authorMatthew Heon <mheon@redhat.com>2019-07-16 15:00:41 -0400
committerMatthew Heon <mheon@redhat.com>2019-07-17 16:48:38 -0400
commitc91bc31570f1fab616e10d0e2b4a6c8b7fe631c7 (patch)
tree912709f28548ec28002786bd5c9a32904538ee7e
parent156b6ef22230b296a06b50196e0191d191e15749 (diff)
Populate inspect with security-opt settings
We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not). Signed-off-by: Matthew Heon <mheon@redhat.com>
-rw-r--r--libpod/container_inspect.go32
-rw-r--r--pkg/spec/spec.go19
2 files changed, 50 insertions, 1 deletions
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 7273a9005..c4d2af66e 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -58,6 +58,24 @@ const (
// If an annotation with this key is found in the OCI spec, it will be
// used in the output of Inspect().
InspectAnnotationInit = "io.podman.annotations.init"
+ // InspectAnnotationLabel is used by Inspect to identify containers with
+ // special SELinux-related settings. It is used to populate the output
+ // of the SecurityOpt setting.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationLabel = "io.podman.annotations.label"
+ // InspectAnnotationSeccomp is used by Inspect to identify containers
+ // with special Seccomp-related settings. It is used to populate the
+ // output of the SecurityOpt setting in Inspect.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationSeccomp = "io.podman.annotations.seccomp"
+ // InspectAnnotationApparmor is used by Inspect to identify containers
+ // with special Apparmor-related settings. It is used to populate the
+ // output of the SecurityOpt setting.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationApparmor = "io.podman.annotations.apparmor"
// InspectResponseTrue is a boolean True response for an inspect
// annotation.
@@ -275,7 +293,6 @@ type InspectContainerHostConfig struct {
ReadonlyRootfs bool `json:"ReadonlyRootfs"`
// SecurityOpt is a list of security-related options that are set in the
// container.
- // TODO.
SecurityOpt []string `json:"SecurityOpt"`
// Tmpfs is a list of tmpfs filesystems that will be mounted into the
// container.
@@ -965,10 +982,14 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
hostConfig.GroupAdd = append(hostConfig.GroupAdd, group)
}
+ hostConfig.SecurityOpt = []string{}
if ctrSpec.Process != nil {
if ctrSpec.Process.OOMScoreAdj != nil {
hostConfig.OomScoreAdj = *ctrSpec.Process.OOMScoreAdj
}
+ if ctrSpec.Process.NoNewPrivileges {
+ hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges")
+ }
}
hostConfig.ReadonlyRootfs = ctrSpec.Root.Readonly
@@ -995,6 +1016,15 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
if ctrSpec.Annotations[InspectAnnotationInit] == InspectResponseTrue {
hostConfig.Init = true
}
+ if label, ok := ctrSpec.Annotations[InspectAnnotationLabel]; ok {
+ hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("label=%s", label))
+ }
+ if seccomp, ok := ctrSpec.Annotations[InspectAnnotationSeccomp]; ok {
+ hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("seccomp=%s", seccomp))
+ }
+ if apparmor, ok := ctrSpec.Annotations[InspectAnnotationApparmor]; ok {
+ hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("apparmor=%s", apparmor))
+ }
}
// Resource limits
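Review bot: The label/seccomp/apparmor entries appended at L72–L80 are echoed verbatim from create-time annotations, so the inspect output reports the option string that was requested rather than what the container's spec actually carries, and a container whose spec was produced without those annotations shows no entry even when a label or profile is set. The same `ctrSpec` already carries the OCI `Process.SelinuxLabel` and `Process.ApparmorProfile` fields, which look usable as a fallback when the annotation is absent, or at least as a cross-check; the seccomp file path cannot be recovered from the spec, as the commit message notes. A comment above the block such as `// SecurityOpt reflects the options recorded at create time, not the policy in effect at runtime.` would make that limitation explicit to readers of the output. generateInspectContainerHostConfig starts outside the hunk.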
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index ca627f3aa..41054633f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -455,6 +455,25 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
configSpec.Annotations[libpod.InspectAnnotationInit] = libpod.InspectResponseFalse
}
+ for _, opt := range config.SecurityOpts {
+ // Split on both : and =
+ splitOpt := strings.Split(opt, "=")
+ if len(splitOpt) == 1 {
+ splitOpt = strings.Split(opt, ":")
+ }
+ if len(splitOpt) < 2 {
+ continue
+ }
+ switch splitOpt[0] {
+ case "label":
+ configSpec.Annotations[libpod.InspectAnnotationLabel] = splitOpt[1]
+ case "seccomp":
+ configSpec.Annotations[libpod.InspectAnnotationSeccomp] = splitOpt[1]
+ case "apparmor":
+ configSpec.Annotations[libpod.InspectAnnotationApparmor] = splitOpt[1]
+ }
+ }
+
return configSpec, nil
}
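Review bot: The fallback split on `:` at L94 truncates any option whose value itself contains a colon: `label:type:spc_t` splits into four parts and only `type` is stored in the annotation, and the first split at L92 loses data the same way when the value contains an `=`. Both splits should stop after the first separator — `splitOpt := strings.SplitN(opt, "=", 2)` and `splitOpt = strings.SplitN(opt, ":", 2)` — so the full value is recorded and later read back by inspect as written. The comment `// Split on both : and =` also overstates what the code does; `// Accept key=value, falling back to the legacy key:value form` matches it. createConfigToOCISpec starts outside the hunk.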