only relabel cri managed host mounts

Co-authored-by: Samuel Karp <skarp@amazon.com> Signed-off-by: Michael Crosby <michael@thepasture.io> Signed-off-by: Samuel Karp <skarp@amazon.com>
2021-11-09 19:45:40 +00:00 · 2021-11-09 19:45:40 +00:00 · 9b0303913f
commit 9b0303913f
parent 432ddecaae
3 changed files with 57 additions and 67 deletions
--- a/pkg/cri/opts/spec_linux.go
+++ b/pkg/cri/opts/spec_linux.go
@ -224,30 +224,6 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
 	}
 }

-const (
-	etcHosts       = "/etc/hosts"
-	etcHostname    = "/etc/hostname"
-	resolvConfPath = "/etc/resolv.conf"
-)
-
-// WithRelabeledContainerMounts relabels the default container mounts for files in /etc
-func WithRelabeledContainerMounts(mountLabel string) oci.SpecOpts {
-	return func(ctx context.Context, client oci.Client, _ *containers.Container, s *runtimespec.Spec) (err error) {
-		if mountLabel == "" {
-			return nil
-		}
-		for _, m := range s.Mounts {
-			switch m.Destination {
-			case etcHosts, etcHostname, resolvConfPath:
-				if err := label.Relabel(m.Source, mountLabel, false); err != nil {
-					return err
-				}
-			}
-		}
-		return nil
-	}
-}
-
 // Ensure mount point on which path is mounted, is shared.
 func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error {
 	mountInfo, err := lookupMount(path)
--- a/pkg/cri/server/container_create_linux.go
+++ b/pkg/cri/server/container_create_linux.go
@ -71,6 +71,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 				ContainerPath:  etcHostname,
 				HostPath:       hostpath,
 				Readonly:       securityContext.GetReadonlyRootfs(),
+				SelinuxRelabel: true,
 			})
 		}
 	}
@ -80,6 +81,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 			ContainerPath:  etcHosts,
 			HostPath:       c.getSandboxHosts(sandboxID),
 			Readonly:       securityContext.GetReadonlyRootfs(),
+			SelinuxRelabel: true,
 		})
 	}

@ -90,6 +92,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 			ContainerPath:  resolvConfPath,
 			HostPath:       c.getResolvPath(sandboxID),
 			Readonly:       securityContext.GetReadonlyRootfs(),
+			SelinuxRelabel: true,
 		})
 	}

@ -192,7 +195,7 @@ func (c *criService) containerSpec(
 		}
 	}()

-	specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel))
+	specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))

 	if !c.config.DisableProcMount {
 		// Change the default masked/readonly paths to empty slices
--- a/pkg/cri/server/container_create_linux_test.go
+++ b/pkg/cri/server/container_create_linux_test.go
@ -455,16 +455,19 @@ func TestContainerMounts(t *testing.T) {
 					ContainerPath:  "/etc/hostname",
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
 					Readonly:       true,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  "/etc/hosts",
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
 					Readonly:       true,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  resolvConfPath,
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
 					Readonly:       true,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  "/dev/shm",
@ -481,16 +484,19 @@ func TestContainerMounts(t *testing.T) {
 					ContainerPath:  "/etc/hostname",
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
 					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  "/etc/hosts",
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
 					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  resolvConfPath,
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
 					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  "/dev/shm",
@ -509,16 +515,19 @@ func TestContainerMounts(t *testing.T) {
 					ContainerPath:  "/etc/hostname",
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
 					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  "/etc/hosts",
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
 					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  resolvConfPath,
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
 					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath: "/dev/shm",
@ -560,11 +569,13 @@ func TestContainerMounts(t *testing.T) {
 					ContainerPath:  "/etc/hosts",
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
 					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  resolvConfPath,
 					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
 					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  "/dev/shm",