Merge pull request #10339 from rhatdan/selinux

Support automatic labeling of kube volumes
containers · May 17, 2021 · 3aa4746 · 3aa4746
2 parents 9a9118b + 4cc19f9
commit 3aa4746
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 14 deletions.
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
@@ -250,27 +250,26 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 		if !exists {
 			return nil, errors.Errorf("Volume mount %s specified for container but not configured in volumes", volume.Name)
 		}
+
+		dest, options, err := parseMountPath(volume.MountPath, volume.ReadOnly)
+		if err != nil {
+			return nil, err
+		}
+
 		switch volumeSource.Type {
 		case KubeVolumeTypeBindMount:
-			if err := parse.ValidateVolumeCtrDir(volume.MountPath); err != nil {
-				return nil, errors.Wrapf(err, "error in parsing MountPath")
-			}
 			mount := spec.Mount{
-				Destination: volume.MountPath,
+				Destination: dest,
 				Source:      volumeSource.Source,
 				Type:        "bind",
-			}
-			if volume.ReadOnly {
-				mount.Options = []string{"ro"}
+				Options:     options,
 			}
 			s.Mounts = append(s.Mounts, mount)
 		case KubeVolumeTypeNamed:
 			namedVolume := specgen.NamedVolume{
-				Dest: volume.MountPath,
-				Name: volumeSource.Source,
-			}
-			if volume.ReadOnly {
-				namedVolume.Options = []string{"ro"}
+				Dest:    dest,
+				Name:    volumeSource.Source,
+				Options: options,
 			}
 			s.Volumes = append(s.Volumes, &namedVolume)
 		default:
@@ -300,6 +299,25 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 	return s, nil
 }
 
+func parseMountPath(mountPath string, readOnly bool) (string, []string, error) {
+	options := []string{}
+	splitVol := strings.Split(mountPath, ":")
+	if len(splitVol) > 2 {
+		return "", options, errors.Errorf("%q incorrect volume format, should be ctr-dir[:option]", mountPath)
+	}
+	dest := splitVol[0]
+	if len(splitVol) > 1 {
+		options = strings.Split(splitVol[1], ",")
+	}
+	if err := parse.ValidateVolumeCtrDir(dest); err != nil {
+		return "", options, errors.Wrapf(err, "error in parsing MountPath")
+	}
+	if readOnly {
+		options = append(options, "ro")
+	}
+	return dest, options, nil
+}
+
 func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container) {
 	if containerYAML.SecurityContext == nil {
 		return

diff --git a/test/system/700-play.bats b/test/system/700-play.bats
@@ -51,18 +51,40 @@ spec:
       seLinuxOptions:
          level: "s0:c1,c2"
       readOnlyRootFilesystem: false
+    volumeMounts:
+    - mountPath: /testdir:z
+      name: home-podman-testdir
     workingDir: /
+  volumes:
+  - hostPath:
+      path: TESTDIR
+      type: Directory
+    name: home-podman-testdir
 status: {}
 "
 
+RELABEL="system_u:object_r:container_file_t:s0"
+
 @test "podman play with stdin" {
-    echo "$testYaml" > $PODMAN_TMPDIR/test.yaml
+    TESTDIR=$PODMAN_TMPDIR/testdir
+    mkdir -p $TESTDIR
+    echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
     run_podman play kube - < $PODMAN_TMPDIR/test.yaml
+    if [ -e /usr/sbin/selinuxenabled -a /usr/sbin/selinuxenabled ]; then
+       run ls -Zd $TESTDIR
+       is "$output" ${RELABEL} "selinux relabel should have happened"
+    fi
     run_podman pod rm -f test_pod
 }
 
 @test "podman play" {
-    echo "$testYaml" > $PODMAN_TMPDIR/test.yaml
+    TESTDIR=$PODMAN_TMPDIR/testdir
+    mkdir -p $TESTDIR
+    echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
     run_podman play kube $PODMAN_TMPDIR/test.yaml
+    if [ -e /usr/sbin/selinuxenabled -a /usr/sbin/selinuxenabled ]; then
+       run ls -Zd $TESTDIR
+       is "$output" ${RELABEL} "selinux relabel should have happened"
+    fi
     run_podman pod rm -f test_pod
 }