
Commit b582da4

Set masked and readonly paths based on default Unix spec
The default values of masked and readonly paths are defined in populateDefaultUnixSpec and are used when a sandbox is created. They are not, however, used for new containers: if a container definition does not contain a security context specifying masked/readonly paths, a container created from it has no masked or readonly paths at all. This patch applies the default values to the masked and readonly paths of a new container whenever no specific values are specified. Fixes #1569 Signed-off-by: Yohei Ueda <[email protected]>
1 parent 35e623e commit b582da4

2 files changed

Lines changed: 9 additions & 5 deletions


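--- a/pkg/server/container_create_unix.go
+++ b/pkg/server/container_create_unix.go
@@ -182,11 +182,15 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 if !c.config.DisableProcMount {
 // Apply masked paths if specified.
 // If the container is privileged, this will be cleared later on.
-specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths()))
+if maskedPaths := securityContext.GetMaskedPaths(); maskedPaths != nil {
+specOpts = append(specOpts, oci.WithMaskedPaths(maskedPaths))
+}
 
 // Apply readonly paths if specified.
 // If the container is privileged, this will be cleared later on.
-specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths()))
+if readonlyPaths := securityContext.GetReadonlyPaths(); readonlyPaths != nil {
+specOpts = append(specOpts, oci.WithReadonlyPaths(readonlyPaths))
+}
 }
 
 if securityContext.GetPrivileged() {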
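Review bot: The `maskedPaths != nil` test on the new `if` line relies on an unset field being distinguishable from an explicitly empty list, and nothing in the hunk shows that this distinction survives the CRI wire format — in proto3 an empty repeated field is not encoded, so a client that sends an empty list to request no masking will most likely decode as nil and now receive the defaults instead. That is the fail-safe direction (more paths masked, not fewer), but the "should be able to specify empty paths" case in the accompanying unit test only exercises the in-process struct, so the intent deserves a comment above the new `if`: `// nil means the field was not set, so the masked paths from populateDefaultUnixSpec are left in place; an explicit empty list may decode as nil from the wire.` The same note applies to the readonly-paths branch a few lines below. containerSpec begins and ends outside the hunk.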

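--- a/pkg/server/container_create_unix_test.go
+++ b/pkg/server/container_create_unix_test.go
@@ -959,12 +959,12 @@ func TestMaskedAndReadonlyPaths(t *testing.T) {
 expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
 privileged: false,
 },
-"should always apply CRI specified paths when disable_proc_mount = false": {
+"should apply default if not specified when disable_proc_mount = false": {
 disableProcMount: false,
 masked: nil,
 readonly: nil,
-expectedMasked: nil,
-expectedReadonly: nil,
+expectedMasked: defaultSpec.Linux.MaskedPaths,
+expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
 privileged: false,
 },
 "should be able to specify empty paths": {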
