Check seccomp enable and add unit test for seccomp/apparmor.
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
Lantao Liu
@@ -22,11 +22,11 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/contrib/seccomp"
|
||||
"github.com/containerd/typeurl"
|
||||
"github.com/cri-o/ocicni/pkg/ocicni"
|
||||
"github.com/golang/glog"
|
||||
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
|
||||
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/runtime-tools/generate"
|
||||
"golang.org/x/net/context"
|
||||
@@ -76,8 +76,9 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get sandbox image %q: %v", c.config.SandboxImage, err)
|
||||
}
|
||||
securityContext := config.GetLinux().GetSecurityContext()
|
||||
//Create Network Namespace if it is not in host network
|
||||
hostNet := config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetHostNetwork()
|
||||
hostNet := securityContext.GetNamespaceOptions().GetHostNetwork()
|
||||
if !hostNet {
|
||||
// If it is not in host network namespace then create a namespace and set the sandbox
|
||||
// handle. NetNSPath in sandbox metadata and NetNS is non empty only for non host network
|
||||
@@ -125,36 +126,19 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
|
||||
glog.V(4).Infof("Sandbox container spec: %+v", spec)
|
||||
|
||||
var specOpts []containerd.SpecOpts
|
||||
if uid := config.GetLinux().GetSecurityContext().GetRunAsUser(); uid != nil {
|
||||
if uid := securityContext.GetRunAsUser(); uid != nil {
|
||||
specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue())))
|
||||
}
|
||||
|
||||
// Set seccomp profile
|
||||
seccompProf := config.GetLinux().GetSecurityContext().GetSeccompProfilePath()
|
||||
if seccompProf == runtimeDefault || seccompProf == dockerDefault {
|
||||
// use correct default profile (Eg. if not configured otherwise, the default is docker/default for pods)
|
||||
seccompProf = seccompDefaultSandboxProfile
|
||||
seccompSpecOpts, err := generateSeccompSpecOpts(
|
||||
securityContext.GetSeccompProfilePath(),
|
||||
securityContext.GetPrivileged(),
|
||||
runcseccomp.IsEnabled())
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to generate seccomp spec opts: %v", err)
|
||||
}
|
||||
|
||||
// TODO (mikebrow): consider a fuction for the logic used in sandbox and container for secccomp
|
||||
// Unset the seccomp profile, if seccomp is not enabled, unconfined, unset, or the security context is privileged
|
||||
if !seccompEnabled ||
|
||||
seccompProf == unconfinedProfile ||
|
||||
seccompProf == "" ||
|
||||
config.GetLinux().GetSecurityContext().GetPrivileged() {
|
||||
spec.Linux.Seccomp = nil
|
||||
} else {
|
||||
switch seccompProf {
|
||||
case dockerDefault:
|
||||
// Note: WithDefaultProfile specOpts must be added after capabilities
|
||||
specOpts = append(specOpts, seccomp.WithDefaultProfile())
|
||||
default:
|
||||
// Require and Trim default profile name prefix
|
||||
if !strings.HasPrefix(seccompProf, profileNamePrefix) {
|
||||
return nil, fmt.Errorf("invalid seccomp profile %q", seccompProf)
|
||||
}
|
||||
specOpts = append(specOpts, seccomp.WithProfile(strings.TrimPrefix(seccompProf, profileNamePrefix)))
|
||||
}
|
||||
if seccompSpecOpts != nil {
|
||||
specOpts = append(specOpts, seccompSpecOpts)
|
||||
}
|
||||
|
||||
opts := []containerd.NewContainerOpts{
|
||||
|
||||
Reference in New Issue
Block a user