Merge pull request #4952 from crosbymichael/label-etc-files

[cri] label etc files for selinux containers
2021-01-19 16:21:35 -05:00
parent 9c3f171391 a731039238
commit 1230bd6303
2 changed files with 25 additions and 1 deletions
--- a/pkg/cri/opts/spec_linux.go
+++ b/pkg/cri/opts/spec_linux.go
@@ -242,6 +242,30 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
 	}
 }

+const (
+	etcHosts       = "/etc/hosts"
+	etcHostname    = "/etc/hostname"
+	resolvConfPath = "/etc/resolv.conf"
+)
+
+// WithRelabeledContainerMounts relabels the default container mounts for files in /etc
+func WithRelabeledContainerMounts(mountLabel string) oci.SpecOpts {
+	return func(ctx context.Context, client oci.Client, _ *containers.Container, s *runtimespec.Spec) (err error) {
+		if mountLabel == "" {
+			return nil
+		}
+		for _, m := range s.Mounts {
+			switch m.Destination {
+			case etcHosts, etcHostname, resolvConfPath:
+				if err := label.Relabel(m.Source, mountLabel, false); err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+	}
+}
+
 // Ensure mount point on which path is mounted, is shared.
 func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error {
 	mountInfo, err := lookupMount(path)
--- a/pkg/cri/server/container_create_linux.go
+++ b/pkg/cri/server/container_create_linux.go
@@ -183,7 +183,7 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 		}
 	}()

-	specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
+	specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel))

 	if !c.config.DisableProcMount {
 		// Apply masked paths if specified.