Merge pull request from GHSA-mvff-h3cj-wj9c

Only relabel CRI-managed host mounts
Derek McGowan 2022-01-05 09:30:58 -08:00 committed by GitHub
commit 644a01e13b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 57 additions and 67 deletions


@ -224,30 +224,6 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
} }
} }
const (
etcHosts = "/etc/hosts"
etcHostname = "/etc/hostname"
resolvConfPath = "/etc/resolv.conf"
)
// WithRelabeledContainerMounts relabels the default container mounts for files in /etc
func WithRelabeledContainerMounts(mountLabel string) oci.SpecOpts {
return func(ctx context.Context, client oci.Client, _ *containers.Container, s *runtimespec.Spec) (err error) {
if mountLabel == "" {
return nil
}
for _, m := range s.Mounts {
switch m.Destination {
case etcHosts, etcHostname, resolvConfPath:
if err := label.Relabel(m.Source, mountLabel, false); err != nil {
return err
}
}
}
return nil
}
}
// Ensure mount point on which path is mounted, is shared. // Ensure mount point on which path is mounted, is shared.
func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error { func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error {
mountInfo, err := lookupMount(path) mountInfo, err := lookupMount(path)


@ -68,18 +68,20 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
hostpath := c.getSandboxHostname(sandboxID) hostpath := c.getSandboxHostname(sandboxID)
if _, err := c.os.Stat(hostpath); err == nil { if _, err := c.os.Stat(hostpath); err == nil {
mounts = append(mounts, &runtime.Mount{ mounts = append(mounts, &runtime.Mount{
ContainerPath: etcHostname, ContainerPath: etcHostname,
HostPath: hostpath, HostPath: hostpath,
Readonly: securityContext.GetReadonlyRootfs(), Readonly: securityContext.GetReadonlyRootfs(),
SelinuxRelabel: true,
}) })
} }
} }
if !isInCRIMounts(etcHosts, config.GetMounts()) { if !isInCRIMounts(etcHosts, config.GetMounts()) {
mounts = append(mounts, &runtime.Mount{ mounts = append(mounts, &runtime.Mount{
ContainerPath: etcHosts, ContainerPath: etcHosts,
HostPath: c.getSandboxHosts(sandboxID), HostPath: c.getSandboxHosts(sandboxID),
Readonly: securityContext.GetReadonlyRootfs(), Readonly: securityContext.GetReadonlyRootfs(),
SelinuxRelabel: true,
}) })
} }
@ -87,9 +89,10 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
// TODO: Need to figure out whether we should always mount it as read-only // TODO: Need to figure out whether we should always mount it as read-only
if !isInCRIMounts(resolvConfPath, config.GetMounts()) { if !isInCRIMounts(resolvConfPath, config.GetMounts()) {
mounts = append(mounts, &runtime.Mount{ mounts = append(mounts, &runtime.Mount{
ContainerPath: resolvConfPath, ContainerPath: resolvConfPath,
HostPath: c.getResolvPath(sandboxID), HostPath: c.getResolvPath(sandboxID),
Readonly: securityContext.GetReadonlyRootfs(), Readonly: securityContext.GetReadonlyRootfs(),
SelinuxRelabel: true,
}) })
} }
@ -192,7 +195,7 @@ func (c *criService) containerSpec(
} }
}() }()
specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel)) specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
if !c.config.DisableProcMount { if !c.config.DisableProcMount {
// Change the default masked/readonly paths to empty slices // Change the default masked/readonly paths to empty slices
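Review bot: The three added `SelinuxRelabel: true` lines (on the `/etc/hostname`, `/etc/hosts` and `/etc/resolv.conf` mounts in the first two hunks) carry the whole security property of this fix, yet nothing says why the flag is set per mount instead of being keyed on the container path, which is exactly what the removed `WithRelabeledContainerMounts` did by switching on `m.Destination`. A comment above the first one such as `// Relabel only mounts whose HostPath containerd itself creates under the sandbox directory; never decide this from ContainerPath, since a user-supplied mount may target the same path with an arbitrary host source` would keep a future maintainer from reintroducing the destination-based match. The guarantee also rests on `customopts.WithMounts` (not in this diff) honoring the flag and leaving mounts without it unlabeled, and the test hunks only assert the flag on the expected CRI mounts; a case with a user-supplied `/etc/hosts` mount asserting that no mount with that host path is relabeled would pin the negative side. `containerMounts` and `containerSpec` both begin and end outside these hunks.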


@ -452,19 +452,22 @@ func TestContainerMounts(t *testing.T) {
}, },
expectedMounts: []*runtime.Mount{ expectedMounts: []*runtime.Mount{
{ {
ContainerPath: "/etc/hostname", ContainerPath: "/etc/hostname",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
Readonly: true, Readonly: true,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/etc/hosts", ContainerPath: "/etc/hosts",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
Readonly: true, Readonly: true,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: resolvConfPath, ContainerPath: resolvConfPath,
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
Readonly: true, Readonly: true,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/dev/shm", ContainerPath: "/dev/shm",
@ -478,19 +481,22 @@ func TestContainerMounts(t *testing.T) {
securityContext: &runtime.LinuxContainerSecurityContext{}, securityContext: &runtime.LinuxContainerSecurityContext{},
expectedMounts: []*runtime.Mount{ expectedMounts: []*runtime.Mount{
{ {
ContainerPath: "/etc/hostname", ContainerPath: "/etc/hostname",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/etc/hosts", ContainerPath: "/etc/hosts",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: resolvConfPath, ContainerPath: resolvConfPath,
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/dev/shm", ContainerPath: "/dev/shm",
@ -506,19 +512,22 @@ func TestContainerMounts(t *testing.T) {
}, },
expectedMounts: []*runtime.Mount{ expectedMounts: []*runtime.Mount{
{ {
ContainerPath: "/etc/hostname", ContainerPath: "/etc/hostname",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/etc/hosts", ContainerPath: "/etc/hosts",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: resolvConfPath, ContainerPath: resolvConfPath,
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/dev/shm", ContainerPath: "/dev/shm",
@ -557,14 +566,16 @@ func TestContainerMounts(t *testing.T) {
securityContext: &runtime.LinuxContainerSecurityContext{}, securityContext: &runtime.LinuxContainerSecurityContext{},
expectedMounts: []*runtime.Mount{ expectedMounts: []*runtime.Mount{
{ {
ContainerPath: "/etc/hosts", ContainerPath: "/etc/hosts",
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: resolvConfPath, ContainerPath: resolvConfPath,
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"), HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
Readonly: false, Readonly: false,
SelinuxRelabel: true,
}, },
{ {
ContainerPath: "/dev/shm", ContainerPath: "/dev/shm",