github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 22:46:12 +00:00
Code Issues Projects Releases Wiki Activity

Forbid empty AppArmor localhost profile

Browse Source
This commit is contained in:
Tim Allclair 2022-02-15 13:19:02 -08:00
parent 30a21e9abd
commit f780889d4c
2 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
pkg/security/apparmor/validate.go
View File

@ -74,10 +74,19 @@ func (v *validator) Validate(pod *v1.Pod) error {
var retErr error
podutil.VisitContainers(&pod.Spec, podutil.AllContainers, func(container *v1.Container, containerType podutil.ContainerType) bool {
retErr = ValidateProfileFormat(GetProfileName(pod, container.Name))
profile := GetProfileName(pod, container.Name)
retErr = ValidateProfileFormat(profile)
if retErr != nil {
return false
}
// TODO(#64841): This would ideally be part of ValidateProfileFormat, but that is called for
// API validation, and this is tightening validation.
if strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
if strings.TrimSpace(strings.TrimPrefix(profile, v1.AppArmorBetaProfileNamePrefix)) == "" {
retErr = fmt.Errorf("invalid empty AppArmor profile name: %q", profile)
return false
}
}
return true
})

2
pkg/security/apparmor/validate_test.go
View File

@ -109,6 +109,8 @@ func TestValidateValidHost(t *testing.T) {
{v1.AppArmorBetaProfileNamePrefix + "foo-container", true},
{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
{"docker-default", false},
{v1.AppArmorBetaProfileNamePrefix + "", false}, // Empty profile explicitly forbidden.
{v1.AppArmorBetaProfileNamePrefix + " ", false},
}
for _, test := range tests {