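// Create prepares the filesystem for the VFS driver and copies the directory
// for the given id under the parent.
//
// The layer directory for id is created beneath d.dir's root (parent path
// 0700, leaf 0755) owned by the remapped root UID/GID obtained from the
// driver's ID maps. When label.InitLabels succeeds, the resulting mount label
// (derived from "level:s0") is applied to the directory as its file label.
// When parent is non-empty, parent's mounted contents are copied into the
// new directory with CopyWithTar.
//
// storageOpt must be empty: the vfs driver accepts no storage options and
// rejects any entry with an error. The mountLabel argument is accepted for
// interface compatibility but is not read by this implementation; the label
// applied comes from InitLabels, not from the caller.
func (d *Driver) Create(id, parent, mountLabel string, storageOpt map[string]string) error {
	if len(storageOpt) != 0 {
		return fmt.Errorf("--storage-opt is not supported for vfs")
	}

	dir := d.dir(id)
	rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
	if err != nil {
		return err
	}
	if err := idtools.MkdirAllAs(filepath.Dir(dir), 0700, rootUID, rootGID); err != nil {
		return err
	}
	if err := idtools.MkdirAs(dir, 0755, rootUID, rootGID); err != nil {
		return err
	}

	// The label variable is named fileLabel so it does not shadow the
	// mountLabel parameter. The result of SetFileLabel is not checked, so a
	// labelling failure leaves the directory without the intended file label
	// and is not visible to the caller through the return value.
	if _, fileLabel, lerr := label.InitLabels([]string{"level:s0"}); lerr == nil {
		label.SetFileLabel(dir, fileLabel)
	}

	if parent == "" {
		return nil
	}
	parentDir, err := d.Get(parent, "")
	if err != nil {
		return fmt.Errorf("%s: %s", parent, err)
	}
	return CopyWithTar(parentDir, dir)
}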
// parseSecurityOpt applies each entry of config.SecurityOpt to container.
//
// Every option must have the form "<kind>:<value>". "label" values are
// collected and passed to label.InitLabels, whose results become the
// container's ProcessLabel and MountLabel; "apparmor" and "seccomp" store the
// value as the respective profile name. An option without a ':' separator,
// or with an unknown kind, is rejected with an error and nothing further is
// applied.
func parseSecurityOpt(container *container.Container, config *containertypes.HostConfig) error {
	var labelOpts []string

	for _, opt := range config.SecurityOpt {
		parts := strings.SplitN(opt, ":", 2)
		if len(parts) < 2 {
			return fmt.Errorf("Invalid --security-opt: %q", opt)
		}
		kind, value := parts[0], parts[1]

		switch kind {
		case "label":
			labelOpts = append(labelOpts, value)
		case "apparmor":
			container.AppArmorProfile = value
		case "seccomp":
			container.SeccompProfile = value
		default:
			return fmt.Errorf("Invalid --security-opt: %q", opt)
		}
	}

	// Labels are initialised even when no "label" option was given.
	var err error
	container.ProcessLabel, container.MountLabel, err = label.InitLabels(labelOpts)
	return err
}
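// Create prepares the filesystem for the VFS driver and copies the directory
// for the given id under the parent.
//
// The layer directory for id is created beneath d.dir's root (parent path
// 0700, leaf 0755) owned by the remapped root UID/GID obtained from the
// driver's ID maps. When label.InitLabels succeeds, the resulting mount label
// (derived from "level:s0") is applied to the directory as its file label.
// When parent is non-empty, parent's mounted contents are copied into the
// new directory with chrootarchive.CopyWithTar.
//
// The mountLabel argument is accepted for interface compatibility but is not
// read by this implementation; the label applied comes from InitLabels, not
// from the caller.
func (d *Driver) Create(id, parent, mountLabel string) error {
	dir := d.dir(id)
	rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
	if err != nil {
		return err
	}
	if err := idtools.MkdirAllAs(filepath.Dir(dir), 0700, rootUID, rootGID); err != nil {
		return err
	}
	if err := idtools.MkdirAs(dir, 0755, rootUID, rootGID); err != nil {
		return err
	}

	// The label variable is named fileLabel so it does not shadow the
	// mountLabel parameter. The result of SetFileLabel is not checked, so a
	// labelling failure leaves the directory without the intended file label
	// and is not visible to the caller through the return value.
	if _, fileLabel, lerr := label.InitLabels([]string{"level:s0"}); lerr == nil {
		label.SetFileLabel(dir, fileLabel)
	}

	if parent == "" {
		return nil
	}
	parentDir, err := d.Get(parent, "")
	if err != nil {
		return fmt.Errorf("%s: %s", parent, err)
	}
	return chrootarchive.CopyWithTar(parentDir, dir)
}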
// parseSecurityOpt translates hc.SecurityOpt into the OCI spec config.
//
// Each option is split once at '=' or, failing that, once at ':'. Because the
// '=' split is attempted first, a ':'-separated option whose value contains
// '=' is split at the '=' instead. Recognised kinds:
//
//   - "label":    collected and passed to label.InitLabels; the resulting
//                 process label is stored in config.Process.SelinuxLabel.
//   - "apparmor": stored verbatim in config.Process.ApparmorProfile.
//   - "seccomp":  "unconfined" leaves config.Linux.Seccomp untouched; any
//                 other value is parsed as a JSON specs.Seccomp profile.
//
// After the loop, a container without an explicit AppArmor profile receives
// DefaultApparmorProfile, or "unconfined" when hc.Privileged; runc rejects the
// literal "unconfined", so that value is rewritten to "". A container that
// passed no "seccomp" option and is not privileged receives
// defaultSeccompProfile. Privileged containers therefore end up with neither
// default profile.
func parseSecurityOpt(config *specs.Spec, hc *containertypes.HostConfig) error {
	var (
		labelOpts    []string
		seccompGiven bool
	)

	for _, opt := range hc.SecurityOpt {
		parts := strings.SplitN(opt, "=", 2)
		if len(parts) < 2 {
			// Fall back to the ':' separator.
			parts = strings.SplitN(opt, ":", 2)
			if len(parts) < 2 {
				return fmt.Errorf("invalid --security-opt: %q", opt)
			}
		}
		kind, value := parts[0], parts[1]

		switch kind {
		case "label":
			labelOpts = append(labelOpts, value)
		case "apparmor":
			config.Process.ApparmorProfile = value
		case "seccomp":
			seccompGiven = true
			if value == "unconfined" {
				break
			}
			profile := new(specs.Seccomp)
			if err := json.Unmarshal([]byte(value), profile); err != nil {
				return fmt.Errorf("parsing seccomp profile failed: %v", err)
			}
			config.Linux.Seccomp = profile
		default:
			return fmt.Errorf("invalid security-opt: %q", opt)
		}
	}

	// Pick an AppArmor profile only when none was given explicitly.
	switch {
	case config.Process.ApparmorProfile != "":
		// keep the user-supplied profile
	case hc.Privileged:
		config.Process.ApparmorProfile = "unconfined"
	default:
		config.Process.ApparmorProfile = DefaultApparmorProfile
	}
	// runc does not accept "unconfined"; an empty string expresses it.
	if config.Process.ApparmorProfile == "unconfined" {
		config.Process.ApparmorProfile = ""
	}

	// Default seccomp profile unless the user supplied one or the container
	// is privileged.
	if !seccompGiven && !hc.Privileged {
		config.Linux.Seccomp = &defaultSeccompProfile
	}

	var err error
	config.Process.SelinuxLabel, _, err = label.InitLabels(labelOpts)
	return err
}
// parseSecurityOpt is the Solaris variant: it rejects any security option.
//
// config.SecurityOpt is described as a list of label customisations for MLS
// systems such as SELinux, and no mapping to Trusted Extensions exists yet,
// so a non-empty list is an error. Otherwise the container's ProcessLabel
// and MountLabel are initialised from an empty option set.
func parseSecurityOpt(container *container.Container, config *containertypes.HostConfig) error {
	if len(config.SecurityOpt) > 0 {
		return errors.New("Security options are not supported on Solaris")
	}

	var err error
	container.ProcessLabel, container.MountLabel, err = label.InitLabels(nil)
	return err
}
// parseSecurityOpt applies each entry of config.SecurityOpt to container.
//
// The bare option "no-new-privileges" sets container.NoNewPrivileges. Every
// other option is split once at '=' or, when no '=' is present, once at ':'
// (the ':' form logs a deprecation warning). Because the '=' check comes
// first, a ':'-separated option whose value contains '=' is split at the '='
// instead. "label" values are collected and passed to label.InitLabels, whose
// results become the container's ProcessLabel and MountLabel; "apparmor" and
// "seccomp" store the value as the respective profile name. Options with no
// separator, or with an unknown kind, are rejected with an error.
func parseSecurityOpt(container *container.Container, config *containertypes.HostConfig) error {
	var labelOpts []string

	for _, opt := range config.SecurityOpt {
		if opt == "no-new-privileges" {
			container.NoNewPrivileges = true
			continue
		}

		var parts []string
		switch {
		case strings.Contains(opt, "="):
			parts = strings.SplitN(opt, "=", 2)
		case strings.Contains(opt, ":"):
			parts = strings.SplitN(opt, ":", 2)
			logrus.Warn("Security options with `:` as a separator are deprecated and will be completely unsupported in 1.14, use `=` instead.")
		}
		if len(parts) != 2 {
			return fmt.Errorf("invalid --security-opt 1: %q", opt)
		}
		kind, value := parts[0], parts[1]

		switch kind {
		case "label":
			labelOpts = append(labelOpts, value)
		case "apparmor":
			container.AppArmorProfile = value
		case "seccomp":
			container.SeccompProfile = value
		default:
			return fmt.Errorf("invalid --security-opt 2: %q", opt)
		}
	}

	// Labels are initialised even when no "label" option was given.
	var err error
	container.ProcessLabel, container.MountLabel, err = label.InitLabels(labelOpts)
	return err
}
// Create prepares the filesystem for the VFS driver and copies the directory
// for the given id under the parent.
//
// The layer directory for id is created beneath d.dir's root (parent path
// 0700 via system.MkdirAll, leaf 0755 via os.Mkdir). When label.InitLabels
// succeeds, the mount label derived from "level:s0" is applied to the
// directory as its file label; a SetFileLabel failure is not checked and so
// is not reported to the caller. When parent is non-empty, parent's mounted
// contents are copied into the new directory with chrootarchive.CopyWithTar.
func (d *Driver) Create(id, parent string) error {
	dir := d.dir(id)

	if err := system.MkdirAll(filepath.Dir(dir), 0700); err != nil {
		return err
	}
	if err := os.Mkdir(dir, 0755); err != nil {
		return err
	}

	if _, fileLabel, lerr := label.InitLabels([]string{"level:s0"}); lerr == nil {
		label.SetFileLabel(dir, fileLabel)
	}

	if parent == "" {
		return nil
	}
	parentDir, err := d.Get(parent, "")
	if err != nil {
		return fmt.Errorf("%s: %s", parent, err)
	}
	return chrootarchive.CopyWithTar(parentDir, dir)
}