Various security related fixes

Signed-off-by: Lantao Liu <lantaol@google.com>

pkg/server/container_create.go

@@ -180,7 +180,7 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint32, config *runtime.ContainerConfig,
 	sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, extraMounts []*runtime.Mount) (*runtimespec.Spec, error) {
 	// Creates a spec Generator with the default spec.
-	spec, err := containerd.GenerateSpec()
+	spec, err := containerd.GenerateSpec(context.Background(), nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -220,6 +220,9 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 	addOCIBindMounts(&g, append(extraMounts, config.GetMounts()...))
 
 	if securityContext.GetPrivileged() {
+		if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
+			return nil, fmt.Errorf("no privileged container allowed in sandbox")
+		}
 		if err := setOCIPrivileged(&g, config); err != nil {
 			return nil, err
 		}
@@ -233,14 +236,15 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 				securityContext.GetCapabilities(), err)
 		}
 
-		// TODO(random-liu): [P1] Set selinux options.
-
 		// TODO(random-liu): [P2] Add apparmor and seccomp.
 
-		// TODO: Figure out whether we should set no new privilege for sandbox container by default
-		g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
 	}
 
+	// TODO: Figure out whether we should set no new privilege for sandbox container by default
+	g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
+
+	// TODO(random-liu): [P1] Set selinux options.
+
 	g.SetRootReadonly(securityContext.GetReadonlyRootfs())
 
 	setOCILinuxResource(&g, config.GetLinux().GetResources())

pkg/server/sandbox_run.go

@@ -213,7 +213,7 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 	imageConfig *imagespec.ImageConfig, nsPath string) (*runtimespec.Spec, error) {
 	// Creates a spec Generator with the default spec.
 	// TODO(random-liu): [P1] Compare the default settings with docker and containerd default.
-	spec, err := containerd.GenerateSpec()
+	spec, err := containerd.GenerateSpec(context.Background(), nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -256,7 +256,8 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 	// TODO(random-liu): [P2] Set default cgroup path if cgroup parent is not specified.
 
 	// Set namespace options.
-	nsOptions := config.GetLinux().GetSecurityContext().GetNamespaceOptions()
+	securityContext := config.GetLinux().GetSecurityContext()
+	nsOptions := securityContext.GetNamespaceOptions()
 	if nsOptions.GetHostNetwork() {
 		g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace)) // nolint: errcheck
 	} else {
@@ -273,11 +274,16 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 
 	// TODO(random-liu): [P1] Apply SeLinux options.
 
-	// TODO(random-liu): [P1] Set user.
+	// TODO(random-liu): [P1] Set username.
+	runAsUser := securityContext.GetRunAsUser()
+	if runAsUser != nil {
+		g.SetProcessUID(uint32(runAsUser.GetValue()))
+	}
 
-	// TODO(random-liu): [P1] Set supplemental group.
-
-	// TODO(random-liu): [P1] Set privileged.
+	supplementalGroups := securityContext.GetSupplementalGroups()
+	for _, group := range supplementalGroups {
+		g.AddProcessAdditionalGid(uint32(group))
+	}
 
 	// Add sysctls
 	sysctls := config.GetLinux().GetSysctls()