github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Fix apparmor for privileged.

Browse Source 
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
Lantao Liu 2019-08-19 15:26:31 -07:00
parent f1d492b0cd
commit 10acd8e769
2 changed files with 18 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pkg/server/container_create.go
View File

@ -374,11 +374,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
if !c.config.DisableProcMount { if !c.config.DisableProcMount {
// Apply masked paths if specified. // Apply masked paths if specified.
// Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged() // If the container is privileged, this will be cleared later on.
specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths())) specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths()))
// Apply readonly paths if specified. // Apply readonly paths if specified.
// Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged() // If the container is privileged, this will be cleared later on.
specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths())) specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths()))
} }
@ -577,18 +577,17 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
return nil, nil return nil, nil
} }
switch apparmorProf { switch apparmorProf {
case runtimeDefault: // Based on kubernetes#51746, default apparmor profile should be applied
// for when apparmor is not specified.
case runtimeDefault, "":
if privileged {
// Do not set apparmor profile when container is privileged
return nil, nil
}
// TODO (mikebrow): delete created apparmor default profile // TODO (mikebrow): delete created apparmor default profile
return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
case unconfinedProfile: case unconfinedProfile:
return nil, nil return nil, nil
case "":
// Based on kubernetes#51746, default apparmor profile should be applied
// for non-privileged container when apparmor is not specified.
if privileged {
return nil, nil
}
return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
default: default:
// Require and Trim default profile name prefix // Require and Trim default profile name prefix
if !strings.HasPrefix(apparmorProf, profileNamePrefix) { if !strings.HasPrefix(apparmorProf, profileNamePrefix) {

9
pkg/server/container_create_test.go
View File

@ -1080,10 +1080,19 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
profile: runtimeDefault, profile: runtimeDefault,
specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName), specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),
}, },
"should not apparmor when apparmor is default and privileged is true": {
profile: runtimeDefault,
privileged: true,
},
"should set specified profile when local profile is specified": { "should set specified profile when local profile is specified": {
profile: profileNamePrefix + "test-profile", profile: profileNamePrefix + "test-profile",
specOpts: apparmor.WithProfile("test-profile"), specOpts: apparmor.WithProfile("test-profile"),
}, },
"should set apparmor when local profile is specified and privileged is true": {
profile: profileNamePrefix + "test-profile",
privileged: true,
specOpts: apparmor.WithProfile("test-profile"),
},
"should return error if specified profile is invalid": { "should return error if specified profile is invalid": {
profile: "test-profile", profile: "test-profile",
expectErr: true, expectErr: true,