Merge pull request #4952 from crosbymichael/label-etc-files

estesp · web-flow · commit 1230bd63031b · 2021-01-19T16:21:35.000-05:00
[cri] label etc files for selinux containers
diff --git a/pkg/cri/opts/spec_linux.go b/pkg/cri/opts/spec_linux.go
@@ -242,6 +242,30 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
 	}
 }
 
+const (
+	etcHosts       = "/etc/hosts"
+	etcHostname    = "/etc/hostname"
+	resolvConfPath = "/etc/resolv.conf"
+)
+
+// WithRelabeledContainerMounts relabels the default container mounts for files in /etc
+func WithRelabeledContainerMounts(mountLabel string) oci.SpecOpts {
+	return func(ctx context.Context, client oci.Client, _ *containers.Container, s *runtimespec.Spec) (err error) {
+		if mountLabel == "" {
+			return nil
+		}
+		for _, m := range s.Mounts {
+			switch m.Destination {
+			case etcHosts, etcHostname, resolvConfPath:
+				if err := label.Relabel(m.Source, mountLabel, false); err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+	}
+}
+
 // Ensure mount point on which path is mounted, is shared.
 func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error {
 	mountInfo, err := lookupMount(path)
diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
@@ -183,7 +183,7 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 		}
 	}()
 
-	specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
+	specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel))
 
 	if !c.config.DisableProcMount {
 		// Apply masked paths if specified.

Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,7 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3`
`183`	`183`	`}`
`184`	`184`	`}()`
`185`	`185`
`186`		`- specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))`
	`186`	`+ specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel))`
`187`	`187`
`188`	`188`	`if !c.config.DisableProcMount {`
`189`	`189`	`// Apply masked paths if specified.`