diff options
author | Matthew Heon <mheon@redhat.com> | 2019-07-16 15:00:41 -0400 |
---|---|---|
committer | Matthew Heon <mheon@redhat.com> | 2019-07-17 16:48:38 -0400 |
commit | c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7 (patch) | |
tree | 912709f28548ec28002786bd5c9a32904538ee7e /libpod | |
parent | 156b6ef22230b296a06b50196e0191d191e15749 (diff) | |
download | podman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.tar.gz podman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.tar.bz2 podman-c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7.zip |
Populate inspect with security-opt settings
We can infer no-new-privileges. For now, manually populate
seccomp (can't infer what file we sourced from) and
SELinux/Apparmor (hard to tell if they're enabled or not).
Signed-off-by: Matthew Heon <mheon@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_inspect.go | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go index 7273a9005..c4d2af66e 100644 --- a/libpod/container_inspect.go +++ b/libpod/container_inspect.go @@ -58,6 +58,24 @@ const ( // If an annotation with this key is found in the OCI spec, it will be // used in the output of Inspect(). InspectAnnotationInit = "io.podman.annotations.init" + // InspectAnnotationLabel is used by Inspect to identify containers with + // special SELinux-related settings. It is used to populate the output + // of the SecurityOpt setting. + // If an annotation with this key is found in the OCI spec, it will be + // used in the output of Inspect(). + InspectAnnotationLabel = "io.podman.annotations.label" + // InspectAnnotationSeccomp is used by Inspect to identify containers + // with special Seccomp-related settings. It is used to populate the + // output of the SecurityOpt setting in Inspect. + // If an annotation with this key is found in the OCI spec, it will be + // used in the output of Inspect(). + InspectAnnotationSeccomp = "io.podman.annotations.seccomp" + // InspectAnnotationApparmor is used by Inspect to identify containers + // with special Apparmor-related settings. It is used to populate the + // output of the SecurityOpt setting. + // If an annotation with this key is found in the OCI spec, it will be + // used in the output of Inspect(). + InspectAnnotationApparmor = "io.podman.annotations.apparmor" // InspectResponseTrue is a boolean True response for an inspect // annotation. @@ -275,7 +293,6 @@ type InspectContainerHostConfig struct { ReadonlyRootfs bool `json:"ReadonlyRootfs"` // SecurityOpt is a list of security-related options that are set in the // container. - // TODO. SecurityOpt []string `json:"SecurityOpt"` // Tmpfs is a list of tmpfs filesystems that will be mounted into the // container. @@ -965,10 +982,14 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named hostConfig.GroupAdd = append(hostConfig.GroupAdd, group) } + hostConfig.SecurityOpt = []string{} if ctrSpec.Process != nil { if ctrSpec.Process.OOMScoreAdj != nil { hostConfig.OomScoreAdj = *ctrSpec.Process.OOMScoreAdj } + if ctrSpec.Process.NoNewPrivileges { + hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges") + } } hostConfig.ReadonlyRootfs = ctrSpec.Root.Readonly @@ -995,6 +1016,15 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named if ctrSpec.Annotations[InspectAnnotationInit] == InspectResponseTrue { hostConfig.Init = true } + if label, ok := ctrSpec.Annotations[InspectAnnotationLabel]; ok { + hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("label=%s", label)) + } + if seccomp, ok := ctrSpec.Annotations[InspectAnnotationSeccomp]; ok { + hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("seccomp=%s", seccomp)) + } + if apparmor, ok := ctrSpec.Annotations[InspectAnnotationApparmor]; ok { + hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("apparmor=%s", apparmor)) + } } // Resource limits |