diff --git a/pkg/validate/security_context.go b/pkg/validate/security_context.go
index 14e7c66cf5..0f7d5fa738 100644
--- a/pkg/validate/security_context.go
+++ b/pkg/validate/security_context.go
@@ -421,7 +421,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
 podID, podConfig = createPrivilegedPodSandbox(rc, isPrivileged)
 By("create container for security context Privileged is true")
- containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-isPrivileged-test-", isPrivileged)
+ containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-isPrivileged-test-", isPrivileged, framework.DefaultContainerImage, []string{"top"})
 By("start container")
 startContainer(rc, containerID)
@@ -439,7 +439,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
 podID, podConfig = createPrivilegedPodSandbox(rc, notPrivileged)
 By("create container for security context Privileged is true")
- containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-notPrivileged-test-", notPrivileged)
+ containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-notPrivileged-test-", notPrivileged, framework.DefaultContainerImage, []string{"top"})
 By("start container")
 startContainer(rc, containerID)
@@ -451,6 +451,24 @@ var _ = framework.KubeDescribe("Security Context", func() {
 checkNetworkManagement(rc, containerID, notPrivileged)
 })
+ It("selinux mount label should persist when container is privileged", func() {
+ By("create pod")
+ privileged := true
+ podID, podConfig = createPrivilegedPodSandbox(rc, privileged)
+
+ By("create container for security context Privileged is true")
+ containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-isPrivileged-mount-and-process-label-test-", privileged, "fedora:latest", []string{"sleep", "1000"})
+
+ By("start container")
+ startContainer(rc, containerID)
+ Eventually(func() runtimeapi.ContainerState {
+ return getContainerStatus(rc, containerID).State
+ }, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING))
+
+ By("check the Privileged container")
+ checkMountAndProcessLabels(rc, containerID, privileged)
+ })
+
 It("runtime should support setting Capability", func() {
 By("create pod")
 podID, podConfig = framework.CreatePodSandboxForContainer(rc)
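Review bot: The image `"fedora:latest"` passed on the createPrivilegedContainer line is a mutable tag resolved at test time, so what the test runs depends on whatever the registry serves that day and is not reproducible; the other tests in this file take their image from `framework.DefaultContainerImage`, and this one should likewise use a framework-level constant pinned to a digest (`fedora@sha256:<digest-placeholder>`) rather than an inline tag. The new It block also asserts SELinux labels unconditionally, so on a host without SELinux enforcement, or a runtime not configured for it, the case fails rather than skips; if the framework exposes a way to detect that, gating the case on it would keep the suite meaningful elsewhere. The `By("create container for security context Privileged is true")` step text is copied from the earlier case and no longer describes this one; `By("create privileged container with an SELinux-labelled image")` would match. The enclosing Describe block starts and ends outside the hunk.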
@@ -891,13 +909,13 @@ func createPrivilegedPodSandbox(rc internalapi.RuntimeService, privileged bool)
 }
 // createPrivilegedContainer creates container with specified Privileged in ContainerConfig.
-func createPrivilegedContainer(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, podID string, podConfig *runtimeapi.PodSandboxConfig, prefix string, privileged bool) string {
+func createPrivilegedContainer(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, podID string, podConfig *runtimeapi.PodSandboxConfig, prefix string, privileged bool, image string, cmd []string) string {
 By("create Privileged container")
 containerName := prefix + framework.NewUUID()
 containerConfig := &runtimeapi.ContainerConfig{
 Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
- Image: &runtimeapi.ImageSpec{Image: framework.DefaultContainerImage},
- Command: []string{"top"},
+ Image: &runtimeapi.ImageSpec{Image: image},
+ Command: cmd,
 Linux: &runtimeapi.LinuxContainerConfig{
 SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
 Privileged: privileged,
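Review bot: The doc comment above the changed signature still reads `// createPrivilegedContainer creates container with specified Privileged in ContainerConfig.` and says nothing about the two new parameters, so a caller reading it cannot tell that `image` and `cmd` replace the former built-in defaults. Update it to `// createPrivilegedContainer creates a container whose ContainerConfig uses the given image and command and the given Privileged setting; callers wanting the previous defaults pass framework.DefaultContainerImage and []string{"top"}.` The `cmd` slice is stored in the config as-is rather than copied; the visible callers pass literals, so that is fine today, but worth a note if a caller ever reuses the slice. The function body continues past the end of the hunk.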
@@ -1133,3 +1151,24 @@ func checkSetHostname(rc internalapi.RuntimeService, containerID string, setable
 Expect(err).To(HaveOccurred(), msg)
 }
 }
+
+func checkMountAndProcessLabels(rc internalapi.RuntimeService, containerID string, privileged bool) {
+ // Check that the mount label is set for privileged containers
+ cmd := []string{"ls", "-lZ", "bin"}
+ stdout, stderr, err := rc.ExecSync(containerID, cmd, time.Duration(defaultExecSyncTimeout)*time.Second)
+ msg := fmt.Sprintf("cmd %v, stdout %q, stderr %q", cmd, stdout, stderr)
+ Expect(err).NotTo(HaveOccurred(), msg)
+ Expect(string(stdout)).To(ContainSubstring("object_r:container_file_t"))
+
+ // Check that the correct process label is set for privileged and unprivileged containers
+ cmd = []string{"cat", "/proc/self/attr/current"}
+ stdout, stderr, err = rc.ExecSync(containerID, cmd, time.Duration(defaultExecSyncTimeout)*time.Second)
+ msg = fmt.Sprintf("cmd %v, stdout %q, stderr %q", cmd, stdout, stderr)
+ Expect(err).NotTo(HaveOccurred(), msg)
+
+ if privileged {
+ Expect(string(stdout)).To(ContainSubstring("system_r:spc_t"))
+ } else {
+ Expect(string(stdout)).To(Not(ContainSubstring("system_r:spc_t")))
+ }
+}
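Review bot: The first ExecSync lists `bin` as a path relative to the exec'd process's working directory, so the assertion depends on the image's WORKDIR being `/`; if it is anything else the command fails or lists an unrelated directory and the test reports a label failure it did not actually measure. Use an absolute path, `cmd := []string{"ls", "-lZ", "/bin"}`, so the mount-label check targets the image root regardless of WORKDIR. The `else` branch asserting that an unprivileged container does not run as `system_r:spc_t` is the more security-relevant half of this helper, but the only caller added in this commit passes `privileged = true`, so that branch is never executed; either add a `privileged := false` case to the It block or note in the comment that it is currently unexercised. The helper also has no doc comment; `// checkMountAndProcessLabels execs into the container and asserts that its filesystem carries the container_file_t mount label and that the exec'd process runs as spc_t when privileged (and not when unprivileged); it assumes the exec process receives the same SELinux label as the container's main process.` would state the contract and the assumption, and the first `Expect(string(stdout))` should carry `msg` like the others so a label mismatch shows the raw output.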