github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Various security related fixes

Browse Source 
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
Lantao Liu 2017-08-24 21:52:30 +00:00
parent 8d1b737480
commit e1f74f00a5
2 changed files with 21 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pkg/server/container_create.go
View File

@ -180,7 +180,7 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint32, config *runtime.ContainerConfig, func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint32, config *runtime.ContainerConfig,
sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, extraMounts []*runtime.Mount) (*runtimespec.Spec, error) { sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, extraMounts []*runtime.Mount) (*runtimespec.Spec, error) {
// Creates a spec Generator with the default spec. // Creates a spec Generator with the default spec.
spec, err := containerd.GenerateSpec() spec, err := containerd.GenerateSpec(context.Background(), nil, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -220,6 +220,9 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
addOCIBindMounts(&g, append(extraMounts, config.GetMounts()...)) addOCIBindMounts(&g, append(extraMounts, config.GetMounts()...))
if securityContext.GetPrivileged() { if securityContext.GetPrivileged() {
if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
return nil, fmt.Errorf("no privileged container allowed in sandbox")
}
if err := setOCIPrivileged(&g, config); err != nil { if err := setOCIPrivileged(&g, config); err != nil {
return nil, err return nil, err
} }
@ -233,13 +236,14 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
securityContext.GetCapabilities(), err) securityContext.GetCapabilities(), err)
} }
// TODO(random-liu): [P1] Set selinux options.
// TODO(random-liu): [P2] Add apparmor and seccomp. // TODO(random-liu): [P2] Add apparmor and seccomp.
}
// TODO: Figure out whether we should set no new privilege for sandbox container by default // TODO: Figure out whether we should set no new privilege for sandbox container by default
g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs()) g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
}
// TODO(random-liu): [P1] Set selinux options.
g.SetRootReadonly(securityContext.GetReadonlyRootfs()) g.SetRootReadonly(securityContext.GetReadonlyRootfs())

18
pkg/server/sandbox_run.go
View File

@ -213,7 +213,7 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
imageConfig *imagespec.ImageConfig, nsPath string) (*runtimespec.Spec, error) { imageConfig *imagespec.ImageConfig, nsPath string) (*runtimespec.Spec, error) {
// Creates a spec Generator with the default spec. // Creates a spec Generator with the default spec.
// TODO(random-liu): [P1] Compare the default settings with docker and containerd default. // TODO(random-liu): [P1] Compare the default settings with docker and containerd default.
spec, err := containerd.GenerateSpec() spec, err := containerd.GenerateSpec(context.Background(), nil, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -256,7 +256,8 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
// TODO(random-liu): [P2] Set default cgroup path if cgroup parent is not specified. // TODO(random-liu): [P2] Set default cgroup path if cgroup parent is not specified.
// Set namespace options. // Set namespace options.
nsOptions := config.GetLinux().GetSecurityContext().GetNamespaceOptions() securityContext := config.GetLinux().GetSecurityContext()
nsOptions := securityContext.GetNamespaceOptions()
if nsOptions.GetHostNetwork() { if nsOptions.GetHostNetwork() {
g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace)) // nolint: errcheck g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace)) // nolint: errcheck
} else { } else {
@ -273,11 +274,16 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
// TODO(random-liu): [P1] Apply SeLinux options. // TODO(random-liu): [P1] Apply SeLinux options.
// TODO(random-liu): [P1] Set user. // TODO(random-liu): [P1] Set username.
runAsUser := securityContext.GetRunAsUser()
if runAsUser != nil {
g.SetProcessUID(uint32(runAsUser.GetValue()))
}
// TODO(random-liu): [P1] Set supplemental group. supplementalGroups := securityContext.GetSupplementalGroups()
for _, group := range supplementalGroups {
// TODO(random-liu): [P1] Set privileged. g.AddProcessAdditionalGid(uint32(group))
}
// Add sysctls // Add sysctls
sysctls := config.GetLinux().GetSysctls() sysctls := config.GetLinux().GetSysctls()