Add MaskedPaths and ReadonlyPaths support.

Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
Lantao Liu 2018-09-04 23:47:44 -07:00
parent 4a65865eaa
commit 3e4cec8739
2 changed files with 60 additions and 1 deletions


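--- a/<file-1-path-not-on-page>
+++ b/<file-1-path-not-on-page>
@@ -355,6 +355,24 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 return nil, errors.Wrapf(err, "failed to set OCI bind mounts %+v", mounts)
 }
+// Apply masked paths if specified.
+// When `MaskedPaths` is not specified, keep runtime default for backward compatibility;
+// When `MaskedPaths` is specified, but length is zero, clear masked path list.
+if securityContext.GetMaskedPaths() != nil {
+g.Config.Linux.MaskedPaths = nil
+for _, path := range securityContext.GetMaskedPaths() {
+g.AddLinuxMaskedPaths(path)
+}
+}
+// Apply readonly paths if specified.
+if securityContext.GetReadonlyPaths() != nil {
+g.Config.Linux.ReadonlyPaths = nil
+for _, path := range securityContext.GetReadonlyPaths() {
+g.AddLinuxReadonlyPaths(path)
+}
+}
 if securityContext.GetPrivileged() {
 if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
 return nil, errors.New("no privileged container allowed in sandbox")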
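Review bot: The readonly block introduced by `// Apply readonly paths if specified.` carries none of the nil-versus-empty semantics spelled out for MaskedPaths just above it, even though it behaves the same way: a nil list keeps the runtime default and an empty list clears it, leaving the container with no readonly paths at all, which is the security-relevant case a reader needs to see. I would extend that line to `// Apply readonly paths if specified; same semantics as MaskedPaths: nil keeps the runtime default, an empty list clears it.` Both blocks also assign `g.Config.Linux.MaskedPaths = nil` and `g.Config.Linux.ReadonlyPaths = nil` directly, which dereferences `g.Config.Linux` with no guard; the start of generateContainerSpec is outside this hunk, so if the generator can be created with Linux left nil this is a nil-pointer panic where the Add* helpers would otherwise have initialized it. Finally, entries are copied from the CRI request into the spec unchanged, so duplicates and non-absolute paths pass straight through to the runtime; if the runtime does not reject those itself, validating them here would give a clearer error than a failed container start.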


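--- a/<file-2-path-not-on-page>
+++ b/<file-2-path-not-on-page>
@@ -248,7 +248,6 @@ func TestContainerCapabilities(t *testing.T) {
 spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
 require.NoError(t, err)
 specCheck(t, testID, testSandboxID, testPid, spec)
-t.Log(spec.Process.Capabilities.Bounding)
 for _, include := range test.includes {
 assert.Contains(t, spec.Process.Capabilities.Bounding, include)
 assert.Contains(t, spec.Process.Capabilities.Effective, include)
@@ -913,3 +912,45 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 }
 }
 }
+func TestMaskedAndReadonlyPaths(t *testing.T) {
+testID := "test-id"
+testSandboxID := "sandbox-id"
+testPid := uint32(1234)
+config, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+c := newTestCRIService()
+defaultSpec, err := defaultRuntimeSpec(testID)
+require.NoError(t, err)
+for desc, test := range map[string]struct {
+masked []string
+readonly []string
+expectedMasked []string
+expectedReadonly []string
+}{
+"should apply default if not specified": {
+expectedMasked: defaultSpec.Linux.MaskedPaths,
+expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
+},
+"should be able to specify empty paths": {
+masked: []string{},
+readonly: []string{},
+expectedMasked: nil,
+expectedReadonly: nil,
+},
+"should apply CRI specified paths": {
+masked: []string{"/proc"},
+readonly: []string{"/sys"},
+expectedMasked: []string{"/proc"},
+expectedReadonly: []string{"/sys"},
+},
+} {
+t.Logf("TestCase %q", desc)
+config.Linux.SecurityContext.MaskedPaths = test.masked
+config.Linux.SecurityContext.ReadonlyPaths = test.readonly
+spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
+require.NoError(t, err)
+specCheck(t, testID, testSandboxID, testPid, spec)
+assert.Equal(t, test.expectedMasked, spec.Linux.MaskedPaths)
+assert.Equal(t, test.expectedReadonly, spec.Linux.ReadonlyPaths)
+}
+}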
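Review bot: The table loop in TestMaskedAndReadonlyPaths reports cases with `t.Logf("TestCase %q", desc)` rather than subtests, so a failing assertion is only attributable to a case by scrolling back through the log, and `require.NoError` aborts the whole test instead of just that case. Wrapping the loop body in `t.Run(desc, func(t *testing.T) { ... })` fixes both and lets `-run` select a single case. The loop also writes `test.masked` and `test.readonly` into the shared `config` fixture returned by getCreateContainerTestData; that is fine here because every case sets both fields, but a one-line comment saying so would stop a future case that sets only one from silently inheriting the previous iteration's value under random map order. The "/proc" and "/sys" case asserts exact equality with the CRI lists, which implicitly checks that specified paths replace rather than extend the runtime defaults; that is the important property and deserves to be stated in the case name or a comment.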