Address review comments

Addresses review comments asking to delete the WithNoNew function and its append.

Signed-off-by: baude <bbaude@redhat.com>

Closes: #369
Approved by: rhatdan
This commit is contained in:
baude
2018-02-20 12:09:28 -06:00
committed by Atomic Bot
parent 831dc48883
commit 5e7979f016
6 changed files with 40 additions and 21 deletions


@ -38,7 +38,7 @@ context: "CAH smoketested"
inherit: true inherit: true
host: host:
distro: fedora/27/cloud distro: fedora/27/cloud/pungi
specs: specs:
ram: 8192 ram: 8192
cpus: 4 cpus: 4


@ -665,7 +665,6 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
} }
options = append(options, libpod.WithPrivileged(c.Privileged)) options = append(options, libpod.WithPrivileged(c.Privileged))
options = append(options, libpod.WithNoNewPrivs(c.NoNewPrivs))
return options, nil return options, nil
} }


@ -236,11 +236,12 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
globalOpts := runcGlobalOptions{ globalOpts := runcGlobalOptions{
log: c.LogPath(), log: c.LogPath(),
} }
execOpts := runcExecOptions{ execOpts := runcExecOptions{
capAdd: capList, capAdd: capList,
pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])), pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
env: env, env: env,
noNewPrivs: c.config.NoNewPrivs, noNewPrivs: c.config.Spec.Process.NoNewPrivileges,
user: user, user: user,
cwd: c.config.Spec.Process.Cwd, cwd: c.config.Spec.Process.Cwd,
tty: tty, tty: tty,
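Review bot: The exec options now take noNewPrivs from c.config.Spec.Process.NoNewPrivileges, and with WithNoNewPrivs deleted in this same commit nothing in the visible hunks shows where that spec field is populated from the create-time flag. If the spec generator does not set Process.NoNewPrivileges for `--security-opt no-new-privileges`, exec sessions would silently run without the restriction the main process has, so that path should be confirmed. A short why-comment on the changed line would also help the next reader, e.g. `// exec sessions inherit the container's no_new_privs setting from its OCI spec`. Exec's body starts before and continues after this hunk.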


@ -272,18 +272,6 @@ func WithPrivileged(privileged bool) CtrCreateOption {
} }
} }
// WithNoNewPrivs sets the noNewPrivs flag in the container runtime
func WithNoNewPrivs(noNewPrivs bool) CtrCreateOption {
return func(ctr *Container) error {
if ctr.valid {
return ErrCtrFinalized
}
ctr.config.NoNewPrivs = noNewPrivs
return nil
}
}
// WithSELinuxLabels sets the mount label for SELinux // WithSELinuxLabels sets the mount label for SELinux
func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption { func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
return func(ctr *Container) error { return func(ctr *Container) error {


@ -16,6 +16,7 @@ import (
"github.com/containers/image/transports/alltransports" "github.com/containers/image/transports/alltransports"
"github.com/containers/image/types" "github.com/containers/image/types"
sstorage "github.com/containers/storage" sstorage "github.com/containers/storage"
"github.com/containers/storage/pkg/parsers/kernel"
"github.com/containers/storage/pkg/reexec" "github.com/containers/storage/pkg/reexec"
. "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo"
. "github.com/onsi/gomega" . "github.com/onsi/gomega"
@ -72,6 +73,10 @@ func TestLibpod(t *testing.T) {
if reexec.Init() { if reexec.Init() {
os.Exit(1) os.Exit(1)
} }
if os.Getenv("NOCACHE") == "1" {
CACHE_IMAGES = []string{}
RESTORE_IMAGES = []string{}
}
RegisterFailHandler(Fail) RegisterFailHandler(Fail)
RunSpecs(t, "Libpod Suite") RunSpecs(t, "Libpod Suite")
} }
@ -480,3 +485,24 @@ func (p *PodmanTest) GetHostDistribution() string {
} }
return "" return ""
} }
// IsKernelNewThan compares the current kernel version to one provided. If
// the kernel is equal to or greater, returns true
func IsKernelNewThan(version string) (bool, error) {
inputVersion, err := kernel.ParseRelease(version)
if err != nil {
return false, err
}
kv, err := kernel.GetKernelVersion()
if err == nil {
return false, err
}
// CompareKernelVersion compares two kernel.VersionInfo structs.
// Returns -1 if a < b, 0 if a == b, 1 it a > b
result := kernel.CompareKernelVersion(*kv, *inputVersion)
if result >= 0 {
return true, nil
}
return false, nil
}
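Review bot: The error check after kernel.GetKernelVersion() in IsKernelNewThan is inverted: `if err == nil { return false, err }` returns (false, nil) whenever the lookup succeeds, and when it fails execution falls through to dereference kv in CompareKernelVersion. It should read `if err != nil {`, matching the check on ParseRelease just above it. As written, the caller added in privileged_test.go will see false on every working host and Skip, so the no-new-privileges test never actually runs. While here, the copied comment has a typo, `1 it a > b` should be `1 if a > b`.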


@ -1,12 +1,11 @@
package integration package integration
import ( import (
"fmt"
"os" "os"
"strings"
. "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo"
. "github.com/onsi/gomega" . "github.com/onsi/gomega"
"strings"
) )
var _ = Describe("Podman privileged container tests", func() { var _ = Describe("Podman privileged container tests", func() {
@ -84,23 +83,29 @@ var _ = Describe("Podman privileged container tests", func() {
}) })
It("run no-new-privileges test", func() { It("run no-new-privileges test", func() {
// Check if our kernel is new enough
k, err := IsKernelNewThan("4.14")
Expect(err).To(BeNil())
if !k {
Skip("Kernel is not new enough to test this feature")
}
cap := podmanTest.SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"}) cap := podmanTest.SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
cap.WaitWithDefaultTimeout() cap.WaitWithDefaultTimeout()
if cap.ExitCode() != 0 { if cap.ExitCode() != 0 {
fmt.Println("Can't determine NoNewPrivs") Skip("Can't determine NoNewPrivs")
return
} }
session := podmanTest.Podman([]string{"run", "busybox", "grep", "NoNewPrivs", "/proc/self/status"}) session := podmanTest.Podman([]string{"run", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0)) Expect(session.ExitCode()).To(Equal(0))
privs := strings.Split(cap.OutputToString(), ":")
privs := strings.Split(cap.OutputToString(), ":")
session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", "busybox", "grep", "NoNewPrivs", "/proc/self/status"}) session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0)) Expect(session.ExitCode()).To(Equal(0))
noprivs := strings.Split(cap.OutputToString(), ":")
noprivs := strings.Split(cap.OutputToString(), ":")
Expect(privs[1]).To(Not(Equal(noprivs[1]))) Expect(privs[1]).To(Not(Equal(noprivs[1])))
}) })
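Review bot: Both `privs` and `noprivs` are split from `cap.OutputToString()`, the host-side grep, so the closing assertion compares the host's own NoNewPrivs line with itself and the two container sessions' output is never inspected. Unless the rendering dropped a change on those lines, they should be `privs := strings.Split(session.OutputToString(), ":")` and `noprivs := strings.Split(session.OutputToString(), ":")` after the respective runs. This appears to predate the commit, but it is masked now because the new kernel guard Skips the test whenever IsKernelNewThan returns false, so the assertion is not exercised. The Skip on a non-zero grep exit code replacing the old Println-and-return is an improvement, since the test no longer passes vacuously on hosts where the check cannot be made.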