From e1f74f00a5fbb4830476651168eb56f7f01933f1 Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Thu, 24 Aug 2017 21:52:30 +0000
Subject: [PATCH] Various security related fixes
Signed-off-by: Lantao Liu
---
 pkg/server/container_create.go | 14 +++++++++-----
 pkg/server/sandbox_run.go | 18 ++++++++++++------
 2 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index 8cc74b5c5..bc617bf6d 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -180,7 +180,7 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint32, config *runtime.ContainerConfig, sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, extraMounts []*runtime.Mount) (*runtimespec.Spec, error) {
 // Creates a spec Generator with the default spec.
- spec, err := containerd.GenerateSpec()
+ spec, err := containerd.GenerateSpec(context.Background(), nil, nil)
 if err != nil {
 return nil, err
 }
@@ -220,6 +220,9 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 addOCIBindMounts(&g, append(extraMounts, config.GetMounts()...))
 if securityContext.GetPrivileged() {
+ if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
+ return nil, fmt.Errorf("no privileged container allowed in sandbox")
+ }
 if err := setOCIPrivileged(&g, config); err != nil {
 return nil, err
 }
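Review bot: `containerd.GenerateSpec(context.Background(), nil, nil)` in generateContainerSpec discards the request context even though CreateContainer, the function named in the hunk header and presumably the caller, already receives a `ctx context.Context`; the @@ -213 hunk in sandbox_run.go does the same in generateSandboxContainerSpec. What GenerateSpec does with the context is not visible here, so this may be harmless today, but a fresh background context means spec generation can never observe the request's cancellation or deadline. Threading the caller's context through is a small signature change: `func (c *criContainerdService) generateContainerSpec(ctx context.Context, id string, sandboxPid uint32, ...)` and `spec, err := containerd.GenerateSpec(ctx, nil, nil)`. generateContainerSpec opens in this hunk but its body continues well past it.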
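Review bot: The new guard in the privileged branch rejects a privileged container unless the pod sandbox is itself privileged, but the message `"no privileged container allowed in sandbox"` reads as if privileged containers were never permitted and names neither the container nor the reason, which makes the rejection hard to act on from the kubelet side. Suggest `return nil, fmt.Errorf("privileged container %q is not allowed in a non-privileged sandbox", id)` (id is a parameter of the enclosing function) plus a why-comment above the check such as `// A container must never be more privileged than the sandbox it runs in.`. The enclosing function continues beyond this hunk on both sides.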
@@ -233,14 +236,15 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 securityContext.GetCapabilities(), err)
 }
- // TODO(random-liu): [P1] Set selinux options.
- // TODO(random-liu): [P2] Add apparmor and seccomp.
- // TODO: Figure out whether we should set no new privilege for sandbox container by default
- g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
 }
+ // TODO: Figure out whether we should set no new privilege for sandbox container by default
+ g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
+
+ // TODO(random-liu): [P1] Set selinux options.
+
 g.SetRootReadonly(securityContext.GetReadonlyRootfs())
 setOCILinuxResource(&g, config.GetLinux().GetResources())
diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go
index f01be8458..944a62732 100644
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@@ -213,7 +213,7 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 imageConfig *imagespec.ImageConfig, nsPath string) (*runtimespec.Spec, error) {
 // Creates a spec Generator with the default spec.
 // TODO(random-liu): [P1] Compare the default settings with docker and containerd default.
- spec, err := containerd.GenerateSpec()
+ spec, err := containerd.GenerateSpec(context.Background(), nil, nil)
 if err != nil {
 return nil, err
 }
@@ -256,7 +256,8 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 // TODO(random-liu): [P2] Set default cgroup path if cgroup parent is not specified.
 // Set namespace options.
- nsOptions := config.GetLinux().GetSecurityContext().GetNamespaceOptions()
+ securityContext := config.GetLinux().GetSecurityContext()
+ nsOptions := securityContext.GetNamespaceOptions()
 if nsOptions.GetHostNetwork() {
 g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace)) // nolint: errcheck
 } else {
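Review bot: The removed line `// TODO(random-liu): [P2] Add apparmor and seccomp.` has no counterpart among the added lines, so the reminder that no AppArmor or seccomp profile is applied to the container silently disappears while nothing in this hunk implements it; the selinux and no-new-privs TODOs were re-added, this one was not. Restore it beside the selinux TODO, e.g. `// TODO(random-liu): [P2] Add apparmor and seccomp.`, so the missing hardening stays visible to the next reader. It also appears that SetProcessNoNewPrivileges and SetRootReadonly now run for privileged containers as well, since the removed call sat inside the block closed by the following `}`; that looks intended but deserves a one-line comment saying so. The enclosing function continues outside the hunk on both sides.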
@@ -273,11 +274,16 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 // TODO(random-liu): [P1] Apply SeLinux options.
- // TODO(random-liu): [P1] Set user.
+ // TODO(random-liu): [P1] Set username.
+ runAsUser := securityContext.GetRunAsUser()
+ if runAsUser != nil {
+ g.SetProcessUID(uint32(runAsUser.GetValue()))
+ }
- // TODO(random-liu): [P1] Set supplemental group.
-
- // TODO(random-liu): [P1] Set privileged.
+ supplementalGroups := securityContext.GetSupplementalGroups()
+ for _, group := range supplementalGroups {
+ g.AddProcessAdditionalGid(uint32(group))
+ }
 // Add sysctls
 sysctls := config.GetLinux().GetSysctls()