github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-25 15:02:45 +00:00
Code Issues Projects Releases Wiki Activity

selinux: Disable selinux

Browse Source 
Till we implement support for selinux, disable selinux
by not passing selinux labels in the container spec.

Fixes #2442

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This commit is contained in:
Archana Shinde 2020-02-06 18:10:21 -08:00
parent a91cb13be8
commit 055f31716c
2 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
virtcontainers/kata_agent.go
View File

@ -1007,7 +1007,7 @@ func (k *kataAgent) replaceOCIMountsForStorages(spec *specs.Spec, volumeStorages
return nil
}
func constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
func (k *kataAgent) constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
// Disable Hooks since they have been handled on the host and there is
// no reason to send them to the agent. It would make no sense to try
// to apply them on the guest.
@ -1019,6 +1019,12 @@ func constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
grpcSpec.Linux.Seccomp = nil
}
// Disable selinux
if grpcSpec.Process.SelinuxLabel != "" {
k.Logger().Warn("Selinux label specified in config, but not supported in Kata yet, running container without selinux")
grpcSpec.Process.SelinuxLabel = ""
}
// By now only CPU constraints are supported
// Issue: https://github.com/kata-containers/runtime/issues/158
// Issue: https://github.com/kata-containers/runtime/issues/204
@ -1312,7 +1318,7 @@ func (k *kataAgent) createContainer(sandbox *Sandbox, c *Container) (p *Process,
// We need to constraint the spec to make sure we're not passing
// irrelevant information to the agent.
constraintGRPCSpec(grpcSpec, passSeccomp)
k.constraintGRPCSpec(grpcSpec, passSeccomp)
k.handleShm(grpcSpec, sandbox)

7
virtcontainers/kata_agent_test.go
View File

@ -487,9 +487,13 @@ func TestConstraintGRPCSpec(t *testing.T) {
},
CgroupsPath: "system.slice:foo:bar",
},
Process: &pb.Process{
SelinuxLabel: "foo",
},
}
constraintGRPCSpec(g, true)
k := kataAgent{}
k.constraintGRPCSpec(g, true)
// check nil fields
assert.Nil(g.Hooks)
@ -501,6 +505,7 @@ func TestConstraintGRPCSpec(t *testing.T) {
assert.Nil(g.Linux.Resources.HugepageLimits)
assert.Nil(g.Linux.Resources.Network)
assert.NotNil(g.Linux.Resources.CPU)
assert.Equal(g.Process.SelinuxLabel, "")
// check namespaces
assert.Len(g.Linux.Namespaces, 1)