test filtering of container create masks when privileged

Signed-off-by: Mike Brown <brownwm@us.ibm.com>
This commit is contained in:
Mike Brown
2019-03-13 14:52:22 -05:00
parent f5ff4394b9
commit bf4e7a885c
2 changed files with 32 additions and 1 deletions


@@ -372,6 +372,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
// Apply masked paths if specified.
// When `MaskedPaths` is not specified, keep runtime default for backward compatibility;
// When `MaskedPaths` is specified, but length is zero, clear masked path list.
// Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged()
if securityContext.GetMaskedPaths() != nil {
g.Config.Linux.MaskedPaths = nil
for _, path := range securityContext.GetMaskedPaths() {
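Review bot: The `// Note:` comment added here (and its twin in the readonly-paths hunk below) states that the masked paths collected in this block are discarded later by setOCIPrivileged(), but nothing in this block enforces that ordering and the consequence for callers is left implicit. If setOCIPrivileged() does clear the list as described, an explicit non-empty MaskedPaths on a privileged container is silently ignored, which is worth saying outright and pinning in the test this commit's title describes; the helper itself is outside this view, so that behaviour is inferred from the comment only. I would reword to `// Note: for privileged containers setOCIPrivileged() later drops whatever is collected here, so an explicit non-empty MaskedPaths has no effect on them.` and keep the cross-reference in one place rather than repeating it verbatim at both sites. generateContainerSpec continues on both sides of this hunk.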
@@ -380,6 +381,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
}
// Apply readonly paths if specified.
// Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged()
if securityContext.GetReadonlyPaths() != nil {
g.Config.Linux.ReadonlyPaths = nil
for _, path := range securityContext.GetReadonlyPaths() {