From 5f5d954b6af907cfffb1364526cf0d1d5dcc13b9 Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Mon, 20 Jul 2020 07:43:21 -0400 Subject: [PATCH] add selinux category range to config This allows an admin to set the upper bounds on the category range for selinux labels. This can be useful when handling allocation of PVs or other volume types that need to be shared with selinux enabled on the hosts and volumes. Signed-off-by: Michael Crosby --- docs/config.md | 4 ++++ pkg/config/config.go | 3 +++ pkg/config/config_unix.go | 13 +++++++------ pkg/server/service_unix.go | 3 +++ vendor.conf | 2 +- 5 files changed, 18 insertions(+), 7 deletions(-) diff --git a/docs/config.md b/docs/config.md index 1aacf15f1..e9a32435a 100644 --- a/docs/config.md +++ b/docs/config.md @@ -35,6 +35,10 @@ version = 2 # enable_selinux indicates to enable the selinux support. enable_selinux = false + # selinux_category_range allows the upper bound on the category range to be set. + # if not specified or set to 0, defaults to 1024 from the selinux package. + selinux_category_range = 1024 + # sandbox_image is the image used by sandbox container. sandbox_image = "k8s.gcr.io/pause:3.2" diff --git a/pkg/config/config.go b/pkg/config/config.go index 579d72480..7cfb6d51f 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go 
@@ -198,6 +198,9 @@ type PluginConfig struct {
 StreamIdleTimeout string `toml:"stream_idle_timeout" json:"streamIdleTimeout"`
 // EnableSelinux indicates to enable the selinux support.
 EnableSelinux bool `toml:"enable_selinux" json:"enableSelinux"`
+ // SelinuxCategoryRange allows the upper bound on the category range to be set.
+ // If not specified or set to 0, defaults to 1024 from the selinux package.
+ SelinuxCategoryRange int `toml:"selinux_category_range" json:"selinuxCategoryRange"`
 // SandboxImage is the image used by sandbox container.
 SandboxImage string `toml:"sandbox_image" json:"sandboxImage"`
 // StatsCollectPeriod is the period (in seconds) of snapshots stats collection.
diff --git a/pkg/config/config_unix.go b/pkg/config/config_unix.go
index 906301726..9df456b53 100644
--- a/pkg/config/config_unix.go
+++ b/pkg/config/config_unix.go
@@ -44,12 +44,13 @@ func DefaultConfig() PluginConfig {
 },
 },
 },
- DisableTCPService: true,
- StreamServerAddress: "127.0.0.1",
- StreamServerPort: "0",
- StreamIdleTimeout: streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
- EnableSelinux: false,
- EnableTLSStreaming: false,
+ DisableTCPService: true,
+ StreamServerAddress: "127.0.0.1",
+ StreamServerPort: "0",
+ StreamIdleTimeout: streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
+ EnableSelinux: false,
+ SelinuxCategoryRange: 1024,
+ EnableTLSStreaming: false,
 X509KeyPairStreaming: X509KeyPairStreaming{
 TLSKeyFile: "",
 TLSCertFile: "",
diff --git a/pkg/server/service_unix.go b/pkg/server/service_unix.go
index 44f43f8c4..a1d9c9038 100644
--- a/pkg/server/service_unix.go
+++ b/pkg/server/service_unix.go
@@ -44,6 +44,9 @@ func (c *criService) initPlatform() error {
 if !selinux.GetEnabled() {
 logrus.Warn("Selinux is not supported")
 }
+ if r := c.config.SelinuxCategoryRange; r > 0 {
+ selinux.CategoryRange = uint32(r)
+ }
 } else {
 selinux.SetDisabled()
 }
diff --git a/vendor.conf b/vendor.conf
index 35741b13d..df5449187 100644
--- a/vendor.conf
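Review bot: The guard `r > 0` in initPlatform (pkg/server/service_unix.go hunk) silently ignores a negative `selinux_category_range`, and because the field is an `int` a value above `math.MaxUint32` wraps when converted with `uint32(r)`; both should be rejected with an error instead of dropped, e.g. `if r < 0 || r > math.MaxUint32 { return fmt.Errorf("invalid selinux_category_range %d", r) }` ahead of the assignment, using whichever error package the file already imports. Since `selinux.CategoryRange` bounds the MCS category space from which per-container labels are drawn, a value the loaded policy does not support presumably produces labels the kernel rejects, while a smaller value shrinks the space shared by all containers on the host, so a config validation step, if the config package has one, is the natural place for the range check so the operator sees the failure at load time rather than at the first container start. The doc comment on `SelinuxCategoryRange` in the pkg/config/config.go hunk (and docs/config.md) states only that 0 falls back to the package default; it should also say how negative or oversized values are handled. initPlatform's body continues outside the hunk.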
+++ b/vendor.conf @@ -1,8 +1,8 @@ # cri dependencies github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f github.com/opencontainers/selinux v1.6.0 -github.com/willf/bitset d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg github.com/tchap/go-patricia v2.2.6 +github.com/willf/bitset d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg # containerd dependencies github.com/beorn7/perks v1.0.1