opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-16 18:53:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

Handle filetype field in kubernetes.yaml files

Browse Source 
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2023-01-30 07:00:14 -06:00
parent 28e9b48440
commit 02bcf0bac8
5 changed files with 54 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
libpod/kube.go
View File

@ -230,7 +230,7 @@ func ConvertV1PodToYAMLPod(pod *v1.Pod) *YAMLPod {
continue continue
} }
selinuxOpts := ctr.SecurityContext.SELinuxOptions selinuxOpts := ctr.SecurityContext.SELinuxOptions
if selinuxOpts.User == "" && selinuxOpts.Role == "" && selinuxOpts.Type == "" && selinuxOpts.Level == "" { if selinuxOpts.User == "" && selinuxOpts.Role == "" && selinuxOpts.Type == "" && selinuxOpts.Level == "" && selinuxOpts.FileType == "" {
ctr.SecurityContext.SELinuxOptions = nil ctr.SecurityContext.SELinuxOptions = nil
} }
} }
@ -1043,27 +1043,33 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, bool, error
sc.Capabilities = capabilities sc.Capabilities = capabilities
} }
var selinuxOpts v1.SELinuxOptions var selinuxOpts v1.SELinuxOptions
opts := strings.SplitN(c.config.Spec.Annotations[define.InspectAnnotationLabel], ":", 2) selinuxHasData := false
for _, label := range strings.Split(c.config.Spec.Annotations[define.InspectAnnotationLabel], ",label=") {
opts := strings.SplitN(label, ":", 2)
switch len(opts) { switch len(opts) {
case 2: case 2:
switch opts[0] { switch opts[0] {
case "filetype":
selinuxOpts.FileType = opts[1]
selinuxHasData = true
case "type": case "type":
selinuxOpts.Type = opts[1] selinuxOpts.Type = opts[1]
sc.SELinuxOptions = &selinuxOpts selinuxHasData = true
scHasData = true
case "level": case "level":
selinuxOpts.Level = opts[1] selinuxOpts.Level = opts[1]
sc.SELinuxOptions = &selinuxOpts selinuxHasData = true
scHasData = true
} }
case 1: case 1:
if opts[0] == "disable" { if opts[0] == "disable" {
selinuxOpts.Type = "spc_t" selinuxOpts.Type = "spc_t"
selinuxHasData = true
}
}
}
if selinuxHasData {
sc.SELinuxOptions = &selinuxOpts sc.SELinuxOptions = &selinuxOpts
scHasData = true scHasData = true
} }
}
if !allowPrivEscalation { if !allowPrivEscalation {
scHasData = true scHasData = true
sc.AllowPrivilegeEscalation = &allowPrivEscalation sc.AllowPrivilegeEscalation = &allowPrivEscalation

3
pkg/k8s.io/api/core/v1/types.go
View File

@ -4403,6 +4403,9 @@ type SELinuxOptions struct {
// Type is a SELinux type label that applies to the container. // Type is a SELinux type label that applies to the container.
// +optional // +optional
Type string `json:"type,omitempty"` Type string `json:"type,omitempty"`
// FileType is a SELinux file type label that applies to the container.
// +optional
FileType string `json:"filetype,omitempty"`
// Level is SELinux level label that applies to the container. // Level is SELinux level label that applies to the container.
// +optional // +optional
Level string `json:"level,omitempty"` Level string `json:"level,omitempty"`

3
pkg/specgen/generate/kube/kube.go
View File

@ -719,6 +719,9 @@ func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.Security
if seopt.Level != "" { if seopt.Level != "" {
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("level:%s", seopt.Level)) s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("level:%s", seopt.Level))
} }
if seopt.FileType != "" {
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("filetype:%s", seopt.FileType))
}
} }
if caps := securityContext.Capabilities; caps != nil { if caps := securityContext.Capabilities; caps != nil {
for _, capability := range caps.Add { for _, capability := range caps.Add {

20
test/system/700-play.bats
View File

@ -72,7 +72,7 @@ RELABEL="system_u:object_r:container_file_t:s0"
echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
run_podman kube play - < $PODMAN_TMPDIR/test.yaml run_podman kube play - < $PODMAN_TMPDIR/test.yaml
if [ -e /usr/sbin/selinuxenabled -a /usr/sbin/selinuxenabled ]; then if selinux_enabled; then
run ls -Zd $TESTDIR run ls -Zd $TESTDIR
is "$output" "${RELABEL} $TESTDIR" "selinux relabel should have happened" is "$output" "${RELABEL} $TESTDIR" "selinux relabel should have happened"
fi fi
@ -94,7 +94,7 @@ RELABEL="system_u:object_r:container_file_t:s0"
mkdir -p $TESTDIR mkdir -p $TESTDIR
echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
run_podman play kube $PODMAN_TMPDIR/test.yaml run_podman play kube $PODMAN_TMPDIR/test.yaml
if [ -e /usr/sbin/selinuxenabled -a /usr/sbin/selinuxenabled ]; then if selinux_enabled; then
run ls -Zd $TESTDIR run ls -Zd $TESTDIR
is "$output" "${RELABEL} $TESTDIR" "selinux relabel should have happened" is "$output" "${RELABEL} $TESTDIR" "selinux relabel should have happened"
fi fi
@ -549,3 +549,19 @@ EOF
run_podman kube down $yaml_source run_podman kube down $yaml_source
} }
@test "podman kube generate filetype" {
YAML=$PODMAN_TMPDIR/test.yml
run_podman create --pod new:pod1 --security-opt label=level:s0:c1,c2 --security-opt label=filetype:usr_t --name test1 $IMAGE true
run_podman kube generate pod1 -f $YAML
run cat $YAML
is "$output" ".*filetype: usr_t" "Generated YAML file should contain filetype usr_t"
run_podman pod rm --force pod1
run_podman kube play $YAML
if selinux_enabled; then
run_podman inspect pod1-test1 --format "{{ .MountLabel }}"
is "$output" "system_u:object_r:usr_t:s0:c1,c2" "Generated container should use filetype usr_t"
fi
run_podman kube down $YAML
}

4
test/system/helpers.bash
View File

@ -347,6 +347,10 @@ function is_aarch64() {
[ "$(uname -m)" == "aarch64" ] [ "$(uname -m)" == "aarch64" ]
} }
function selinux_enabled() {
/usr/sbin/selinuxenabled 2> /dev/null
}
# Returns the OCI runtime *basename* (typically crun or runc). Much as we'd # Returns the OCI runtime *basename* (typically crun or runc). Much as we'd
# love to cache this result, we probably shouldn't. # love to cache this result, we probably shouldn't.
function podman_runtime() { function podman_runtime() {