diff options
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-02-28 00:45:13 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-02-28 00:45:13 +0100 |
| commit | 6f0dbd004fecadb6d0d07bb8012231d25d61684f (patch) | |
| tree | 1cf9c7e91e1d3cf23295b68b725310166e047721 | |
| parent | cd060d0b54cbe4f4db1f62f7b7e904ede378f08f (diff) | |
| parent | 80bad464f911c236bea121b343d23a8d165fc933 (diff) | |
| download | podman-6f0dbd004fecadb6d0d07bb8012231d25d61684f.tar.gz podman-6f0dbd004fecadb6d0d07bb8012231d25d61684f.tar.bz2 podman-6f0dbd004fecadb6d0d07bb8012231d25d61684f.zip | |
Merge pull request #2474 from giuseppe/fix-fips-mode-with-namespaces
secrets: fix fips-mode with user namespaces
| -rw-r--r-- | pkg/secrets/secrets.go | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go index 242953609..3b64f8952 100644 --- a/pkg/secrets/secrets.go +++ b/pkg/secrets/secrets.go @@ -8,6 +8,7 @@ import ( "strings" "github.com/containers/libpod/pkg/rootless" + "github.com/containers/storage/pkg/idtools" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" @@ -176,7 +177,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre // Add FIPS mode secret if /etc/system-fips exists on the host _, err := os.Stat("/etc/system-fips") if err == nil { - if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil { + if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil { logrus.Errorf("error adding FIPS mode secret to container: %v", err) } } else if os.IsNotExist(err) { @@ -264,13 +265,16 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr // root filesystem if /etc/system-fips exists on hosts. // This enables the container to be FIPS compliant and run openssl in // FIPS mode as the host is also in FIPS mode. -func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error { +func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error { secretsDir := "/run/secrets" ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir) if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) { - if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil { + if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil { return errors.Wrapf(err, "making container directory on host failed") } + if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil { + return errors.Wrap(err, "error applying correct labels") + } } fipsFile := filepath.Join(ctrDirOnHost, "system-fips") // In the event of restart, it is possible for the FIPS mode file to already exist @@ -284,7 +288,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error if !mountExists(*mounts, secretsDir) { m := rspec.Mount{ - Source: ctrDirOnHost, + Source: filepath.Join(mountPrefix, secretsDir), Destination: secretsDir, Type: "bind", Options: []string{"bind", "rprivate"}, |