If caller specifies label overrides, don't override security options #30652
daemon/create.go
@@ -158,7 +158,18 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) ( | |||
return container, nil | |||
} | |||
|
|||
func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMode containertypes.PidMode, privileged bool) ([]string, error) { | |||
func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig) ([]string, error) { | |||
|
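Review bot: the new `generateSecurityOpt(hostConfig *containertypes.HostConfig)` signature takes the whole host config by pointer where the old one took three values, and nothing in the visible lines documents which fields the function reads or that a caller-supplied label is meant to take precedence over the IPC/PID mode handling. A short doc comment above the function stating that precedence would help, and the body should either guard against a nil `hostConfig` or say that callers guarantee it is non-nil. The blank line directly after the signature can also go.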
nit: Remove empty line here.
Fixed
Not sure I feel comfortable reviewing this change...
ping @justincormack PTAL
If a caller specifies an SELinux type or MCS Label and still wants to share an IPC Namespace or the host namespace, we should allow them. Currently we are ignoring the label specification if ipcmod=container or pidmode=host.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Any chance we can get people to look at this? This is a serious problem with kubernetes use of docker.
Is this function really more of a
I think we could rename it to generateSELinuxLabel, or duplicateSELinuxLabel. BUT if the caller has specified an SELinux Label to use, docker should just use the label, figuring the caller knows what it wants. This is important for POD situations, where you could potentially want two containers sharing content but running with different SELinux labels. Imagine you have a daemon container, but you add another container to the pod that you want to have limited access: it cannot use the network, or it can look at the process but not examine any content. Bottom line, it gives better flexibility to the caller of the docker-engine to specify the labels that it wants.
What do you guys want me to do with this? Change the function names or allow it to go in as is?
LGTM 🐯
I guess we can go as is.
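The precedence rule argued for in this thread, as an added Go sketch that is not the PR's or Docker's own code. `HostCfg`, `callerLabels`, `labelOpts` and `peerOpts` are hypothetical names, and the derived defaults (disable labeling for host sharing, reuse the peer's label for `container:` IPC) are assumptions of the sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// HostCfg is a hypothetical, reduced stand-in for the host configuration
// fields this thread discusses.
type HostCfg struct {
	IpcMode     string   // "", "host" or "container:<name>"
	PidMode     string   // "" or "host"
	Privileged  bool
	SecurityOpt []string // caller-supplied options, e.g. "label=type:foo_t"
}

// callerLabels returns only the label options the caller passed explicitly.
func callerLabels(opts []string) []string {
	var out []string
	for _, o := range opts {
		if strings.HasPrefix(o, "label=") {
			out = append(out, o)
		}
	}
	return out
}

// labelOpts returns the label options the container ends up with.
// peerOpts is the label of the container whose IPC namespace is joined.
func labelOpts(c HostCfg, peerOpts []string) []string {
	if l := callerLabels(c.SecurityOpt); len(l) > 0 {
		return l // explicit override wins, whatever the namespace mode
	}
	switch {
	case c.Privileged || c.IpcMode == "host" || c.PidMode == "host":
		return []string{"label=disable"} // assumed default for host sharing
	case strings.HasPrefix(c.IpcMode, "container:"):
		return peerOpts // assumed default: run with the peer's label
	}
	return nil // nothing derived here
}

func main() {
	peer := []string{"label=level:s0:c1,c2"} // constructed sample values
	limited := HostCfg{IpcMode: "container:daemon",
		SecurityOpt: []string{"seccomp=unconfined", "label=type:limited_t"}}
	fmt.Println(labelOpts(limited, peer))                              // caller's label kept
	fmt.Println(labelOpts(HostCfg{IpcMode: "container:daemon"}, peer)) // peer's label reused
	fmt.Println(labelOpts(HostCfg{PidMode: "host"}, nil))              // labeling disabled
}
```

The first case is the pod scenario from the discussion: a second container joins the daemon container's IPC namespace but keeps its own, more restrictive type.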