Merge pull request #1240 from Random-Liu/fix-apparmor-privileged

Fix apparmor for privileged containers.
Lantao Liu 2019-08-20 10:13:28 -07:00 committed by GitHub
commit eed3956689
2 changed files with 18 additions and 10 deletions


@ -374,11 +374,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
if !c.config.DisableProcMount { if !c.config.DisableProcMount {
// Apply masked paths if specified. // Apply masked paths if specified.
// Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged() // If the container is privileged, this will be cleared later on.
specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths())) specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths()))
// Apply readonly paths if specified. // Apply readonly paths if specified.
// Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged() // If the container is privileged, this will be cleared later on.
specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths())) specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths()))
} }
@ -577,18 +577,17 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
return nil, nil return nil, nil
} }
switch apparmorProf { switch apparmorProf {
case runtimeDefault: // Based on kubernetes#51746, default apparmor profile should be applied
// for when apparmor is not specified.
case runtimeDefault, "":
if privileged {
// Do not set apparmor profile when container is privileged
return nil, nil
}
// TODO (mikebrow): delete created apparmor default profile // TODO (mikebrow): delete created apparmor default profile
return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
case unconfinedProfile: case unconfinedProfile:
return nil, nil return nil, nil
case "":
// Based on kubernetes#51746, default apparmor profile should be applied
// for non-privileged container when apparmor is not specified.
if privileged {
return nil, nil
}
return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
default: default:
// Require and Trim default profile name prefix // Require and Trim default profile name prefix
if !strings.HasPrefix(apparmorProf, profileNamePrefix) { if !strings.HasPrefix(apparmorProf, profileNamePrefix) {
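Review bot: The comment moved above `case runtimeDefault, "":` lost the "non-privileged" qualifier that the original `case ""` comment carried, even though the `if privileged` guard right below still implements it, so the comment no longer says why that guard exists. Suggest `// Based on kubernetes#51746, the default apparmor profile is applied to non-privileged containers when the profile is runtime/default or unspecified; privileged containers get no profile here.` It would also help to note at the `default:` case, which this hunk leaves unguarded, that an explicitly requested local profile is still applied to privileged containers (the added test case in the second file pins that), so the asymmetry reads as deliberate rather than an oversight. generateApparmorSpecOpts starts before this hunk.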


@ -1080,10 +1080,19 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
profile: runtimeDefault, profile: runtimeDefault,
specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName), specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),
}, },
"should not apparmor when apparmor is default and privileged is true": {
profile: runtimeDefault,
privileged: true,
},
"should set specified profile when local profile is specified": { "should set specified profile when local profile is specified": {
profile: profileNamePrefix + "test-profile", profile: profileNamePrefix + "test-profile",
specOpts: apparmor.WithProfile("test-profile"), specOpts: apparmor.WithProfile("test-profile"),
}, },
"should set apparmor when local profile is specified and privileged is true": {
profile: profileNamePrefix + "test-profile",
privileged: true,
specOpts: apparmor.WithProfile("test-profile"),
},
"should return error if specified profile is invalid": { "should return error if specified profile is invalid": {
profile: "test-profile", profile: "test-profile",
expectErr: true, expectErr: true,