From 1aec120d5ff98d5f7f2895c1fd0394347d164f4a Mon Sep 17 00:00:00 2001
From: Yanqiang Miao
Date: Wed, 23 Aug 2017 09:45:44 +0800
Subject: [PATCH] Support NoNewPrivileges

fixes #117

Signed-off-by: Yanqiang Miao
---
 hack/test-e2e-node.sh | 1 -
 pkg/server/container_create.go | 3 +++
 pkg/server/container_create_test.go | 4 ++++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/hack/test-e2e-node.sh b/hack/test-e2e-node.sh
index a55528507..c584798a0 100755
--- a/hack/test-e2e-node.sh
+++ b/hack/test-e2e-node.sh
@@ -22,7 +22,6 @@ DEFAULT_SKIP="\[Flaky\]|\[Slow\]|\[Serial\]"
 DEFAULT_SKIP+="|runAsUser"
 DEFAULT_SKIP+="|scheduling\sa\sGuaranteed\sPod"
 DEFAULT_SKIP+="|scheduling\sa\sBurstable\sPod"
-DEFAULT_SKIP+="|AllowPrivilegeEscalation"
 DEFAULT_SKIP+="|scheduling\sa\sBestEffort\sPod"
 DEFAULT_SKIP+="|querying\s\/stats\/summary"
 DEFAULT_SKIP+="|set\sto\sthe\smanifest\sdigest"
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index e32b34290..949b3ae21 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -214,6 +214,9 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 
 		// TODO(random-liu): [P1] Set selinux options.
 		// TODO(random-liu): [P2] Add apparmor and seccomp.
+
+		// TODO: Figure out whether we should set no new privilege for sandbox container by default
+		g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
 	}
 
 	g.SetRootReadonly(securityContext.GetReadonlyRootfs())
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index d661a1be4..6d2d80c68 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -90,6 +90,7 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 					DropCapabilities: []string{"CHOWN"},
 				},
 				SupplementalGroups: []int64{1111, 2222},
+				NoNewPrivs: true,
 			},
 		},
 	}
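Review bot: The new `g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())` call is placed inside a block whose opening is outside the hunk, whereas the sibling `g.SetRootReadonly(securityContext.GetReadonlyRootfs())` on the last context line runs unconditionally after that block closes; if the enclosing block is conditional, a security context that asks for no_new_privs is silently ignored whenever that condition is false. Either move the call down next to `g.SetRootReadonly` so every container spec honours the field, or add a comment stating why it is intentionally restricted to this branch. The accompanying TODO speaks of the sandbox container, but this is `generateContainerSpec`, so it reads as misplaced; rewording it to `// TODO: decide whether the sandbox container spec should default to no_new_privs; for containers an unset field keeps the permissive default (false)` would make both the scope and the fail-open default explicit. generateContainerSpec continues on both sides of the hunk.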
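Review bot: The fixture only ever enables the flag (`NoNewPrivs: true`), so the assertion on `spec.Process.NoNewPrivileges` cannot distinguish a correct mapping from a spec that is hard-wired to true, and the default path where the field is unset and the spec must leave NoNewPrivileges false is not covered at all. A second create-container case with the field omitted, asserting `assert.False(t, spec.Process.NoNewPrivileges)`, would pin both directions of the mapping. In the assertion added in the next hunk, `assert.Equal(t, spec.Process.NoNewPrivileges, true)` passes actual before expected; `assert.True(t, spec.Process.NoNewPrivileges)` reads better and reports the mismatch the right way round. getCreateContainerTestData continues outside the hunk.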
@@ -146,6 +147,9 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 		assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
 		assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
 
+		t.Logf("Check no_new_privs")
+		assert.Equal(t, spec.Process.NoNewPrivileges, true)
+
 		t.Logf("Check cgroup path")
 		assert.Equal(t, getCgroupsPath("/test/cgroup/parent", id), spec.Linux.CgroupsPath)