github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Fix a privileged check.

Browse Source 
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
Lantao Liu 2018-01-27 02:25:52 +00:00
parent 9f6315bc88
commit 4dfd8250fd
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/server/container_create.go
View File

@ -324,7 +324,7 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxID string
} }
if securityContext.GetPrivileged() { if securityContext.GetPrivileged() {
if !securityContext.GetPrivileged() { if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
return nil, fmt.Errorf("no privileged container allowed in sandbox") return nil, fmt.Errorf("no privileged container allowed in sandbox")
} }
if err := setOCIPrivileged(&g, config); err != nil { if err := setOCIPrivileged(&g, config); err != nil {

46
pkg/server/container_create_test.go
View File

@ -329,6 +329,52 @@ func TestContainerSpecWithExtraMounts(t *testing.T) {
assert.Contains(t, mounts[1].Options, "rw") assert.Contains(t, mounts[1].Options, "rw")
} }
func TestContainerAndSandboxPrivileged(t *testing.T) {
testID := "test-id"
testSandboxID := "sandbox-id"
testPid := uint32(1234)
config, sandboxConfig, imageConfig, _ := getCreateContainerTestData()
c := newTestCRIContainerdService()
for desc, test := range map[string]struct {
containerPrivileged bool
sandboxPrivileged bool
expectError bool
}{
"privileged container in non-privileged sandbox should fail": {
containerPrivileged: true,
sandboxPrivileged: false,
expectError: true,
},
"privileged container in privileged sandbox should be fine": {
containerPrivileged: true,
sandboxPrivileged: true,
expectError: false,
},
"non-privileged container in privileged sandbox should be fine": {
containerPrivileged: false,
sandboxPrivileged: true,
expectError: false,
},
"non-privileged container in non-privileged sandbox should be fine": {
containerPrivileged: false,
sandboxPrivileged: false,
expectError: false,
},
} {
t.Logf("TestCase %q", desc)
config.Linux.SecurityContext.Privileged = test.containerPrivileged
sandboxConfig.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
Privileged: test.sandboxPrivileged,
}
_, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
if test.expectError {
assert.Error(t, err)
} else {
assert.NoError(t, err)
}
}
}
func TestContainerSpecCommand(t *testing.T) { func TestContainerSpecCommand(t *testing.T) {
for desc, test := range map[string]struct { for desc, test := range map[string]struct {
criEntrypoint []string criEntrypoint []string