Merge pull request #105934 from jsafrane/dont-ignore-selinux

Don't guess SELinux support on error
This commit is contained in:
Kubernetes Prow Robot 2021-11-05 12:44:51 -07:00 committed by GitHub
commit 6d9008b1b0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 25 additions and 5 deletions

View File

@ -276,7 +276,8 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error
c.supportsSELinux, err = c.kubeVolHost.GetHostUtil().GetSELinuxSupport(dir) c.supportsSELinux, err = c.kubeVolHost.GetHostUtil().GetSELinuxSupport(dir)
if err != nil { if err != nil {
klog.V(2).Info(log("error checking for SELinux support: %s", err)) // The volume is mounted. Return UncertainProgressError, so kubelet will unmount it when user deletes the pod.
return volumetypes.NewUncertainProgressError(fmt.Sprintf("error checking for SELinux support: %s", err))
} }
if !driverSupportsCSIVolumeMountGroup && c.supportsFSGroup(fsType, mounterArgs.FsGroup, c.fsGroupPolicy) { if !driverSupportsCSIVolumeMountGroup && c.supportsFSGroup(fsType, mounterArgs.FsGroup, c.fsGroupPolicy) {

View File

@ -108,7 +108,7 @@ func (hu *FakeHostUtil) GetOwner(pathname string) (int64, int64, error) {
// GetSELinuxSupport tests if pathname is on a mount that supports SELinux. // GetSELinuxSupport tests if pathname is on a mount that supports SELinux.
// Not implemented for testing // Not implemented for testing
func (hu *FakeHostUtil) GetSELinuxSupport(pathname string) (bool, error) { func (hu *FakeHostUtil) GetSELinuxSupport(pathname string) (bool, error) {
return false, errors.New("GetSELinuxSupport not implemented") return false, nil
} }
// GetMode returns permissions of pathname. // GetMode returns permissions of pathname.

View File

@ -29,6 +29,7 @@ import (
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
"k8s.io/klog/v2" "k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/util/selinux"
"k8s.io/mount-utils" "k8s.io/mount-utils"
utilpath "k8s.io/utils/path" utilpath "k8s.io/utils/path"
) )
@ -230,8 +231,16 @@ func DoMakeRShared(path string, mountInfoFilename string) error {
return nil return nil
} }
// selinux.SELinuxEnabled implementation for unit tests
type seLinuxEnabledFunc func() bool
// GetSELinux is common implementation of GetSELinuxSupport on Linux. // GetSELinux is common implementation of GetSELinuxSupport on Linux.
func GetSELinux(path string, mountInfoFilename string) (bool, error) { func GetSELinux(path string, mountInfoFilename string, selinuxEnabled seLinuxEnabledFunc) (bool, error) {
// Skip /proc/mounts parsing if SELinux is disabled.
if !selinuxEnabled() {
return false, nil
}
info, err := findMountInfo(path, mountInfoFilename) info, err := findMountInfo(path, mountInfoFilename)
if err != nil { if err != nil {
return false, err return false, err
@ -254,7 +263,7 @@ func GetSELinux(path string, mountInfoFilename string) (bool, error) {
// GetSELinuxSupport returns true if given path is on a mount that supports // GetSELinuxSupport returns true if given path is on a mount that supports
// SELinux. // SELinux.
func (hu *HostUtil) GetSELinuxSupport(pathname string) (bool, error) { func (hu *HostUtil) GetSELinuxSupport(pathname string) (bool, error) {
return GetSELinux(pathname, procMountInfoPath) return GetSELinux(pathname, procMountInfoPath, selinux.SELinuxEnabled)
} }
// GetOwner returns the integer ID for the user and group of the given path // GetOwner returns the integer ID for the user and group of the given path

View File

@ -157,27 +157,37 @@ func TestGetSELinuxSupport(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
mountPoint string mountPoint string
selinuxEnabled bool
expectedResult bool expectedResult bool
}{ }{
{
"ext4 on / with disabled SELinux",
"/",
false,
false,
},
{ {
"ext4 on /", "ext4 on /",
"/", "/",
true, true,
true,
}, },
{ {
"tmpfs on /var/lib/bar", "tmpfs on /var/lib/bar",
"/var/lib/bar", "/var/lib/bar",
true,
false, false,
}, },
{ {
"nfsv4", "nfsv4",
"/media/nfs_vol", "/media/nfs_vol",
true,
false, false,
}, },
} }
for _, test := range tests { for _, test := range tests {
out, err := GetSELinux(test.mountPoint, filename) out, err := GetSELinux(test.mountPoint, filename, func() bool { return test.selinuxEnabled })
if err != nil { if err != nil {
t.Errorf("Test %s failed with error: %s", test.name, err) t.Errorf("Test %s failed with error: %s", test.name, err)
} }