Remove generic context and replace with fields

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
pmorie · Jun 25, 2014 · 5c86dd9 · 5c86dd9
1 parent 5210a23
commit 5c86dd9
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 12 deletions.
diff --git a/container.go b/container.go
@@ -51,12 +51,17 @@ type Config struct {
 	// placed into to limit the resources the container has available
 	Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"`
 
-	// Context is a generic key value format that allows for additional settings to be passed
-	// on the container's creation
-	// This is commonly used to specify apparmor profiles, selinux labels, and different restrictions
-	// placed on the container's processes
-	// TODO(vishh): Avoid overloading this field with params for different subsystems. Strongtype this.
-	Context map[string]string `json:"context,omitempty"`
+	// AppArmorProfile specifies the profile to apply to the process running in the container and is
+	// change at the time the process is execed
+	AppArmorProfile string `json:"apparmor_profile,omitempty"`
+
+	// ProcessLabel specifies the label to apply to the process running in the container.  It is
+	// commonly used by selinux
+	ProcessLabel string `json:"process_label,omitempty"`
+
+	// RestrictSys will remount /proc/sys, /sys, and mask over sysrq-trigger as well as /proc/irq and
+	// /proc/bus
+	RestrictSys bool `json:"restrict_sys,omitempty"`
 }
 
 // Routes can be specified to create entries in the route table as the container is started

diff --git a/namespaces/execin.go b/namespaces/execin.go
@@ -41,8 +41,8 @@ func NsEnter(container *libcontainer.Config, nspid int, args []string) error {
 		return err
 	}
 
-	if process_label, ok := container.Context["process_label"]; ok {
-		if err := label.SetProcessLabel(process_label); err != nil {
+	if container.ProcessLabel != "" {
+		if err := label.SetProcessLabel(container.ProcessLabel); err != nil {
 			return err
 		}
 	}

diff --git a/namespaces/init.go b/namespaces/init.go
@@ -74,6 +74,7 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
 		(*mount.MountConfig)(container.MountConfig)); err != nil {
 		return fmt.Errorf("setup mount namespace %s", err)
 	}
+
 	if container.Hostname != "" {
 		if err := system.Sethostname(container.Hostname); err != nil {
 			return fmt.Errorf("sethostname %s", err)
@@ -82,13 +83,16 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
 
 	runtime.LockOSThread()
 
-	if err := apparmor.ApplyProfile(container.Context["apparmor_profile"]); err != nil {
-		return fmt.Errorf("set apparmor profile %s: %s", container.Context["apparmor_profile"], err)
+	if err := apparmor.ApplyProfile(container.AppArmorProfile); err != nil {
+		return fmt.Errorf("set apparmor profile %s: %s", container.AppArmorProfile, err)
 	}
-	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
+
+	if err := label.SetProcessLabel(container.ProcessLabel); err != nil {
 		return fmt.Errorf("set process label %s", err)
 	}
-	if container.Context["restrictions"] != "" {
+
+	// TODO: (crosbymichael) make this configurable at the Config level
+	if container.RestrictSys {
 		if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus", "sys"); err != nil {
 			return err
 		}