Merge pull request #1605 from dweomer/backport/1.4/selinux-relabel-dev-shm

estesp · web-flow · commit d3c9069794e6 · 2020-11-18T18:31:05.000-05:00
[release/1.4 backport] selinux: relabel /dev/shm
diff --git a/pkg/server/container_create_unix.go b/pkg/server/container_create_unix.go
@@ -101,9 +101,10 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 			sandboxDevShm = devShm
 		}
 		mounts = append(mounts, &runtime.Mount{
-			ContainerPath: devShm,
-			HostPath:      sandboxDevShm,
-			Readonly:      false,
+			ContainerPath:  devShm,
+			HostPath:       sandboxDevShm,
+			Readonly:       false,
+			SelinuxRelabel: sandboxDevShm != devShm,
 		})
 	}
 	return mounts
diff --git a/pkg/server/container_create_unix_test.go b/pkg/server/container_create_unix_test.go
@@ -457,9 +457,10 @@ func TestContainerMounts(t *testing.T) {
 					Readonly:      true,
 				},
 				{
-					ContainerPath: "/dev/shm",
-					HostPath:      filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
-					Readonly:      false,
+					ContainerPath:  "/dev/shm",
+					HostPath:       filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 			},
 		},
@@ -482,9 +483,10 @@ func TestContainerMounts(t *testing.T) {
 					Readonly:      false,
 				},
 				{
-					ContainerPath: "/dev/shm",
-					HostPath:      filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
-					Readonly:      false,
+					ContainerPath:  "/dev/shm",
+					HostPath:       filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 			},
 		},
@@ -555,9 +557,10 @@ func TestContainerMounts(t *testing.T) {
 					Readonly:      false,
 				},
 				{
-					ContainerPath: "/dev/shm",
-					HostPath:      filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
-					Readonly:      false,
+					ContainerPath:  "/dev/shm",
+					HostPath:       filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 			},
 		},

Original file line number	Diff line number	Diff line change
`@@ -101,9 +101,10 @@ func (c criService) containerMounts(sandboxID string, config runtime.Container`
`101`	`101`	`sandboxDevShm = devShm`
`102`	`102`	`}`
`103`	`103`	`mounts = append(mounts, &runtime.Mount{`
`104`		`- ContainerPath: devShm,`
`105`		`- HostPath: sandboxDevShm,`
`106`		`- Readonly: false,`
	`104`	`+ ContainerPath: devShm,`
	`105`	`+ HostPath: sandboxDevShm,`
	`106`	`+ Readonly: false,`
	`107`	`+ SelinuxRelabel: sandboxDevShm != devShm,`
`107`	`108`	`})`
`108`	`109`	`}`
`109`	`110`	`return mounts`