Forbid empty AppArmor localhost profile

This commit is contained in:
Tim Allclair 2022-02-15 13:19:02 -08:00
parent 30a21e9abd
commit f780889d4c
2 changed files with 12 additions and 1 deletions

View File

@ -74,10 +74,19 @@ func (v *validator) Validate(pod *v1.Pod) error {
var retErr error
podutil.VisitContainers(&pod.Spec, podutil.AllContainers, func(container *v1.Container, containerType podutil.ContainerType) bool {
retErr = ValidateProfileFormat(GetProfileName(pod, container.Name))
profile := GetProfileName(pod, container.Name)
retErr = ValidateProfileFormat(profile)
if retErr != nil {
return false
}
// TODO(#64841): This would ideally be part of ValidateProfileFormat, but that is called for
// API validation, and this is tightening validation.
if strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
if strings.TrimSpace(strings.TrimPrefix(profile, v1.AppArmorBetaProfileNamePrefix)) == "" {
retErr = fmt.Errorf("invalid empty AppArmor profile name: %q", profile)
return false
}
}
return true
})

View File

@ -109,6 +109,8 @@ func TestValidateValidHost(t *testing.T) {
{v1.AppArmorBetaProfileNamePrefix + "foo-container", true},
{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
{"docker-default", false},
{v1.AppArmorBetaProfileNamePrefix + "", false}, // Empty profile explicitly forbidden.
{v1.AppArmorBetaProfileNamePrefix + " ", false},
}
for _, test := range tests {