Address review comments
Review comments to delete WithNoNew function and its append. Signed-off-by: baude <bbaude@redhat.com> Closes: #369 Approved by: rhatdan
@ -38,7 +38,7 @@ context: "CAH smoketested"
|
|||||||
|
|
||||||
inherit: true
|
inherit: true
|
||||||
host:
|
host:
|
||||||
distro: fedora/27/cloud
|
distro: fedora/27/cloud/pungi
|
||||||
specs:
|
specs:
|
||||||
ram: 8192
|
ram: 8192
|
||||||
cpus: 4
|
cpus: 4
|
||||||
|
@ -665,7 +665,6 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
|
|||||||
}
|
}
|
||||||
|
|
||||||
options = append(options, libpod.WithPrivileged(c.Privileged))
|
options = append(options, libpod.WithPrivileged(c.Privileged))
|
||||||
options = append(options, libpod.WithNoNewPrivs(c.NoNewPrivs))
|
|
||||||
return options, nil
|
return options, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -236,11 +236,12 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
|
|||||||
globalOpts := runcGlobalOptions{
|
globalOpts := runcGlobalOptions{
|
||||||
log: c.LogPath(),
|
log: c.LogPath(),
|
||||||
}
|
}
|
||||||
|
|
||||||
execOpts := runcExecOptions{
|
execOpts := runcExecOptions{
|
||||||
capAdd: capList,
|
capAdd: capList,
|
||||||
pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
|
pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
|
||||||
env: env,
|
env: env,
|
||||||
noNewPrivs: c.config.NoNewPrivs,
|
noNewPrivs: c.config.Spec.Process.NoNewPrivileges,
|
||||||
user: user,
|
user: user,
|
||||||
cwd: c.config.Spec.Process.Cwd,
|
cwd: c.config.Spec.Process.Cwd,
|
||||||
tty: tty,
|
tty: tty,
|
||||||
|
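Review bot: Exec now sources no-new-privileges from `c.config.Spec.Process.NoNewPrivileges`, which is the right place since that is what the runtime enforces for the container's main process, but nothing in this commit shows the spec generator populating that field from the create config after the `WithNoNewPrivs` option and its append are removed. If that path is missing, `--security-opt no-new-privileges` silently has no effect at both run and exec time, so it is worth confirming in the spec builder; the new integration spec later in this commit only catches it if it actually runs. The `Spec.Process` dereference itself introduces no new nil risk, since the `cwd` line below already dereferences the same chain. Exec begins and ends outside the hunk.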
@ -272,18 +272,6 @@ func WithPrivileged(privileged bool) CtrCreateOption {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// WithNoNewPrivs sets the noNewPrivs flag in the container runtime
|
|
||||||
func WithNoNewPrivs(noNewPrivs bool) CtrCreateOption {
|
|
||||||
return func(ctr *Container) error {
|
|
||||||
if ctr.valid {
|
|
||||||
return ErrCtrFinalized
|
|
||||||
}
|
|
||||||
|
|
||||||
ctr.config.NoNewPrivs = noNewPrivs
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// WithSELinuxLabels sets the mount label for SELinux
|
// WithSELinuxLabels sets the mount label for SELinux
|
||||||
func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
|
func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
|
||||||
return func(ctr *Container) error {
|
return func(ctr *Container) error {
|
||||||
|
@ -16,6 +16,7 @@ import (
|
|||||||
"github.com/containers/image/transports/alltransports"
|
"github.com/containers/image/transports/alltransports"
|
||||||
"github.com/containers/image/types"
|
"github.com/containers/image/types"
|
||||||
sstorage "github.com/containers/storage"
|
sstorage "github.com/containers/storage"
|
||||||
|
"github.com/containers/storage/pkg/parsers/kernel"
|
||||||
"github.com/containers/storage/pkg/reexec"
|
"github.com/containers/storage/pkg/reexec"
|
||||||
. "github.com/onsi/ginkgo"
|
. "github.com/onsi/ginkgo"
|
||||||
. "github.com/onsi/gomega"
|
. "github.com/onsi/gomega"
|
||||||
@ -72,6 +73,10 @@ func TestLibpod(t *testing.T) {
|
|||||||
if reexec.Init() {
|
if reexec.Init() {
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
|
if os.Getenv("NOCACHE") == "1" {
|
||||||
|
CACHE_IMAGES = []string{}
|
||||||
|
RESTORE_IMAGES = []string{}
|
||||||
|
}
|
||||||
RegisterFailHandler(Fail)
|
RegisterFailHandler(Fail)
|
||||||
RunSpecs(t, "Libpod Suite")
|
RunSpecs(t, "Libpod Suite")
|
||||||
}
|
}
|
||||||
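Review bot: The `NOCACHE` environment variable read at the top of the added lines is undocumented, and a reader cannot tell from the two empty-slice assignments what it disables. A one-line comment above the check, such as `// NOCACHE=1 skips image caching and restoring between specs`, would make the intent explicit; I am inferring the purpose from the variable names, so adjust the wording to what the suite actually does with them. TestLibpod begins outside the hunk.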
@ -480,3 +485,24 @@ func (p *PodmanTest) GetHostDistribution() string {
|
|||||||
}
|
}
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsKernelNewThan compares the current kernel version to one provided. If
|
||||||
|
// the kernel is equal to or greater, returns true
|
||||||
|
func IsKernelNewThan(version string) (bool, error) {
|
||||||
|
inputVersion, err := kernel.ParseRelease(version)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
kv, err := kernel.GetKernelVersion()
|
||||||
|
if err == nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
// CompareKernelVersion compares two kernel.VersionInfo structs.
|
||||||
|
// Returns -1 if a < b, 0 if a == b, 1 it a > b
|
||||||
|
result := kernel.CompareKernelVersion(*kv, *inputVersion)
|
||||||
|
if result >= 0 {
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
return false, nil
|
||||||
|
|
||||||
|
}
|
||||||
|
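Review bot: The error check after `kernel.GetKernelVersion()` is inverted: `if err == nil { return false, err }` returns (false, nil) whenever the running kernel is read successfully, and when the read fails it falls through to dereference a nil `kv`. The line should read `if err != nil {`. As written, every caller gating on this helper, including the no-new-privileges spec added later in this commit, is skipped on every kernel, so that security test never executes. The tail can also collapse to `return result >= 0, nil`, and the doc comment should say which argument is compared against which so callers know "newer than" is inclusive.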
@ -1,12 +1,11 @@
|
|||||||
package integration
|
package integration
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
"os"
|
"os"
|
||||||
|
"strings"
|
||||||
|
|
||||||
. "github.com/onsi/ginkgo"
|
. "github.com/onsi/ginkgo"
|
||||||
. "github.com/onsi/gomega"
|
. "github.com/onsi/gomega"
|
||||||
"strings"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var _ = Describe("Podman privileged container tests", func() {
|
var _ = Describe("Podman privileged container tests", func() {
|
||||||
@ -84,23 +83,29 @@ var _ = Describe("Podman privileged container tests", func() {
|
|||||||
})
|
})
|
||||||
|
|
||||||
It("run no-new-privileges test", func() {
|
It("run no-new-privileges test", func() {
|
||||||
|
// Check if our kernel is new enough
|
||||||
|
k, err := IsKernelNewThan("4.14")
|
||||||
|
Expect(err).To(BeNil())
|
||||||
|
if !k {
|
||||||
|
Skip("Kernel is not new enough to test this feature")
|
||||||
|
}
|
||||||
|
|
||||||
cap := podmanTest.SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
|
cap := podmanTest.SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
|
||||||
cap.WaitWithDefaultTimeout()
|
cap.WaitWithDefaultTimeout()
|
||||||
if cap.ExitCode() != 0 {
|
if cap.ExitCode() != 0 {
|
||||||
fmt.Println("Can't determine NoNewPrivs")
|
Skip("Can't determine NoNewPrivs")
|
||||||
return
|
|
||||||
}
|
}
|
||||||
|
|
||||||
session := podmanTest.Podman([]string{"run", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
|
session := podmanTest.Podman([]string{"run", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
|
||||||
session.WaitWithDefaultTimeout()
|
session.WaitWithDefaultTimeout()
|
||||||
Expect(session.ExitCode()).To(Equal(0))
|
Expect(session.ExitCode()).To(Equal(0))
|
||||||
privs := strings.Split(cap.OutputToString(), ":")
|
|
||||||
|
|
||||||
|
privs := strings.Split(cap.OutputToString(), ":")
|
||||||
session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
|
session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
|
||||||
session.WaitWithDefaultTimeout()
|
session.WaitWithDefaultTimeout()
|
||||||
Expect(session.ExitCode()).To(Equal(0))
|
Expect(session.ExitCode()).To(Equal(0))
|
||||||
noprivs := strings.Split(cap.OutputToString(), ":")
|
|
||||||
|
|
||||||
|
noprivs := strings.Split(cap.OutputToString(), ":")
|
||||||
Expect(privs[1]).To(Not(Equal(noprivs[1])))
|
Expect(privs[1]).To(Not(Equal(noprivs[1])))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
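Review bot: Both `privs` and `noprivs` are split from `cap.OutputToString()`, the host-side grep, instead of from the `session` run immediately above each of them, so the two values are always identical and the final `Expect(privs[1]).To(Not(Equal(noprivs[1])))` can never pass. This is currently masked because the kernel gate at the top of the spec skips it on every kernel (see the inverted error check in IsKernelNewThan), so once that is fixed this spec will start failing. The two lines should read `privs := strings.Split(session.OutputToString(), ":")` and `noprivs := strings.Split(session.OutputToString(), ":")`. The enclosing Describe block begins and ends outside the hunk.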