github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-14 14:14:15 +00:00
Code Issues Projects Releases Wiki Activity

selinux: Disable selinux

Browse Source 
Till we implement support for selinux, disable selinux
by not passing selinux labels in the container spec.

Fixes #2442

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This commit is contained in:
Archana Shinde 2020-02-06 18:10:21 -08:00
parent a91cb13be8
commit 055f31716c
2 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
virtcontainers/kata_agent.go
View File

@ -1007,7 +1007,7 @@ func (k *kataAgent) replaceOCIMountsForStorages(spec *specs.Spec, volumeStorages
return nil return nil
} }
func constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) { func (k *kataAgent) constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
// Disable Hooks since they have been handled on the host and there is // Disable Hooks since they have been handled on the host and there is
// no reason to send them to the agent. It would make no sense to try // no reason to send them to the agent. It would make no sense to try
// to apply them on the guest. // to apply them on the guest.
@ -1019,6 +1019,12 @@ func constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
grpcSpec.Linux.Seccomp = nil grpcSpec.Linux.Seccomp = nil
} }
// Disable selinux
if grpcSpec.Process.SelinuxLabel != "" {
k.Logger().Warn("Selinux label specified in config, but not supported in Kata yet, running container without selinux")
grpcSpec.Process.SelinuxLabel = ""
}
// By now only CPU constraints are supported // By now only CPU constraints are supported
// Issue: https://github.com/kata-containers/runtime/issues/158 // Issue: https://github.com/kata-containers/runtime/issues/158
// Issue: https://github.com/kata-containers/runtime/issues/204 // Issue: https://github.com/kata-containers/runtime/issues/204
@ -1312,7 +1318,7 @@ func (k *kataAgent) createContainer(sandbox *Sandbox, c *Container) (p *Process,
// We need to constraint the spec to make sure we're not passing // We need to constraint the spec to make sure we're not passing
// irrelevant information to the agent. // irrelevant information to the agent.
constraintGRPCSpec(grpcSpec, passSeccomp) k.constraintGRPCSpec(grpcSpec, passSeccomp)
k.handleShm(grpcSpec, sandbox) k.handleShm(grpcSpec, sandbox)

7
virtcontainers/kata_agent_test.go
View File

@ -487,9 +487,13 @@ func TestConstraintGRPCSpec(t *testing.T) {
}, },
CgroupsPath: "system.slice:foo:bar", CgroupsPath: "system.slice:foo:bar",
}, },
Process: &pb.Process{
SelinuxLabel: "foo",
},
} }
constraintGRPCSpec(g, true) k := kataAgent{}
k.constraintGRPCSpec(g, true)
// check nil fields // check nil fields
assert.Nil(g.Hooks) assert.Nil(g.Hooks)
@ -501,6 +505,7 @@ func TestConstraintGRPCSpec(t *testing.T) {
assert.Nil(g.Linux.Resources.HugepageLimits) assert.Nil(g.Linux.Resources.HugepageLimits)
assert.Nil(g.Linux.Resources.Network) assert.Nil(g.Linux.Resources.Network)
assert.NotNil(g.Linux.Resources.CPU) assert.NotNil(g.Linux.Resources.CPU)
assert.Equal(g.Process.SelinuxLabel, "")
// check namespaces // check namespaces
assert.Len(g.Linux.Namespaces, 1) assert.Len(g.Linux.Namespaces, 1)