
Commit 9b03039

only relabel cri managed host mounts
Co-authored-by: Samuel Karp <[email protected]> Signed-off-by: Michael Crosby <[email protected]> Signed-off-by: Samuel Karp <[email protected]>
1 parent 432ddec commit 9b03039

3 files changed

Lines changed: 57 additions & 67 deletions


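--- a/pkg/cri/opts/spec_linux.go
+++ b/pkg/cri/opts/spec_linux.go
@@ -224,30 +224,6 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
 }
 }
 
-const (
-etcHosts = "/etc/hosts"
-etcHostname = "/etc/hostname"
-resolvConfPath = "/etc/resolv.conf"
-)
-
-// WithRelabeledContainerMounts relabels the default container mounts for files in /etc
-func WithRelabeledContainerMounts(mountLabel string) oci.SpecOpts {
-return func(ctx context.Context, client oci.Client, _ *containers.Container, s *runtimespec.Spec) (err error) {
-if mountLabel == "" {
-return nil
-}
-for _, m := range s.Mounts {
-switch m.Destination {
-case etcHosts, etcHostname, resolvConfPath:
-if err := label.Relabel(m.Source, mountLabel, false); err != nil {
-return err
-}
-}
-}
-return nil
-}
-}
-
 // Ensure mount point on which path is mounted, is shared.
 func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error {
 mountInfo, err := lookupMount(path)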

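--- a/pkg/cri/server/container_create_linux.go
+++ b/pkg/cri/server/container_create_linux.go
@@ -68,28 +68,31 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 hostpath := c.getSandboxHostname(sandboxID)
 if _, err := c.os.Stat(hostpath); err == nil {
 mounts = append(mounts, &runtime.Mount{
-ContainerPath: etcHostname,
-HostPath: hostpath,
-Readonly: securityContext.GetReadonlyRootfs(),
+ContainerPath: etcHostname,
+HostPath: hostpath,
+Readonly: securityContext.GetReadonlyRootfs(),
+SelinuxRelabel: true,
 })
 }
 }
 
 if !isInCRIMounts(etcHosts, config.GetMounts()) {
 mounts = append(mounts, &runtime.Mount{
-ContainerPath: etcHosts,
-HostPath: c.getSandboxHosts(sandboxID),
-Readonly: securityContext.GetReadonlyRootfs(),
+ContainerPath: etcHosts,
+HostPath: c.getSandboxHosts(sandboxID),
+Readonly: securityContext.GetReadonlyRootfs(),
+SelinuxRelabel: true,
 })
 }
 
 // Mount sandbox resolv.config.
 // TODO: Need to figure out whether we should always mount it as read-only
 if !isInCRIMounts(resolvConfPath, config.GetMounts()) {
 mounts = append(mounts, &runtime.Mount{
-ContainerPath: resolvConfPath,
-HostPath: c.getResolvPath(sandboxID),
-Readonly: securityContext.GetReadonlyRootfs(),
+ContainerPath: resolvConfPath,
+HostPath: c.getResolvPath(sandboxID),
+Readonly: securityContext.GetReadonlyRootfs(),
+SelinuxRelabel: true,
 })
 }
 
@@ -192,7 +195,7 @@ func (c *criService) containerSpec(
 }
 }()
 
-specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel))
+specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
 
 if !c.config.DisableProcMount {
 // Change the default masked/readonly paths to empty slices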
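Review bot: The removed WithRelabeledContainerMounts option relabeled with `label.Relabel(m.Source, mountLabel, false)`, i.e. a non-shared label, and the second hunk now relies on WithMounts honouring `SelinuxRelabel: true` instead; whether WithMounts relabels these sources with the same non-shared setting is not visible here and should be confirmed, since a shared label on the sandbox-private hostname/hosts/resolv.conf files would be a behaviour change. Setting SelinuxRelabel only on the three mounts built in containerMounts (first hunk) does narrow relabeling to sandbox-owned files rather than any mount whose destination happens to be /etc/hosts, /etc/hostname or /etc/resolv.conf, which matches the commit's stated intent, but nothing in the code records why. A one-line comment above the first `SelinuxRelabel: true,` would keep that reasoning with the code: `// Only the sandbox-owned copy is relabeled; a mount the config supplies at this path is skipped above and keeps its own setting.` Both containerMounts and containerSpec start and end outside these hunks.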

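--- a/pkg/cri/server/container_create_linux_test.go
+++ b/pkg/cri/server/container_create_linux_test.go
@@ -452,19 +452,22 @@ func TestContainerMounts(t *testing.T) {
 },
 expectedMounts: []*runtime.Mount{
 {
-ContainerPath: "/etc/hostname",
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
-Readonly: true,
+ContainerPath: "/etc/hostname",
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
+Readonly: true,
+SelinuxRelabel: true,
 },
 {
-ContainerPath: "/etc/hosts",
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
-Readonly: true,
+ContainerPath: "/etc/hosts",
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
+Readonly: true,
+SelinuxRelabel: true,
 },
 {
-ContainerPath: resolvConfPath,
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
-Readonly: true,
+ContainerPath: resolvConfPath,
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
+Readonly: true,
+SelinuxRelabel: true,
 },
 {
 ContainerPath: "/dev/shm",
@@ -478,19 +481,22 @@ func TestContainerMounts(t *testing.T) {
 securityContext: &runtime.LinuxContainerSecurityContext{},
 expectedMounts: []*runtime.Mount{
 {
-ContainerPath: "/etc/hostname",
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
-Readonly: false,
+ContainerPath: "/etc/hostname",
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
+Readonly: false,
+SelinuxRelabel: true,
 },
 {
-ContainerPath: "/etc/hosts",
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
-Readonly: false,
+ContainerPath: "/etc/hosts",
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
+Readonly: false,
+SelinuxRelabel: true,
 },
 {
-ContainerPath: resolvConfPath,
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
-Readonly: false,
+ContainerPath: resolvConfPath,
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
+Readonly: false,
+SelinuxRelabel: true,
 },
 {
 ContainerPath: "/dev/shm",
@@ -506,19 +512,22 @@ func TestContainerMounts(t *testing.T) {
 },
 expectedMounts: []*runtime.Mount{
 {
-ContainerPath: "/etc/hostname",
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
-Readonly: false,
+ContainerPath: "/etc/hostname",
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
+Readonly: false,
+SelinuxRelabel: true,
 },
 {
-ContainerPath: "/etc/hosts",
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
-Readonly: false,
+ContainerPath: "/etc/hosts",
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
+Readonly: false,
+SelinuxRelabel: true,
 },
 {
-ContainerPath: resolvConfPath,
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
-Readonly: false,
+ContainerPath: resolvConfPath,
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
+Readonly: false,
+SelinuxRelabel: true,
 },
 {
 ContainerPath: "/dev/shm",
@@ -557,14 +566,16 @@ func TestContainerMounts(t *testing.T) {
 securityContext: &runtime.LinuxContainerSecurityContext{},
 expectedMounts: []*runtime.Mount{
 {
-ContainerPath: "/etc/hosts",
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
-Readonly: false,
+ContainerPath: "/etc/hosts",
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
+Readonly: false,
+SelinuxRelabel: true,
 },
 {
-ContainerPath: resolvConfPath,
-HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
-Readonly: false,
+ContainerPath: resolvConfPath,
+HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
+Readonly: false,
+SelinuxRelabel: true,
 },
 {
 ContainerPath: "/dev/shm",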
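Review bot: The updated expectations only assert the positive half of the change — that the sandbox-owned hostname, hosts and resolv.conf mounts now carry `SelinuxRelabel: true` — while no case in the four hunks asserts the negative half the commit title promises: that a mount the config itself supplies at /etc/hosts or /etc/resolv.conf is passed through without SelinuxRelabel being forced on it. The last hunk (expected mounts without /etc/hostname) looks like a config-supplied-hostname case, so adding a sibling case with a config-provided /etc/hosts mount whose SelinuxRelabel is false, and asserting it stays false, would pin the intended scoping against regression. TestContainerMounts starts and ends outside these hunks.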
