test filtering of container create masks when privileged

Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2019-03-13 14:52:22 -05:00 · 2019-03-13 14:52:22 -05:00 · bf4e7a885c
commit bf4e7a885c
parent f5ff4394b9
2 changed files with 32 additions and 1 deletions
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@ -372,6 +372,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 	// Apply masked paths if specified.
 	// When `MaskedPaths` is not specified, keep runtime default for backward compatibility;
 	// When `MaskedPaths` is specified, but length is zero, clear masked path list.
+	// Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged()
 	if securityContext.GetMaskedPaths() != nil {
 		g.Config.Linux.MaskedPaths = nil
 		for _, path := range securityContext.GetMaskedPaths() {
@ -380,6 +381,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 	}

 	// Apply readonly paths if specified.
+	// Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged()
 	if securityContext.GetReadonlyPaths() != nil {
 		g.Config.Linux.ReadonlyPaths = nil
 		for _, path := range securityContext.GetReadonlyPaths() {
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@ -1017,30 +1017,59 @@ func TestMaskedAndReadonlyPaths(t *testing.T) {
 		readonly         []string
 		expectedMasked   []string
 		expectedReadonly []string
+		privileged       bool
 	}{
 		"should apply default if not specified": {
 			expectedMasked:   defaultSpec.Linux.MaskedPaths,
 			expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
+			privileged:       false,
 		},
 		"should be able to specify empty paths": {
 			masked:           []string{},
 			readonly:         []string{},
 			expectedMasked:   nil,
 			expectedReadonly: nil,
+			privileged:       false,
 		},
 		"should apply CRI specified paths": {
 			masked:           []string{"/proc"},
 			readonly:         []string{"/sys"},
 			expectedMasked:   []string{"/proc"},
 			expectedReadonly: []string{"/sys"},
+			privileged:       false,
+		},
+		"default should be nil for privileged": {
+			expectedMasked:   nil,
+			expectedReadonly: nil,
+			privileged:       true,
+		},
+		"should be able to specify empty paths, esp. if privileged": {
+			masked:           []string{},
+			readonly:         []string{},
+			expectedMasked:   nil,
+			expectedReadonly: nil,
+			privileged:       true,
+		},
+		"should not apply CRI specified paths if privileged": {
+			masked:           []string{"/proc"},
+			readonly:         []string{"/sys"},
+			expectedMasked:   nil,
+			expectedReadonly: nil,
+			privileged:       true,
 		},
 	} {
 		t.Logf("TestCase %q", desc)
 		config.Linux.SecurityContext.MaskedPaths = test.masked
 		config.Linux.SecurityContext.ReadonlyPaths = test.readonly
+		config.Linux.SecurityContext.Privileged = test.privileged
+		sandboxConfig.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
+			Privileged: test.privileged,
+		}
 		spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
 		require.NoError(t, err)
-		specCheck(t, testID, testSandboxID, testPid, spec)
+		if !test.privileged { // specCheck presumes an unprivileged container
+			specCheck(t, testID, testSandboxID, testPid, spec)
+		}
 		assert.Equal(t, test.expectedMasked, spec.Linux.MaskedPaths)
 		assert.Equal(t, test.expectedReadonly, spec.Linux.ReadonlyPaths)
 	}