount := range mounts {
|
||||||
|
@ -73,7 +73,7 @@ func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig,
|
||||||
|
|
||||||
if mount.SelinuxRelabel {
|
if mount.SelinuxRelabel {
|
||||||
// Need a way in kubernetes to determine if the volume is shared or private
|
// Need a way in kubernetes to determine if the volume is shared or private
|
||||||
if err := label.Relabel(src, sb.MountLabel(), true); err != nil && err != unix.ENOTSUP {
|
if err := label.Relabel(src, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||||
return nil, fmt.Errorf("relabel failed %s: %v", src, err)
|
return nil, fmt.Errorf("relabel failed %s: %v", src, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -519,7 +519,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
specgen.HostSpecific = true
|
specgen.HostSpecific = true
|
||||||
specgen.ClearProcessRlimits()
|
specgen.ClearProcessRlimits()
|
||||||
|
|
||||||
containerVolumes, err := addOCIBindMounts(sb, containerConfig, &specgen)
|
processLabel, mountLabel, err := getSELinuxLabels(containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions())
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
containerVolumes, err := addOCIBindMounts(mountLabel, containerConfig, &specgen)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -703,7 +708,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
specgen.SetProcessSelinuxLabel(sb.ProcessLabel())
|
specgen.SetProcessSelinuxLabel(processLabel)
|
||||||
}
|
}
|
||||||
|
|
||||||
specgen.SetLinuxMountLabel(sb.MountLabel())
|
specgen.SetLinuxMountLabel(sb.MountLabel())
|
||||||
|
@ -818,15 +823,18 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
options = []string{"ro"}
|
options = []string{"ro"}
|
||||||
}
|
}
|
||||||
if sb.ResolvPath() != "" {
|
if sb.ResolvPath() != "" {
|
||||||
// TODO: selinux
|
if err := label.Relabel(sb.ResolvPath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||||
// label.Relabel(sb.ResolvPath(), container.MountLabel, shared)
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
// bind mount the pod resolver file
|
// bind mount the pod resolver file
|
||||||
specgen.AddBindMount(sb.ResolvPath(), "/etc/resolv.conf", options)
|
specgen.AddBindMount(sb.ResolvPath(), "/etc/resolv.conf", options)
|
||||||
}
|
}
|
||||||
|
|
||||||
if sb.HostnamePath() != "" {
|
if sb.HostnamePath() != "" {
|
||||||
// TODO: selinux
|
if err := label.Relabel(sb.HostnamePath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
specgen.AddBindMount(sb.HostnamePath(), "/etc/hostname", options)
|
specgen.AddBindMount(sb.HostnamePath(), "/etc/hostname", options)
|
||||||
}
|
}
|
||||||
|
@ -884,7 +892,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
containerName, containerID,
|
containerName, containerID,
|
||||||
metaname,
|
metaname,
|
||||||
attempt,
|
attempt,
|
||||||
sb.MountLabel(),
|
mountLabel,
|
||||||
nil)
|
nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -907,7 +915,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
}
|
}
|
||||||
|
|
||||||
// Add image volumes
|
// Add image volumes
|
||||||
if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, sb.MountLabel()); err != nil {
|
if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, mountLabel); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -203,8 +203,9 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
}
|
}
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
// TODO: selinux
|
if err := label.Relabel(resolvPath, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||||
// label.Relabel(sb.ResolvPath(), container.MountLabel, shared)
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
g.AddBindMount(resolvPath, "/etc/resolv.conf", []string{"ro"})
|
g.AddBindMount(resolvPath, "/etc/resolv.conf", []string{"ro"})
|
||||||
}
|
}
|
||||||
|
@ -464,7 +465,9 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
if err := ioutil.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil {
|
if err := ioutil.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
// TODO: selinux relabel
|
if err := label.Relabel(hostnamePath, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
g.AddBindMount(hostnamePath, "/etc/hostname", []string{"ro"})
|
g.AddBindMount(hostnamePath, "/etc/hostname", []string{"ro"})
|
||||||
g.AddAnnotation(annotations.HostnamePath, hostnamePath)
|
g.AddAnnotation(annotations.HostnamePath, hostnamePath)
|
||||||
sb.AddHostnamePath(hostnamePath)
|
sb.AddHostnamePath(hostnamePath)
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue