github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Set masked and readonly paths based on default Unix spec

Browse Source 
The default values of masked and readonly paths are defined
in populateDefaultUnixSpec, and are used when a sandbox is
created.  It is not, however, used for new containers.  If
a container definition does not contain a security context
specifying masked/readonly paths, a container created from
it does not have masked and readonly paths.

This patch applies the default values to masked and
readonly paths of a new container, when any specific values
are not specified.

Fixes #1569

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
This commit is contained in:
Yohei Ueda 2020-09-09 21:23:05 +09:00
parent 35e623e6bf
commit b582da4438
No known key found for this signature in database
GPG Key ID: 38F36806B36F6BCD
2 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pkg/server/container_create_unix.go
View File

@ -182,11 +182,15 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
if !c.config.DisableProcMount {
// Apply masked paths if specified.
// If the container is privileged, this will be cleared later on.
specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths()))
if maskedPaths := securityContext.GetMaskedPaths(); maskedPaths != nil {
specOpts = append(specOpts, oci.WithMaskedPaths(maskedPaths))
}
// Apply readonly paths if specified.
// If the container is privileged, this will be cleared later on.
specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths()))
if readonlyPaths := securityContext.GetReadonlyPaths(); readonlyPaths != nil {
specOpts = append(specOpts, oci.WithReadonlyPaths(readonlyPaths))
}
}
if securityContext.GetPrivileged() {

6
pkg/server/container_create_unix_test.go
View File

@ -959,12 +959,12 @@ func TestMaskedAndReadonlyPaths(t *testing.T) {
expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
privileged: false,
},
"should always apply CRI specified paths when disable_proc_mount = false": {
"should apply default if not specified when disable_proc_mount = false": {
disableProcMount: false,
masked: nil,
readonly: nil,
expectedMasked: nil,
expectedReadonly: nil,
expectedMasked: defaultSpec.Linux.MaskedPaths,
expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
privileged: false,
},
"should be able to specify empty paths": {