feature: selinux for cri manager #1092
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
YaoZengzeng
force-pushed
the
selinux
branch
4 times, most recently
from
52b378a to
c97f1b9
Compare
YaoZengzeng
changed the title
Codecov Report
@@ Coverage Diff @@
## master #1092 +/- ##
==========================================
- Coverage 15.8% 15.48% -0.32%
==========================================
Files 163 161 -2
Lines 8793 8800 +7
==========================================
- Hits 1390 1363 -27
- Misses 7300 7334 +34
Partials 103 103
|
|
@allencloud PTAL |
allencloud
reviewed
Apr 11, 2018
| meta.AppArmorProfile = value | ||
| case "seccomp": | ||
| meta.SeccompProfile = value | ||
| case "no-new-privileges": |
There was a problem hiding this comment.
prevent processes in container to gain new privileges via the --security-opt=no-new-privileges flag
just attach a record which may do us a favour.
allencloud
reviewed
Apr 12, 2018
daemon/mgr/container_utils.go
Outdated
| case "label": | ||
| labelOpts = append(labelOpts, value) | ||
| default: | ||
| return fmt.Errorf("invalid type %s in --security-opt %s: unknown type from apparmor and seccomp", key, securityOpt) |
There was a problem hiding this comment.
With the code change, I do not think this line is correct any longer.
unknown type from apparmor and seccomp
except apparmor and seccomp, it seems that we should add no-new-privileges and label. Right? @YaoZengzeng
allencloud
reviewed
Apr 12, 2018
daemon/mgr/container_utils.go
Outdated
| meta.SeccompProfile = value | ||
| case "no-new-privileges": | ||
| noNewPrivileges, err := strconv.ParseBool(value) | ||
| if labelOpts != nil { |
There was a problem hiding this comment.
We can judge if labelOpts == nil first to make return fast to simplify code and reduce ident.
if labelOpts == nil {
return nil
}
meta.ProcessLabel, meta.MountLabel, err = label.InitLabels(labelOpts)
if err != nil{
return fmt.Errorf("failed to init labels: %v", err)
}
return nil
Signed-off-by: YaoZengzeng <yaozengzeng@zju.edu.cn>
|
@allencloud Updated. |
|
LGTM |
pouchrobot
added
the
LGTM
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: YaoZengzeng yaozengzeng@zju.edu.cn
Ⅰ. Describe what this PR did
Ⅱ. Does this pull request fix one issue?
Ⅲ. Describe how you did it
With this PR, we could enable one of the security context --- SELinux, if it's configured in CRI.
Ⅳ. Describe how to verify it
Ⅴ. Special notes for reviews