Merge pull request #857 from egernst/untrusted-priv

sandbox: separate host accessing workload and privileged
2018-07-24 12:11:41 -07:00 · 2018-07-24 12:11:41 -07:00 · a0cfc8c1d2
commit a0cfc8c1d2
parent 2be13a8a30 9a01272dc2
2 changed files with 21 additions and 15 deletions
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@ -583,13 +583,10 @@ func untrustedWorkload(config *runtime.PodSandboxConfig) bool {
 	return config.GetAnnotations()[annotations.UntrustedWorkload] == "true"
 }
-// hostPrivilegedSandbox returns true if the sandbox configuration
+// hostAccessingSandbox returns true if the sandbox configuration
-// requires additional host privileges for the sandbox.
+// requires additional host access for the sandbox.
-func hostPrivilegedSandbox(config *runtime.PodSandboxConfig) bool {
+func hostAccessingSandbox(config *runtime.PodSandboxConfig) bool {
 	securityContext := config.GetLinux().GetSecurityContext()
 	if securityContext.GetPrivileged() {
 		return true
 	}
 	namespaceOptions := securityContext.GetNamespaceOptions()
 	if namespaceOptions.GetNetwork() == runtime.NamespaceMode_NODE ||
@ -607,9 +604,13 @@ func hostPrivilegedSandbox(config *runtime.PodSandboxConfig) bool {
 func (c *criService) getSandboxRuntime(config *runtime.PodSandboxConfig) (criconfig.Runtime, error) {
 	untrusted := false
 	if untrustedWorkload(config) {
-		// TODO(random-liu): Figure out we should return error or not.
+		//  If the untrusted workload is requesting access to the host/node, this request will fail.
-		if hostPrivilegedSandbox(config) {
+		//
-			return criconfig.Runtime{}, errors.New("untrusted workload with host privilege is not allowed")
+		//  Note: If the workload is marked untrusted but requests privileged, this can be granted, as the
 		// runtime may support this.  For example, in a virtual-machine isolated runtime, privileged
 		// is a supported option, granting the workload to access the entire guest VM instead of host.
 		if hostAccessingSandbox(config) {
 			return criconfig.Runtime{}, errors.New("untrusted workload with host access is not allowed")
 		}
 		untrusted = true
 	}
--- a/pkg/server/sandbox_run_test.go
+++ b/pkg/server/sandbox_run_test.go
@ -474,7 +474,7 @@ func TestTypeurlMarshalUnmarshalSandboxMeta(t *testing.T) {
 	}
 }
-func TestHostPrivilegedSandbox(t *testing.T) {
+func TestHostAccessingSandbox(t *testing.T) {
 	privilegedContext := &runtime.PodSandboxConfig{
 		Linux: &runtime.LinuxPodSandboxConfig{
 			SecurityContext: &runtime.LinuxSandboxSecurityContext{
@ -507,14 +507,14 @@ func TestHostPrivilegedSandbox(t *testing.T) {
 		want   bool
 	}{
 		{"Security Context is nil", nil, false},
-		{"Security Context is privileged", privilegedContext, true},
+		{"Security Context is privileged", privilegedContext, false},
 		{"Security Context is not privileged", nonPrivilegedContext, false},
 		{"Security Context namespace host access", hostNamespace, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := hostPrivilegedSandbox(tt.config); got != tt.want {
+			if got := hostAccessingSandbox(tt.config); got != tt.want {
-				t.Errorf("hostPrivilegedSandbox() = %v, want %v", got, tt.want)
+				t.Errorf("hostAccessingSandbox() = %v, want %v", got, tt.want)
 			}
 		})
 	}
@ -540,11 +540,16 @@ func TestGetSandboxRuntime(t *testing.T) {
 		expectErr                bool
 		expectedRuntime          criconfig.Runtime
 	}{
-		"should return error if untrusted workload requires host privilege": {
+		"should return error if untrusted workload requires host access": {
 			sandboxConfig: &runtime.PodSandboxConfig{
 				Linux: &runtime.LinuxPodSandboxConfig{
 					SecurityContext: &runtime.LinuxSandboxSecurityContext{
-						Privileged: true,
+						Privileged: false,
 						NamespaceOptions: &runtime.NamespaceOption{
 							Network: runtime.NamespaceMode_NODE,
 							Pid:     runtime.NamespaceMode_NODE,
 							Ipc:     runtime.NamespaceMode_NODE,
 						},
 					},
 				},
 				Annotations: map[string]string{