
selinux: Disable selinux
Until SELinux support is implemented, disable it by not passing
SELinux labels (the process label) through to the agent in the container spec.

Fixes #2442

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
amshinde committed Feb 7, 2020
1 parent a91cb13 commit 055f317
Showing 2 changed files with 14 additions and 3 deletions.
10 changes: 8 additions & 2 deletions virtcontainers/kata_agent.go
Expand Up @@ -1007,7 +1007,7 @@ func (k *kataAgent) replaceOCIMountsForStorages(spec *specs.Spec, volumeStorages
return nil
}

func constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
func (k *kataAgent) constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
// Disable Hooks since they have been handled on the host and there is
// no reason to send them to the agent. It would make no sense to try
// to apply them on the guest.
Expand All @@ -1019,6 +1019,12 @@ func constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
grpcSpec.Linux.Seccomp = nil
}

// Disable selinux
if grpcSpec.Process.SelinuxLabel != "" {
k.Logger().Warn("Selinux label specified in config, but not supported in Kata yet, running container without selinux")
grpcSpec.Process.SelinuxLabel = ""
}

// By now only CPU constraints are supported
// Issue: https://github.com/kata-containers/runtime/issues/158
// Issue: https://github.com/kata-containers/runtime/issues/204
Expand Down Expand Up @@ -1312,7 +1318,7 @@ func (k *kataAgent) createContainer(sandbox *Sandbox, c *Container) (p *Process,

// We need to constraint the spec to make sure we're not passing
// irrelevant information to the agent.
constraintGRPCSpec(grpcSpec, passSeccomp)
k.constraintGRPCSpec(grpcSpec, passSeccomp)

k.handleShm(grpcSpec, sandbox)

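Review bot: The new check `if grpcSpec.Process.SelinuxLabel != ""` dereferences `grpcSpec.Process` with no nil guard, so a spec that reaches constraintGRPCSpec without a Process would panic here; write it as `if grpcSpec.Process != nil && grpcSpec.Process.SelinuxLabel != ""`. From a security standpoint, clearing the label and continuing means a workload that asked for SELinux confinement (for example via Kubernetes seLinuxOptions) runs unconfined in the guest with only a host-side Warn log, so the discarded value should at least be recorded, e.g. `k.Logger().WithField("label", grpcSpec.Process.SelinuxLabel).Warn("SELinux label requested but not supported by Kata yet; running container without SELinux")`, and a fail-closed knob in the runtime config is worth considering so operators can refuse rather than silently downgrade. If the agent's Linux message also carries a mount label, it should presumably be cleared in the same place for consistency — confirm against the protocol definition. constraintGRPCSpec starts at the top of this section but its body continues past the hunk.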
7 changes: 6 additions & 1 deletion virtcontainers/kata_agent_test.go
Expand Up @@ -487,9 +487,13 @@ func TestConstraintGRPCSpec(t *testing.T) {
},
CgroupsPath: "system.slice:foo:bar",
},
Process: &pb.Process{
SelinuxLabel: "foo",
},
}

constraintGRPCSpec(g, true)
k := kataAgent{}
k.constraintGRPCSpec(g, true)

// check nil fields
assert.Nil(g.Hooks)
Expand All @@ -501,6 +505,7 @@ func TestConstraintGRPCSpec(t *testing.T) {
assert.Nil(g.Linux.Resources.HugepageLimits)
assert.Nil(g.Linux.Resources.Network)
assert.NotNil(g.Linux.Resources.CPU)
assert.Equal(g.Process.SelinuxLabel, "")

// check namespaces
assert.Len(g.Linux.Namespaces, 1)
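Review bot: The new assertion `assert.Equal(g.Process.SelinuxLabel, "")` only exercises the label-present path; there is no case for a spec whose Process is nil, which the new constraintGRPCSpec dereferences unconditionally, nor for a spec with an empty label where the warning path must not fire. A second call on a fixture such as `&pb.Spec{Process: nil, Linux: ...}` would pin that behavior instead of leaving it to a runtime panic. Also, testify's Equal takes the expected value first, so `assert.Equal("", g.Process.SelinuxLabel)` gives correctly labelled failure output. TestConstraintGRPCSpec begins before this hunk and continues after it.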