Merge pull request from GHSA-mvff-h3cj-wj9c
only relabel cri managed host mounts
commit
644a01e13b
@ -224,30 +224,6 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
const (
|
|
||||||
etcHosts = "/etc/hosts"
|
|
||||||
etcHostname = "/etc/hostname"
|
|
||||||
resolvConfPath = "/etc/resolv.conf"
|
|
||||||
)
|
|
||||||
|
|
||||||
// WithRelabeledContainerMounts relabels the default container mounts for files in /etc
|
|
||||||
func WithRelabeledContainerMounts(mountLabel string) oci.SpecOpts {
|
|
||||||
return func(ctx context.Context, client oci.Client, _ *containers.Container, s *runtimespec.Spec) (err error) {
|
|
||||||
if mountLabel == "" {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
for _, m := range s.Mounts {
|
|
||||||
switch m.Destination {
|
|
||||||
case etcHosts, etcHostname, resolvConfPath:
|
|
||||||
if err := label.Relabel(m.Source, mountLabel, false); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Ensure mount point on which path is mounted, is shared.
|
// Ensure mount point on which path is mounted, is shared.
|
||||||
func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error {
|
func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error {
|
||||||
mountInfo, err := lookupMount(path)
|
mountInfo, err := lookupMount(path)
|
||||||
|
@ -71,6 +71,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
|
|||||||
ContainerPath: etcHostname,
|
ContainerPath: etcHostname,
|
||||||
HostPath: hostpath,
|
HostPath: hostpath,
|
||||||
Readonly: securityContext.GetReadonlyRootfs(),
|
Readonly: securityContext.GetReadonlyRootfs(),
|
||||||
|
SelinuxRelabel: true,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -80,6 +81,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
|
|||||||
ContainerPath: etcHosts,
|
ContainerPath: etcHosts,
|
||||||
HostPath: c.getSandboxHosts(sandboxID),
|
HostPath: c.getSandboxHosts(sandboxID),
|
||||||
Readonly: securityContext.GetReadonlyRootfs(),
|
Readonly: securityContext.GetReadonlyRootfs(),
|
||||||
|
SelinuxRelabel: true,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -90,6 +92,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
|
|||||||
ContainerPath: resolvConfPath,
|
ContainerPath: resolvConfPath,
|
||||||
HostPath: c.getResolvPath(sandboxID),
|
HostPath: c.getResolvPath(sandboxID),
|
||||||
Readonly: securityContext.GetReadonlyRootfs(),
|
Readonly: securityContext.GetReadonlyRootfs(),
|
||||||
|
SelinuxRelabel: true,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
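Review bot: The three `SelinuxRelabel: true` fields added to the hostname, hosts and resolv.conf entries in containerMounts carry the whole security decision of this change, yet nothing at the call site says why only these entries are flagged; a later edit that goes back to matching on ContainerPath would reintroduce the problem the removed WithRelabeledContainerMounts had. I would add above the first flagged entry: `// Only CRI-managed sandbox files are relabeled. User-supplied mounts at the same destination must never be, since their host path is attacker-controlled.` The removed helper also skipped relabeling when mountLabel was empty; that guard now has to live in whatever consumes this flag (WithMounts, outside this hunk), which is worth confirming rather than assuming. containerMounts starts and ends outside the hunk.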
@ -192,7 +195,7 @@ func (c *criService) containerSpec(
|
|||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel))
|
specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
|
||||||
|
|
||||||
if !c.config.DisableProcMount {
|
if !c.config.DisableProcMount {
|
||||||
// Change the default masked/readonly paths to empty slices
|
// Change the default masked/readonly paths to empty slices
|
||||||
|
@ -455,16 +455,19 @@ func TestContainerMounts(t *testing.T) {
|
|||||||
ContainerPath: "/etc/hostname",
|
ContainerPath: "/etc/hostname",
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
|
||||||
Readonly: true,
|
Readonly: true,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: "/etc/hosts",
|
ContainerPath: "/etc/hosts",
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
||||||
Readonly: true,
|
Readonly: true,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: resolvConfPath,
|
ContainerPath: resolvConfPath,
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
||||||
Readonly: true,
|
Readonly: true,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: "/dev/shm",
|
ContainerPath: "/dev/shm",
|
||||||
@ -481,16 +484,19 @@ func TestContainerMounts(t *testing.T) {
|
|||||||
ContainerPath: "/etc/hostname",
|
ContainerPath: "/etc/hostname",
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
|
||||||
Readonly: false,
|
Readonly: false,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: "/etc/hosts",
|
ContainerPath: "/etc/hosts",
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
||||||
Readonly: false,
|
Readonly: false,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: resolvConfPath,
|
ContainerPath: resolvConfPath,
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
||||||
Readonly: false,
|
Readonly: false,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: "/dev/shm",
|
ContainerPath: "/dev/shm",
|
||||||
@ -509,16 +515,19 @@ func TestContainerMounts(t *testing.T) {
|
|||||||
ContainerPath: "/etc/hostname",
|
ContainerPath: "/etc/hostname",
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
|
||||||
Readonly: false,
|
Readonly: false,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: "/etc/hosts",
|
ContainerPath: "/etc/hosts",
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
||||||
Readonly: false,
|
Readonly: false,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: resolvConfPath,
|
ContainerPath: resolvConfPath,
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
||||||
Readonly: false,
|
Readonly: false,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: "/dev/shm",
|
ContainerPath: "/dev/shm",
|
||||||
@ -560,11 +569,13 @@ func TestContainerMounts(t *testing.T) {
|
|||||||
ContainerPath: "/etc/hosts",
|
ContainerPath: "/etc/hosts",
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
||||||
Readonly: false,
|
Readonly: false,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: resolvConfPath,
|
ContainerPath: resolvConfPath,
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
||||||
Readonly: false,
|
Readonly: false,
|
||||||
|
SelinuxRelabel: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ContainerPath: "/dev/shm",
|
ContainerPath: "/dev/shm",
|
||||||
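Review bot: These test updates only assert that the CRI-managed hostname, hosts and resolv.conf entries now carry `SelinuxRelabel: true`; nothing pins the negative case the advisory is about, namely that a user-supplied mount whose destination is `/etc/hosts`, `/etc/hostname` or `/etc/resolv.conf` is not relabeled. A table case with such a mount in the container config and an expectation that it comes back without the flag would make any regression visible; if containerMounts never sees user mounts, that assertion belongs in the tests for WithMounts instead. TestContainerMounts starts and ends outside the hunk.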
|