Various security related fixes
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
Lantao Liu
parent
8d1b737480
commit
e1f74f00a5
@ -180,7 +180,7 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
|
||||
func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint32, config *runtime.ContainerConfig,
|
||||
sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, extraMounts []*runtime.Mount) (*runtimespec.Spec, error) {
|
||||
// Creates a spec Generator with the default spec.
|
||||
spec, err := containerd.GenerateSpec()
|
||||
spec, err := containerd.GenerateSpec(context.Background(), nil, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -220,6 +220,9 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
|
||||
addOCIBindMounts(&g, append(extraMounts, config.GetMounts()...))
|
||||
|
||||
if securityContext.GetPrivileged() {
|
||||
if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
|
||||
return nil, fmt.Errorf("no privileged container allowed in sandbox")
|
||||
}
|
||||
if err := setOCIPrivileged(&g, config); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -233,14 +236,15 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
|
||||
securityContext.GetCapabilities(), err)
|
||||
}
|
||||
|
||||
// TODO(random-liu): [P1] Set selinux options.
|
||||
|
||||
// TODO(random-liu): [P2] Add apparmor and seccomp.
|
||||
|
||||
// TODO: Figure out whether we should set no new privilege for sandbox container by default
|
||||
g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
|
||||
}
|
||||
|
||||
// TODO: Figure out whether we should set no new privilege for sandbox container by default
|
||||
g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
|
||||
|
||||
// TODO(random-liu): [P1] Set selinux options.
|
||||
|
||||
g.SetRootReadonly(securityContext.GetReadonlyRootfs())
|
||||
|
||||
setOCILinuxResource(&g, config.GetLinux().GetResources())
|
||||
|
||||
@ -213,7 +213,7 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
|
||||
imageConfig *imagespec.ImageConfig, nsPath string) (*runtimespec.Spec, error) {
|
||||
// Creates a spec Generator with the default spec.
|
||||
// TODO(random-liu): [P1] Compare the default settings with docker and containerd default.
|
||||
spec, err := containerd.GenerateSpec()
|
||||
spec, err := containerd.GenerateSpec(context.Background(), nil, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -256,7 +256,8 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
|
||||
// TODO(random-liu): [P2] Set default cgroup path if cgroup parent is not specified.
|
||||
|
||||
// Set namespace options.
|
||||
nsOptions := config.GetLinux().GetSecurityContext().GetNamespaceOptions()
|
||||
securityContext := config.GetLinux().GetSecurityContext()
|
||||
nsOptions := securityContext.GetNamespaceOptions()
|
||||
if nsOptions.GetHostNetwork() {
|
||||
g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace)) // nolint: errcheck
|
||||
} else {
|
||||
@ -273,11 +274,16 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
|
||||
|
||||
// TODO(random-liu): [P1] Apply SeLinux options.
|
||||
|
||||
// TODO(random-liu): [P1] Set user.
|
||||
// TODO(random-liu): [P1] Set username.
|
||||
runAsUser := securityContext.GetRunAsUser()
|
||||
if runAsUser != nil {
|
||||
g.SetProcessUID(uint32(runAsUser.GetValue()))
|
||||
}
|
||||
|
||||
// TODO(random-liu): [P1] Set supplemental group.
|
||||
|
||||
// TODO(random-liu): [P1] Set privileged.
|
||||
supplementalGroups := securityContext.GetSupplementalGroups()
|
||||
for _, group := range supplementalGroups {
|
||||
g.AddProcessAdditionalGid(uint32(group))
|
||||
}
|
||||
|
||||
// Add sysctls
|
||||
sysctls := config.GetLinux().GetSysctls()
|
||||
|
||||
Loading…
Reference in New Issue
Block a user