aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthew Heon <mheon@redhat.com>2019-07-16 15:00:41 -0400
committerMatthew Heon <mheon@redhat.com>2019-07-17 16:48:38 -0400
commitc91bc31570f1fab616e10d0e2b4a6c8b7fe631c7 (patch)
tree912709f28548ec28002786bd5c9a32904538ee7e
parent156b6ef22230b296a06b50196e0191d191e15749 (diff)
downloadpodman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.tar.gz
podman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.tar.bz2
podman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.zip
Populate inspect with security-opt settings
We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not). Signed-off-by: Matthew Heon <mheon@redhat.com>
-rw-r--r--libpod/container_inspect.go32
-rw-r--r--pkg/spec/spec.go19
2 files changed, 50 insertions, 1 deletions
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 7273a9005..c4d2af66e 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -58,6 +58,24 @@ const (
// If an annotation with this key is found in the OCI spec, it will be
// used in the output of Inspect().
InspectAnnotationInit = "io.podman.annotations.init"
+ // InspectAnnotationLabel is used by Inspect to identify containers with
+ // special SELinux-related settings. It is used to populate the output
+ // of the SecurityOpt setting.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationLabel = "io.podman.annotations.label"
+ // InspectAnnotationSeccomp is used by Inspect to identify containers
+ // with special Seccomp-related settings. It is used to populate the
+ // output of the SecurityOpt setting in Inspect.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationSeccomp = "io.podman.annotations.seccomp"
+ // InspectAnnotationApparmor is used by Inspect to identify containers
+ // with special Apparmor-related settings. It is used to populate the
+ // output of the SecurityOpt setting.
+ // If an annotation with this key is found in the OCI spec, it will be
+ // used in the output of Inspect().
+ InspectAnnotationApparmor = "io.podman.annotations.apparmor"
// InspectResponseTrue is a boolean True response for an inspect
// annotation.
@@ -275,7 +293,6 @@ type InspectContainerHostConfig struct {
ReadonlyRootfs bool `json:"ReadonlyRootfs"`
// SecurityOpt is a list of security-related options that are set in the
// container.
- // TODO.
SecurityOpt []string `json:"SecurityOpt"`
// Tmpfs is a list of tmpfs filesystems that will be mounted into the
// container.
@@ -965,10 +982,14 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
hostConfig.GroupAdd = append(hostConfig.GroupAdd, group)
}
+ hostConfig.SecurityOpt = []string{}
if ctrSpec.Process != nil {
if ctrSpec.Process.OOMScoreAdj != nil {
hostConfig.OomScoreAdj = *ctrSpec.Process.OOMScoreAdj
}
+ if ctrSpec.Process.NoNewPrivileges {
+ hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges")
+ }
}
hostConfig.ReadonlyRootfs = ctrSpec.Root.Readonly
@@ -995,6 +1016,15 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
if ctrSpec.Annotations[InspectAnnotationInit] == InspectResponseTrue {
hostConfig.Init = true
}
+ if label, ok := ctrSpec.Annotations[InspectAnnotationLabel]; ok {
+ hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("label=%s", label))
+ }
+ if seccomp, ok := ctrSpec.Annotations[InspectAnnotationSeccomp]; ok {
+ hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("seccomp=%s", seccomp))
+ }
+ if apparmor, ok := ctrSpec.Annotations[InspectAnnotationApparmor]; ok {
+ hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("apparmor=%s", apparmor))
+ }
}
// Resource limits
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index ca627f3aa..41054633f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -455,6 +455,25 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
configSpec.Annotations[libpod.InspectAnnotationInit] = libpod.InspectResponseFalse
}
+ for _, opt := range config.SecurityOpts {
+ // Split on both : and =
+ splitOpt := strings.Split(opt, "=")
+ if len(splitOpt) == 1 {
+ splitOpt = strings.Split(opt, ":")
+ }
+ if len(splitOpt) < 2 {
+ continue
+ }
+ switch splitOpt[0] {
+ case "label":
+ configSpec.Annotations[libpod.InspectAnnotationLabel] = splitOpt[1]
+ case "seccomp":
+ configSpec.Annotations[libpod.InspectAnnotationSeccomp] = splitOpt[1]
+ case "apparmor":
+ configSpec.Annotations[libpod.InspectAnnotationApparmor] = splitOpt[1]
+ }
+ }
+
return configSpec, nil
}