Merge pull request #8408 from umohnani8/sec-opt

Add mask and unmask option to --security-opt

3 files changed, 46 insertions, 16 deletions

diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index 2d40dba8f..1808f99b8 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -4,13 +4,16 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 
 	"github.com/containers/podman/v2/pkg/rootless"
+	"github.com/containers/podman/v2/pkg/util"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
 
@@ -137,22 +140,33 @@ func DevicesFromPath(g *generate.Generator, devicePath string) error {
 	return addDevice(g, strings.Join(append([]string{resolvedDevicePath}, devs[1:]...), ":"))
 }
 
-func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.Generator) {
+func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask []string, g *generate.Generator) {
+	defaultMaskPaths := []string{"/proc/acpi",
+		"/proc/kcore",
+		"/proc/keys",
+		"/proc/latency_stats",
+		"/proc/timer_list",
+		"/proc/timer_stats",
+		"/proc/sched_debug",
+		"/proc/scsi",
+		"/sys/firmware",
+		"/sys/fs/selinux",
+		"/sys/dev/block",
+	}
+
+	unmaskAll := false
+	if unmask != nil && unmask[0] == "ALL" {
+		unmaskAll = true
+	}
+
 	if !privileged {
-		for _, mp := range []string{
-			"/proc/acpi",
-			"/proc/kcore",
-			"/proc/keys",
-			"/proc/latency_stats",
-			"/proc/timer_list",
-			"/proc/timer_stats",
-			"/proc/sched_debug",
-			"/proc/scsi",
-			"/sys/firmware",
-			"/sys/fs/selinux",
-			"/sys/dev",
-		} {
-			g.AddLinuxMaskedPaths(mp)
+		if !unmaskAll {
+			for _, mp := range defaultMaskPaths {
+				// check that the path to mask is not in the list of paths to unmask
+				if !util.StringInSlice(mp, unmask) {
+					g.AddLinuxMaskedPaths(mp)
+				}
+			}
 		}
 
 		if pidModeIsHost && rootless.IsRootless() {
@@ -170,6 +184,15 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.
 			g.AddLinuxReadonlyPaths(rp)
 		}
 	}
+
+	// mask the paths provided by the user
+	for _, mp := range mask {
+		if !path.IsAbs(mp) && mp != "" {
+			logrus.Errorf("Path %q is not an absolute path, skipping...", mp)
+			continue
+		}
+		g.AddLinuxMaskedPaths(mp)
+	}
 }
 
 // based on getDevices from runc (libcontainer/devices/devices.go)
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 8454458a8..0368ab205 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -298,7 +298,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 		}
 	}
 
-	BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), &g)
+	BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), s.Mask, s.Unmask, &g)
 
 	for name, val := range s.Env {
 		g.AddProcessEnv(name, val)
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index fad2406e5..964b89fa4 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -307,6 +307,13 @@ type ContainerSecurityConfig struct {
 	Umask string `json:"umask,omitempty"`
 	// ProcOpts are the options used for the proc mount.
 	ProcOpts []string `json:"procfs_opts,omitempty"`
+	// Mask is the path we want to mask in the container. This masks the paths
+	// given in addition to the default list.
+	// Optional
+	Mask []string `json:"mask,omitempty"`
+	// Unmask is the path we want to unmask in the container. To override
+	// all the default paths that are masked, set unmask=ALL.
+	Unmask []string `json:"unmask,omitempty"`
 }
 
 // ContainerCgroupConfig contains configuration information about a container's