test filtering of container create masks when privileged
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
This commit is contained in:
parent
f5ff4394b9
commit
bf4e7a885c
@ -372,6 +372,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
|
|||||||
// Apply masked paths if specified.
|
// Apply masked paths if specified.
|
||||||
// When `MaskedPaths` is not specified, keep runtime default for backward compatibility;
|
// When `MaskedPaths` is not specified, keep runtime default for backward compatibility;
|
||||||
// When `MaskedPaths` is specified, but length is zero, clear masked path list.
|
// When `MaskedPaths` is specified, but length is zero, clear masked path list.
|
||||||
|
// Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged()
|
||||||
if securityContext.GetMaskedPaths() != nil {
|
if securityContext.GetMaskedPaths() != nil {
|
||||||
g.Config.Linux.MaskedPaths = nil
|
g.Config.Linux.MaskedPaths = nil
|
||||||
for _, path := range securityContext.GetMaskedPaths() {
|
for _, path := range securityContext.GetMaskedPaths() {
|
||||||
@ -380,6 +381,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Apply readonly paths if specified.
|
// Apply readonly paths if specified.
|
||||||
|
// Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged()
|
||||||
if securityContext.GetReadonlyPaths() != nil {
|
if securityContext.GetReadonlyPaths() != nil {
|
||||||
g.Config.Linux.ReadonlyPaths = nil
|
g.Config.Linux.ReadonlyPaths = nil
|
||||||
for _, path := range securityContext.GetReadonlyPaths() {
|
for _, path := range securityContext.GetReadonlyPaths() {
|
||||||
|
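Review bot: The comment added above the masked-paths block (and its twin above the readonly-paths block in the second hunk) does not say that the clearing in setOCIPrivileged() also discards paths the CRI security context explicitly lists, which is exactly the case the accompanying test pins down and the one a reader of this block would not expect. I would make that explicit: `// Note: if the container is privileged, setOCIPrivileged() later clears MaskedPaths, including any paths explicitly requested here.` and the same wording for ReadonlyPaths. The "later on" ordering claim cannot be checked from these hunks because the setOCIPrivileged() call is outside them; the range loop and generateContainerSpec both continue past the last line shown.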
@ -1017,30 +1017,59 @@ func TestMaskedAndReadonlyPaths(t *testing.T) {
|
|||||||
readonly []string
|
readonly []string
|
||||||
expectedMasked []string
|
expectedMasked []string
|
||||||
expectedReadonly []string
|
expectedReadonly []string
|
||||||
|
privileged bool
|
||||||
}{
|
}{
|
||||||
"should apply default if not specified": {
|
"should apply default if not specified": {
|
||||||
expectedMasked: defaultSpec.Linux.MaskedPaths,
|
expectedMasked: defaultSpec.Linux.MaskedPaths,
|
||||||
expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
|
expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
|
||||||
|
privileged: false,
|
||||||
},
|
},
|
||||||
"should be able to specify empty paths": {
|
"should be able to specify empty paths": {
|
||||||
masked: []string{},
|
masked: []string{},
|
||||||
readonly: []string{},
|
readonly: []string{},
|
||||||
expectedMasked: nil,
|
expectedMasked: nil,
|
||||||
expectedReadonly: nil,
|
expectedReadonly: nil,
|
||||||
|
privileged: false,
|
||||||
},
|
},
|
||||||
"should apply CRI specified paths": {
|
"should apply CRI specified paths": {
|
||||||
masked: []string{"/proc"},
|
masked: []string{"/proc"},
|
||||||
readonly: []string{"/sys"},
|
readonly: []string{"/sys"},
|
||||||
expectedMasked: []string{"/proc"},
|
expectedMasked: []string{"/proc"},
|
||||||
expectedReadonly: []string{"/sys"},
|
expectedReadonly: []string{"/sys"},
|
||||||
|
privileged: false,
|
||||||
|
},
|
||||||
|
"default should be nil for privileged": {
|
||||||
|
expectedMasked: nil,
|
||||||
|
expectedReadonly: nil,
|
||||||
|
privileged: true,
|
||||||
|
},
|
||||||
|
"should be able to specify empty paths, esp. if privileged": {
|
||||||
|
masked: []string{},
|
||||||
|
readonly: []string{},
|
||||||
|
expectedMasked: nil,
|
||||||
|
expectedReadonly: nil,
|
||||||
|
privileged: true,
|
||||||
|
},
|
||||||
|
"should not apply CRI specified paths if privileged": {
|
||||||
|
masked: []string{"/proc"},
|
||||||
|
readonly: []string{"/sys"},
|
||||||
|
expectedMasked: nil,
|
||||||
|
expectedReadonly: nil,
|
||||||
|
privileged: true,
|
||||||
},
|
},
|
||||||
} {
|
} {
|
||||||
t.Logf("TestCase %q", desc)
|
t.Logf("TestCase %q", desc)
|
||||||
config.Linux.SecurityContext.MaskedPaths = test.masked
|
config.Linux.SecurityContext.MaskedPaths = test.masked
|
||||||
config.Linux.SecurityContext.ReadonlyPaths = test.readonly
|
config.Linux.SecurityContext.ReadonlyPaths = test.readonly
|
||||||
|
config.Linux.SecurityContext.Privileged = test.privileged
|
||||||
|
sandboxConfig.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
|
||||||
|
Privileged: test.privileged,
|
||||||
|
}
|
||||||
spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
|
spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
specCheck(t, testID, testSandboxID, testPid, spec)
|
if !test.privileged { // specCheck presumes an unprivileged container
|
||||||
|
specCheck(t, testID, testSandboxID, testPid, spec)
|
||||||
|
}
|
||||||
assert.Equal(t, test.expectedMasked, spec.Linux.MaskedPaths)
|
assert.Equal(t, test.expectedMasked, spec.Linux.MaskedPaths)
|
||||||
assert.Equal(t, test.expectedReadonly, spec.Linux.ReadonlyPaths)
|
assert.Equal(t, test.expectedReadonly, spec.Linux.ReadonlyPaths)
|
||||||
}
|
}
|
||||||
|
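Review bot: The new line `sandboxConfig.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{Privileged: test.privileged}` replaces the whole sandbox security context on every iteration instead of setting one field, so any other fields the fixture puts on that context (if it sets any) are silently dropped for all cases, which is presumably not what the table is meant to vary. If the fixture's SecurityContext is non-nil, `sandboxConfig.Linux.SecurityContext.Privileged = test.privileged` would change only the field under test and mirror the container-side assignment just above it. Skipping specCheck for privileged cases also leaves the three new privileged cases with only the two path assertions, so a regression elsewhere in the privileged spec would pass here; a short comment stating that these cases cover only path filtering would make the reduced coverage explicit. The `privileged: false` entries added to the pre-existing cases are the bool zero value and could be omitted. TestMaskedAndReadonlyPaths begins before this hunk.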