
Commit 3e4cec8

committed
Add MaskedPaths and ReadonlyPaths support.
Signed-off-by: Lantao Liu <[email protected]>
1 parent 4a65865 commit 3e4cec8

2 files changed

+60
-1
lines changed


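--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -355,6 +355,24 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 return nil, errors.Wrapf(err, "failed to set OCI bind mounts %+v", mounts)
 }
 
+// Apply masked paths if specified.
+// When `MaskedPaths` is not specified, keep runtime default for backward compatibility;
+// When `MaskedPaths` is specified, but length is zero, clear masked path list.
+if securityContext.GetMaskedPaths() != nil {
+g.Config.Linux.MaskedPaths = nil
+for _, path := range securityContext.GetMaskedPaths() {
+g.AddLinuxMaskedPaths(path)
+}
+}
+
+// Apply readonly paths if specified.
+if securityContext.GetReadonlyPaths() != nil {
+g.Config.Linux.ReadonlyPaths = nil
+for _, path := range securityContext.GetReadonlyPaths() {
+g.AddLinuxReadonlyPaths(path)
+}
+}
+
 if securityContext.GetPrivileged() {
 if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
 return nil, errors.New("no privileged container allowed in sandbox")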
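Review bot: `g.Config.Linux.MaskedPaths = nil` (and the matching `g.Config.Linux.ReadonlyPaths = nil`) writes the generator's config struct directly, so it dereferences `g.Config.Linux` without a nil check, whereas the `AddLinuxMaskedPaths`/`AddLinuxReadonlyPaths` calls in the same loops go through the generator, which presumably initializes that section on demand; if `g` can reach this point without a Linux section the reset panics before the helper would have created it, so either guard the reset on `g.Config.Linux != nil` or clear the lists through the generator as well. The readonly block implements the same nil-versus-empty semantics as the masked block but carries no comment saying so; suggest `// Same semantics as MaskedPaths: nil keeps the runtime default, an empty list clears it.` above `if securityContext.GetReadonlyPaths() != nil {`. Since an empty list drops the runtime's default masked and readonly sets entirely, it is also worth a sentence in that comment noting that this is an explicit widening requested by the CRI client, so a reader does not take the cleared list for a default. generateContainerSpec begins before and ends after this hunk.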

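--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -248,7 +248,6 @@ func TestContainerCapabilities(t *testing.T) {
 spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
 require.NoError(t, err)
 specCheck(t, testID, testSandboxID, testPid, spec)
-t.Log(spec.Process.Capabilities.Bounding)
 for _, include := range test.includes {
 assert.Contains(t, spec.Process.Capabilities.Bounding, include)
 assert.Contains(t, spec.Process.Capabilities.Effective, include)
@@ -913,3 +912,45 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 }
 }
 }
+
+func TestMaskedAndReadonlyPaths(t *testing.T) {
+testID := "test-id"
+testSandboxID := "sandbox-id"
+testPid := uint32(1234)
+config, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+c := newTestCRIService()
+defaultSpec, err := defaultRuntimeSpec(testID)
+require.NoError(t, err)
+for desc, test := range map[string]struct {
+masked []string
+readonly []string
+expectedMasked []string
+expectedReadonly []string
+}{
+"should apply default if not specified": {
+expectedMasked: defaultSpec.Linux.MaskedPaths,
+expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
+},
+"should be able to specify empty paths": {
+masked: []string{},
+readonly: []string{},
+expectedMasked: nil,
+expectedReadonly: nil,
+},
+"should apply CRI specified paths": {
+masked: []string{"/proc"},
+readonly: []string{"/sys"},
+expectedMasked: []string{"/proc"},
+expectedReadonly: []string{"/sys"},
+},
+} {
+t.Logf("TestCase %q", desc)
+config.Linux.SecurityContext.MaskedPaths = test.masked
+config.Linux.SecurityContext.ReadonlyPaths = test.readonly
+spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
+require.NoError(t, err)
+specCheck(t, testID, testSandboxID, testPid, spec)
+assert.Equal(t, test.expectedMasked, spec.Linux.MaskedPaths)
+assert.Equal(t, test.expectedReadonly, spec.Linux.ReadonlyPaths)
+}
+}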
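Review bot: The table in TestMaskedAndReadonlyPaths never sets only one of the two lists, so every case exercises the masked and readonly branches in lockstep and a regression that coupled them (for example clearing the readonly list whenever masked paths are given) would still pass; add a mixed case such as `masked: []string{"/proc"}` with `readonly` left nil and `expectedReadonly: defaultSpec.Linux.ReadonlyPaths`, and the mirror of it. The cases also only assert exact equality against the defaults, which is right, but a case where the CRI list repeats a path would document whether duplicates are passed through to the spec unchanged. As a point of style, `t.Run(desc, ...)` subtests would attribute a failure to its case name directly instead of relying on the preceding `t.Logf`. TestContainerCapabilities in the first hunk begins before and ends after that hunk.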
