opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-23 02:18:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #18795 from rhatdan/quadlet

Browse Source 
Add support for SecurityLabelNested flag in quadlet
This commit is contained in:
OpenShift Merge Robot
2023-06-07 07:16:09 -04:00
committed by GitHub
parent 15fc6ec729 3b79f241b1
commit dd753c6f9a
5 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/source/markdown/podman-systemd.unit.5.md
View File

@ -128,6 +128,7 @@ Valid options for `[Container]` are listed below:
| SecurityLabelDisable=true | --security-opt label=disable | | SecurityLabelDisable=true | --security-opt label=disable |
| SecurityLabelFileType=usr_t | --security-opt label=filetype:usr_t | | SecurityLabelFileType=usr_t | --security-opt label=filetype:usr_t |
| SecurityLabelLevel=s0:c1,c2 | --security-opt label=level:s0:c1,c2 | | SecurityLabelLevel=s0:c1,c2 | --security-opt label=level:s0:c1,c2 |
| SecurityLabelNested=true | --security-opt label=nested |
| SecurityLabelType=spc_t | --security-opt label=type:spc_t | | SecurityLabelType=spc_t | --security-opt label=type:spc_t |
| Timezone=local | --tz local | | Timezone=local | --tz local |
| Tmpfs=/work | --tmpfs /work | | Tmpfs=/work | --tmpfs /work |
@ -424,6 +425,10 @@ Set the label file type for the container files.
Set the label process level for the container processes. Set the label process level for the container processes.
### `SecurityLabelNested=`
Allow SecurityLabels to function within the container. This allows separation of containers created within the container.
### `SecurityLabelType=` ### `SecurityLabelType=`
Set the label process type for the container processes. Set the label process type for the container processes.

7
pkg/systemd/quadlet/quadlet.go
View File

@ -93,6 +93,7 @@ const (
KeySecurityLabelDisable = "SecurityLabelDisable" KeySecurityLabelDisable = "SecurityLabelDisable"
KeySecurityLabelFileType = "SecurityLabelFileType" KeySecurityLabelFileType = "SecurityLabelFileType"
KeySecurityLabelLevel = "SecurityLabelLevel" KeySecurityLabelLevel = "SecurityLabelLevel"
KeySecurityLabelNested = "SecurityLabelNested"
KeySecurityLabelType = "SecurityLabelType" KeySecurityLabelType = "SecurityLabelType"
KeySecret = "Secret" KeySecret = "Secret"
KeyTimezone = "Timezone" KeyTimezone = "Timezone"
@ -156,6 +157,7 @@ var (
KeySecurityLabelDisable: true, KeySecurityLabelDisable: true,
KeySecurityLabelFileType: true, KeySecurityLabelFileType: true,
KeySecurityLabelLevel: true, KeySecurityLabelLevel: true,
KeySecurityLabelNested: true,
KeySecurityLabelType: true, KeySecurityLabelType: true,
KeySecret: true, KeySecret: true,
KeyTmpfs: true, KeyTmpfs: true,
@ -414,6 +416,11 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
podman.add("--security-opt", "label:disable") podman.add("--security-opt", "label:disable")
} }
securityLabelNested := container.LookupBooleanWithDefault(ContainerGroup, KeySecurityLabelNested, false)
if securityLabelNested {
podman.add("--security-opt", "label:nested")
}
securityLabelType, _ := container.Lookup(ContainerGroup, KeySecurityLabelType) securityLabelType, _ := container.Lookup(ContainerGroup, KeySecurityLabelType)
if len(securityLabelType) > 0 { if len(securityLabelType) > 0 {
podman.add("--security-opt", fmt.Sprintf("label=type:%s", securityLabelType)) podman.add("--security-opt", fmt.Sprintf("label=type:%s", securityLabelType))

1
test/e2e/quadlet/disableselinux.container
View File

@ -1,3 +1,4 @@
## assert-podman-final-args localhost/imagename
## assert-podman-args "--security-opt" "label:disable" ## assert-podman-args "--security-opt" "label:disable"
[Container] [Container]

5
test/e2e/quadlet/nestedselinux.container Normal file
View File

@ -0,0 +1,5 @@
## assert-podman-args "--security-opt" "label:nested"
[Container]
Image=localhost/imagename
SecurityLabelNested=true

1
test/e2e/quadlet_test.go
View File

@ -537,6 +537,7 @@ var _ = Describe("quadlet system generator", func() {
Entry("capabilities.container", "capabilities.container"), Entry("capabilities.container", "capabilities.container"),
Entry("capabilities2.container", "capabilities2.container"), Entry("capabilities2.container", "capabilities2.container"),
Entry("disableselinux.container", "disableselinux.container"), Entry("disableselinux.container", "disableselinux.container"),
Entry("nestedselinux.container", "nestedselinux.container"),
Entry("devices.container", "devices.container"), Entry("devices.container", "devices.container"),
Entry("env.container", "env.container"), Entry("env.container", "env.container"),
Entry("escapes.container", "escapes.container"), Entry("escapes.container", "escapes.container"),