author | Valentin Rothberg <rothberg@redhat.com> | 2020-02-18 15:01:18 +0100 |
---|---|---|
committer | Valentin Rothberg <rothberg@redhat.com> | 2020-02-19 11:04:02 +0100 |
commit | 58cbbbc56e9f1cee4992ae4f4d3971c0e336ecd2 (patch) | |
tree | 9c27e95ba0d8e1f0dfabbb4ec2ade0ca52b17500 | |
parent | b7b9f8d0cfcf2ec5eaa35d5a09c7527739b74683 (diff) | |
set process labels in pkg/spec
Set the (default) process labels in `pkg/spec`. This way, we can also
query libpod.conf and disable labeling if needed.
Fixes: #5087
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
-rw-r--r-- | cmd/podman/shared/create.go | 3 | ||||
-rw-r--r-- | pkg/spec/spec.go | 26 |
2 files changed, 19 insertions, 10 deletions
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 99538b3dc..5b244699c 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -701,9 +701,6 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
  Sysctl: sysctl,
  }
 
- if err := secConfig.SetLabelOpts(runtime, pid, ipc); err != nil {
- return nil, err
- }
  if err := secConfig.SetSecurityOpts(runtime, c.StringArray("security-opt")); err != nil {
  return nil, err
  }
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index b2a152a2d..21b6bc3b3 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -241,23 +241,35 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
  }
 
  // SECURITY OPTS
+ var runtimeConfig *libpodconfig.Config
+
+ if runtime != nil {
+ runtimeConfig, err = runtime.GetConfig()
+ if err != nil {
+ return nil, err
+ }
+ }
+
  g.SetProcessNoNewPrivileges(config.Security.NoNewPrivs)
 
  if !config.Security.Privileged {
  g.SetProcessApparmorProfile(config.Security.ApparmorProfile)
  }
 
- blockAccessToKernelFilesystems(config, &g)
-
- var runtimeConfig *libpodconfig.Config
-
- if runtime != nil {
- runtimeConfig, err = runtime.GetConfig()
- if err != nil {
+ // Unless already set via the CLI, check if we need to disable process
+ // labels or set the defaults.
+ if len(config.Security.LabelOpts) == 0 && runtimeConfig != nil {
+ if !runtimeConfig.EnableLabeling {
+ // Disabled in the config.
+ config.Security.LabelOpts = append(config.Security.LabelOpts, "disable")
+ } else if err := config.Security.SetLabelOpts(runtime, &config.Pid, &config.Ipc); err != nil {
+ // Defaults!
  return nil, err
  }
  }
 
+ blockAccessToKernelFilesystems(config, &g)
+
  // RESOURCES - PIDS
  if config.Resources.PidsLimit > 0 {
  // if running on rootless on a cgroupv1 machine or using the cgroupfs manager, pids |
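Review bot: The new label defaulting in createConfigToOCISpec runs only when `runtimeConfig != nil`, so a caller that passes a nil runtime now gets neither the `disable` option nor the defaults that `SetLabelOpts` used to apply unconditionally from ParseCreateOpts (the call removed in the first hunk), and the container spec is emitted with no SELinux label options at all; whether any caller actually passes nil I cannot tell from the hunk, but the pre-existing `if runtime != nil` guard suggests it is an expected case. Failing open on a missing config is the wrong direction for a confinement setting: gate only the config lookup on the runtime, i.e. `if len(config.Security.LabelOpts) == 0 {` and `if runtimeConfig != nil && !runtimeConfig.EnableLabeling {`, so the `else if` still applies the defaults, or return an explicit error there if `SetLabelOpts` cannot cope with a nil runtime. Separately, the `// Defaults!` comment sits on the error return rather than on the branch that applies the defaults; move it onto the `else if` line as `// Otherwise apply the default process labels.`. createConfigToOCISpec starts and ends outside the hunk.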