From c91bc31570f1fab616e10d0e2b4a6c8b7fe631c7 Mon Sep 17 00:00:00 2001 From: Matthew Heon Date: Tue, 16 Jul 2019 15:00:41 -0400 Subject: Populate inspect with security-opt settings We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not). Signed-off-by: Matthew Heon --- libpod/container_inspect.go | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) (limited to 'libpod/container_inspect.go') diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go index 7273a9005..c4d2af66e 100644 --- a/libpod/container_inspect.go +++ b/libpod/container_inspect.go @@ -58,6 +58,24 @@ const ( // If an annotation with this key is found in the OCI spec, it will be // used in the output of Inspect(). InspectAnnotationInit = "io.podman.annotations.init" + // InspectAnnotationLabel is used by Inspect to identify containers with + // special SELinux-related settings. It is used to populate the output + // of the SecurityOpt setting. + // If an annotation with this key is found in the OCI spec, it will be + // used in the output of Inspect(). + InspectAnnotationLabel = "io.podman.annotations.label" + // InspectAnnotationSeccomp is used by Inspect to identify containers + // with special Seccomp-related settings. It is used to populate the + // output of the SecurityOpt setting in Inspect. + // If an annotation with this key is found in the OCI spec, it will be + // used in the output of Inspect(). + InspectAnnotationSeccomp = "io.podman.annotations.seccomp" + // InspectAnnotationApparmor is used by Inspect to identify containers + // with special Apparmor-related settings. It is used to populate the + // output of the SecurityOpt setting. + // If an annotation with this key is found in the OCI spec, it will be + // used in the output of Inspect(). + InspectAnnotationApparmor = "io.podman.annotations.apparmor" // InspectResponseTrue is a boolean True response for an inspect // annotation. @@ -275,7 +293,6 @@ type InspectContainerHostConfig struct { ReadonlyRootfs bool `json:"ReadonlyRootfs"` // SecurityOpt is a list of security-related options that are set in the // container. - // TODO. SecurityOpt []string `json:"SecurityOpt"` // Tmpfs is a list of tmpfs filesystems that will be mounted into the // container. @@ -965,10 +982,14 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named hostConfig.GroupAdd = append(hostConfig.GroupAdd, group) } + hostConfig.SecurityOpt = []string{} if ctrSpec.Process != nil { if ctrSpec.Process.OOMScoreAdj != nil { hostConfig.OomScoreAdj = *ctrSpec.Process.OOMScoreAdj } + if ctrSpec.Process.NoNewPrivileges { + hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges") + } } hostConfig.ReadonlyRootfs = ctrSpec.Root.Readonly @@ -995,6 +1016,15 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named if ctrSpec.Annotations[InspectAnnotationInit] == InspectResponseTrue { hostConfig.Init = true } + if label, ok := ctrSpec.Annotations[InspectAnnotationLabel]; ok { + hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("label=%s", label)) + } + if seccomp, ok := ctrSpec.Annotations[InspectAnnotationSeccomp]; ok { + hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("seccomp=%s", seccomp)) + } + if apparmor, ok := ctrSpec.Annotations[InspectAnnotationApparmor]; ok { + hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("apparmor=%s", apparmor)) + } } // Resource limits -- cgit v1.2.3-54-g00ecf