diff options
| -rw-r--r-- | cmd/podman/images/scp.go | 4 | ||||
| -rw-r--r-- | docs/source/markdown/podman-image-scp.1.md | 2 | ||||
| -rw-r--r-- | libpod/container_internal.go | 36 | ||||
| -rw-r--r-- | test/e2e/run_cgroup_parent_test.go | 17 | ||||
| -rw-r--r-- | test/system/410-selinux.bats | 12 |
5 files changed, 54 insertions, 17 deletions
diff --git a/cmd/podman/images/scp.go b/cmd/podman/images/scp.go index 71399e0b7..a47d01995 100644 --- a/cmd/podman/images/scp.go +++ b/cmd/podman/images/scp.go @@ -111,7 +111,7 @@ func scp(cmd *cobra.Command, args []string) (finalErr error) { if err != nil { return err } - fmt.Println("Loaded images(s): " + strings.Join(report.Names, ",")) + fmt.Println("Loaded image(s): " + strings.Join(report.Names, ",")) case scpOpts.ToRemote: // remote host load scpOpts.Save.Format = "oci-archive" abiErr := abiEng.Save(context.Background(), scpOpts.SourceImageName, []string{}, scpOpts.Save) // save the image locally before loading it on remote, local, or ssh @@ -137,7 +137,7 @@ func scp(cmd *cobra.Command, args []string) (finalErr error) { if err != nil { return err } - fmt.Println("Loaded images(s): " + strings.Join(rep.Names, ",")) + fmt.Println("Loaded image(s): " + strings.Join(rep.Names, ",")) } return nil } diff --git a/docs/source/markdown/podman-image-scp.1.md b/docs/source/markdown/podman-image-scp.1.md index 7d143c851..420452a4d 100644 --- a/docs/source/markdown/podman-image-scp.1.md +++ b/docs/source/markdown/podman-image-scp.1.md @@ -59,7 +59,7 @@ Copying blob 9450ef9feb15 [--------------------------------------] 0.0b / 0.0b Copying config 1f97f0559c done Writing manifest to image destination Storing signatures -Loaded images(s): docker.io/library/alpine:latest +Loaded image(s): docker.io/library/alpine:latest ``` ## SEE ALSO diff --git a/libpod/container_internal.go b/libpod/container_internal.go index e7694227a..8ffcccf4c 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -472,20 +472,10 @@ func (c *Container) setupStorage(ctx context.Context) error { c.config.IDMappings.UIDMap = containerInfo.UIDMap c.config.IDMappings.GIDMap = containerInfo.GIDMap - processLabel := containerInfo.ProcessLabel - switch { - case c.ociRuntime.SupportsKVM(): - processLabel, err = selinux.KVMLabel(processLabel) - if err != nil { - return err - } - case c.config.Systemd: - processLabel, err = selinux.InitLabel(processLabel) - if err != nil { - return err - } + processLabel, err := c.processLabel(containerInfo.ProcessLabel) + if err != nil { + return err } - c.config.ProcessLabel = processLabel c.config.MountLabel = containerInfo.MountLabel c.config.StaticDir = containerInfo.Dir @@ -520,6 +510,26 @@ func (c *Container) setupStorage(ctx context.Context) error { return nil } +func (c *Container) processLabel(processLabel string) (string, error) { + if !c.config.Systemd && !c.ociRuntime.SupportsKVM() { + return processLabel, nil + } + ctrSpec, err := c.specFromState() + if err != nil { + return "", err + } + label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel] + if !ok || !strings.Contains(label, "type:") { + switch { + case c.ociRuntime.SupportsKVM(): + return selinux.KVMLabel(processLabel) + case c.config.Systemd: + return selinux.InitLabel(processLabel) + } + } + return processLabel, nil +} + // Tear down a container's storage prior to removal func (c *Container) teardownStorage() error { if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) { diff --git a/test/e2e/run_cgroup_parent_test.go b/test/e2e/run_cgroup_parent_test.go index 300c3a8e0..3e261961b 100644 --- a/test/e2e/run_cgroup_parent_test.go +++ b/test/e2e/run_cgroup_parent_test.go @@ -2,6 +2,7 @@ package integration import ( "fmt" + "io/ioutil" "os" "path/filepath" "strings" @@ -80,7 +81,21 @@ var _ = Describe("Podman run with --cgroup-parent", func() { exec.WaitWithDefaultTimeout() Expect(exec).Should(Exit(0)) - cgroup := filepath.Dir(strings.TrimRight(strings.Replace(exec.OutputToString(), "0::", "", -1), "\n")) + containerCgroup := strings.TrimRight(strings.Replace(exec.OutputToString(), "0::", "", -1), "\n") + + content, err := ioutil.ReadFile(filepath.Join("/sys/fs/cgroup", containerCgroup, "cgroup.procs")) + Expect(err).To(BeNil()) + + // Move the container process to a sub cgroup + subCgroupPath := filepath.Join(filepath.Join("/sys/fs/cgroup", containerCgroup, "old-container")) + + err = os.MkdirAll(subCgroupPath, 0755) + Expect(err).To(BeNil()) + + err = ioutil.WriteFile(filepath.Join(subCgroupPath, "cgroup.procs"), content, 0644) + Expect(err).To(BeNil()) + + cgroup := filepath.Dir(containerCgroup) run = podmanTest.Podman([]string{"--cgroup-manager=cgroupfs", "run", "-d", fmt.Sprintf("--cgroup-parent=%s", cgroup), fedoraMinimal, "sleep", "100"}) run.WaitWithDefaultTimeout() diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats index 4ef9c8b30..5ee0e0715 100644 --- a/test/system/410-selinux.bats +++ b/test/system/410-selinux.bats @@ -50,6 +50,18 @@ function check_label() { check_label "--systemd=always" "container_init_t" } +@test "podman selinux: init container with --security-opt type" { + check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t" +} + +@test "podman selinux: init container with --security-opt level&type" { + check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2" +} + +@test "podman selinux: init container with --security-opt level" { + check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t" "s0:c1,c2" +} + @test "podman selinux: pid=host" { # FIXME this test fails when run rootless with runc: # Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied |