提交
ec2b357a
编写于
7月 10, 2020
作者:
W
wujing
提交者:
lifeng68
7月 25, 2020
Pass mount_label into the image module for processing
Signed-off-by:
N
wujing
<
wujing50@huawei.com
>
上级
18751b02
变更
5
Showing
5 changed file
with
62 addition
and
50 deletion
+62
-50
src/daemon/executor/container_cb/execution_create.c
src/daemon/executor/container_cb/execution_create.c
+50
-3
src/daemon/modules/image/image.c
src/daemon/modules/image/image.c
+2
-0
src/daemon/modules/spec/specs.c
src/daemon/modules/spec/specs.c
+3
-17
src/daemon/modules/spec/specs_security.c
src/daemon/modules/spec/specs_security.c
+6
-28
src/daemon/modules/spec/specs_security.h
src/daemon/modules/spec/specs_security.h
+1
-2
src/daemon/executor/container_cb/execution_create.c
...
...
@@ -55,6 +55,7 @@
#include "utils_string.h"
#include "utils_timestamp.h"
#include "utils_verify.h"
#include "selinux_label.h"
static
int
runtime_check
(
const
char
*
name
,
bool
*
runtime_res
)
{
...
...
@@ -855,7 +856,7 @@ static int get_basic_spec(const container_create_request *request, const char *i
}
static
int
do_image_create_container_roofs_layer
(
const
char
*
container_id
,
const
char
*
image_type
,
const
char
*
image_name
,
const
char
*
rootfs
,
const
char
*
image_name
,
const
char
*
mount_label
,
const
char
*
rootfs
,
json_map_string_string
*
storage_opt
,
char
**
real_rootfs
)
{
int
ret
=
0
;
...
...
@@ -870,6 +871,7 @@ static int do_image_create_container_roofs_layer(const char *container_id, const
request
->
container_id
=
util_strdup_s
(
container_id
);
request
->
image_name
=
util_strdup_s
(
image_name
);
request
->
image_type
=
util_strdup_s
(
image_type
);
request
->
mount_label
=
util_strdup_s
(
mount_label
);
request
->
rootfs
=
util_strdup_s
(
rootfs
);
if
(
storage_opt
!=
NULL
)
{
request
->
storage_opt
=
util_common_calloc_s
(
sizeof
(
json_map_string_string
));
...
...
@@ -895,6 +897,45 @@ out:
return
ret
;
}
static
int
pack_security_config_to_v2_spec
(
const
host_config
*
host_spec
,
container_config_v2_common_config
*
v2_spec
)
{
int
ret
=
0
;
bool
no_new_privileges
=
false
;
char
**
label_opts
=
NULL
;
size_t
label_opts_len
=
0
;
char
*
seccomp_profile
=
NULL
;
char
*
process_label
=
NULL
;
char
*
mount_label
=
NULL
;
ret
=
parse_security_opt
(
host_spec
,
&
no_new_privileges
,
&
label_opts
,
&
label_opts_len
,
&
seccomp_profile
);
if
(
ret
!=
0
)
{
ERROR
(
"Failed to parse security opt"
);
goto
out
;
}
v2_spec
->
seccomp_profile
=
seccomp_profile
;
seccomp_profile
=
NULL
;
v2_spec
->
no_new_privileges
=
no_new_privileges
;
if
(
init_label
((
const
char
**
)
label_opts
,
label_opts_len
,
&
process_label
,
&
mount_label
)
!=
0
)
{
ERROR
(
"Failed to append label"
);
ret
=
-
1
;
goto
out
;
}
v2_spec
->
mount_label
=
mount_label
;
mount_label
=
NULL
;
v2_spec
->
process_label
=
process_label
;
process_label
=
NULL
;
out:
util_free_array
(
label_opts
);
free
(
seccomp_profile
);
free
(
process_label
);
free
(
mount_label
);
return
ret
;
}
/*
* request -> host_spec + container_spec
* container_spec + image config
...
...
@@ -965,14 +1006,20 @@ int container_create_cb(const container_create_request *request, container_creat
v2_spec
->
config
=
container_spec
;
if
(
pack_security_config_to_v2_spec
(
host_spec
,
v2_spec
)
!=
0
)
{
ERROR
(
"Failed to pack security config"
);
cc
=
ISULAD_ERR_INPUT
;
goto
clean_container_root_dir
;
}
if
(
init_container_network_confs
(
id
,
runtime_root
,
host_spec
,
v2_spec
)
!=
0
)
{
ERROR
(
"Init Network files failed"
);
cc
=
ISULAD_ERR_INPUT
;
goto
clean_container_root_dir
;
}
ret
=
do_image_create_container_roofs_layer
(
id
,
image_type
,
image_name
,
request
->
rootfs
,
host_spec
->
storage_opt
,
&
real_rootfs
);
ret
=
do_image_create_container_roofs_layer
(
id
,
image_type
,
image_name
,
v2_spec
->
mount_label
,
request
->
rootfs
,
host_spec
->
storage_opt
,
&
real_rootfs
);
if
(
ret
!=
0
)
{
ERROR
(
"Can not create container %s rootfs layer"
,
id
);
cc
=
ISULAD_ERR_EXEC
;
...
...
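Review bot: pack_security_config_to_v2_spec moves three heap strings into v2_spec but carries no comment stating that ownership transfer, and the assignments at `v2_spec->seccomp_profile = seccomp_profile;`, `v2_spec->mount_label = mount_label;` and `v2_spec->process_label = process_label;` overwrite any prior value without freeing it, which is only safe if v2_spec arrives with those fields NULL (it appears to at the call site, where v2_spec has just been built, but that is inferred). A header comment such as `/* Parse the host_spec security options once and store the results in v2_spec; the seccomp_profile, process_label and mount_label strings become owned by v2_spec. Expects those fields to be NULL on entry; on error v2_spec may be partially populated. */` would capture this, the partial-population note mattering because an init_label failure returns -1 after seccomp_profile and no_new_privileges were already stored (harmless here since container_create_cb jumps to clean_container_root_dir). The do_image_create_container_roofs_layer call now depends on running after pack_security_config_to_v2_spec because it reads v2_spec->mount_label, so a one-line comment at the call site, `/* v2_spec->mount_label must already be set (pack_security_config_to_v2_spec) for the rootfs layer */`, documents the ordering. container_create_cb starts and ends outside the hunk.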
src/daemon/modules/image/image.c
...
...
@@ -452,6 +452,8 @@ void free_im_prepare_request(im_prepare_request *request)
request
->
rootfs
=
NULL
;
free
(
request
->
image_type
);
request
->
image_type
=
NULL
;
free
(
request
->
mount_label
);
request
->
mount_label
=
NULL
;
free
(
request
->
mount_label
);
request
->
mount_label
=
NULL
;
...
...
src/daemon/modules/spec/specs.c
...
...
@@ -1919,10 +1919,6 @@ static int merge_security_conf(oci_runtime_spec *oci_spec, host_config *host_spe
container_config_v2_common_config
*
v2_spec
)
{
int
ret
=
0
;
bool
no_new_privileges
=
false
;
char
**
label_opts
=
NULL
;
size_t
label_opts_len
=
0
;
char
*
seccomp_profile
=
NULL
;
ret
=
generate_security_opt
(
host_spec
);
if
(
ret
!=
0
)
{
...
...
@@ -1943,36 +1939,26 @@ static int merge_security_conf(oci_runtime_spec *oci_spec, host_config *host_spe
goto
out
;
}
ret
=
parse_security_opt
(
host_spec
,
&
no_new_privileges
,
&
label_opts
,
&
label_opts_len
,
&
seccomp_profile
);
if
(
ret
!=
0
)
{
ERROR
(
"Failed to parse security opt"
);
goto
out
;
}
// merge external parameter
ret
=
merge_seccomp
(
oci_spec
,
seccomp_profile
);
ret
=
merge_seccomp
(
oci_spec
,
v2_spec
->
seccomp_profile
);
if
(
ret
!=
0
)
{
ERROR
(
"Failed to merge user seccomp file"
);
goto
out
;
}
v2_spec
->
seccomp_profile
=
util_strdup_s
(
seccomp_profile
);
ret
=
merge_no_new_privileges
(
oci_spec
,
no_new_privileges
);
ret
=
merge_no_new_privileges
(
oci_spec
,
v2_spec
->
no_new_privileges
);
if
(
ret
!=
0
)
{
ERROR
(
"Failed to merge no new privileges"
);
goto
out
;
}
v2_spec
->
no_new_privileges
=
no_new_privileges
;
ret
=
merge_selinux
(
oci_spec
,
v2_spec
,
(
const
char
**
)
label_opts
,
label_opts_len
);
ret
=
merge_selinux
(
oci_spec
,
v2_spec
);
if
(
ret
!=
0
)
{
ERROR
(
"Failed to merge selinux config"
);
goto
out
;
}
out:
util_free_array
(
label_opts
);
free
(
seccomp_profile
);
return
ret
;
}
...
...
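Review bot: merge_security_conf now relies entirely on v2_spec->seccomp_profile, v2_spec->no_new_privileges, v2_spec->mount_label and v2_spec->process_label having been filled in earlier, but nothing at this call site records that precondition; a comment before the `merge_seccomp(oci_spec, v2_spec->seccomp_profile)` call such as `// security opts were already parsed into v2_spec at create time (pack_security_config_to_v2_spec); nothing is re-derived from host_spec here` would make the dependency visible. If merge_security_conf can ever run on a v2_spec that was not produced by that path (for example a config loaded from an older on-disk format), the seccomp profile and labels would silently be NULL instead of being re-derived from host_spec->security_opt, which is worth confirming against the callers. The `util_free_array(label_opts);` and `free(seccomp_profile);` lines at `out:` are printed only once in this rendering, so it is unclear whether they were removed together with the locals dropped in the first hunk; if they remain, the function no longer compiles. merge_security_conf's signature starts outside the hunk.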
src/daemon/modules/spec/specs_security.c
...
...
@@ -32,7 +32,6 @@
#include "isula_libutils/parse_common.h"
#include "err_msg.h"
#include "specs_extend.h"
#include "selinux_label.h"
#include "specs_api.h"
#include "constants.h"
#include "utils_array.h"
...
...
@@ -850,37 +849,16 @@ out:
return
ret
;
}
int
merge_selinux
(
oci_runtime_spec
*
oci_spec
,
container_config_v2_common_config
*
v2_spec
,
const
char
**
label_opts
,
size_t
label_opts_len
)
int
merge_selinux
(
oci_runtime_spec
*
oci_spec
,
container_config_v2_common_config
*
v2_spec
)
{
char
*
process_label
=
NULL
;
char
*
mount_label
=
NULL
;
int
ret
=
make_sure_oci_spec_process
(
oci_spec
);
if
(
ret
<
0
)
{
goto
out
;
}
if
(
init_label
(
label_opts
,
label_opts_len
,
&
process_label
,
&
mount_label
)
!=
0
)
{
ERROR
(
"Failed to append label"
);
ret
=
-
1
;
goto
out
;
}
if
(
mount_label
!=
NULL
)
{
oci_spec
->
linux
->
mount_label
=
util_strdup_s
(
mount_label
);
v2_spec
->
mount_label
=
util_strdup_s
(
mount_label
);
if
(
make_sure_oci_spec_process
(
oci_spec
)
<
0
)
{
return
-
1
;
}
if
(
process_label
!=
NULL
)
{
oci_spec
->
process
->
selinux_label
=
util_strdup_s
(
process_label
);
v2_spec
->
process_label
=
util_strdup_s
(
process_label
);
}
oci_spec
->
linux
->
mount_label
=
util_strdup_s
(
v2_spec
->
mount_label
);
oci_spec
->
process
->
selinux_label
=
util_strdup_s
(
v2_spec
->
process_label
);
out:
free
(
process_label
);
free
(
mount_label
);
return
ret
;
return
0
;
}
static
int
get_adds_cap_for_system_container
(
const
host_config
*
host_spec
,
char
***
adds
,
size_t
*
adds_len
)
...
...
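Review bot: the new merge_selinux dereferences `oci_spec->linux` unconditionally at `oci_spec->linux->mount_label = util_strdup_s(v2_spec->mount_label);`, whereas the old code only touched it inside `if (mount_label != NULL)`; make_sure_oci_spec_process guarantees only oci_spec->process, so if oci_spec->linux can still be NULL at this point this is a new NULL dereference, and the module's linux-section counterpart of that helper (or an explicit `if (oci_spec->linux == NULL) { return -1; }`) should precede the assignment. The removed guards also meant a missing label left the existing oci_spec values untouched, while the new version overwrites both fields with util_strdup_s(NULL), so behaviour now hinges on util_strdup_s returning NULL for NULL input and on those fields not having been set earlier; restoring `if (v2_spec->mount_label != NULL)` and `if (v2_spec->process_label != NULL)` around the two assignments keeps the old semantics without extra cost. Since these values end up as the OCI linux.mountLabel and process.selinuxLabel, a silently NULL mount_label means the container runs with no mount label rather than failing loudly; logging at debug level when v2_spec->mount_label is NULL would make that state visible in the daemon log.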
src/daemon/modules/spec/specs_security.h
...
...
@@ -33,7 +33,6 @@ int merge_sysctls(oci_runtime_spec *oci_spec, const json_map_string_string *sysc
int
merge_no_new_privileges
(
oci_runtime_spec
*
oci_spec
,
bool
value
);
int
adapt_settings_for_system_container
(
oci_runtime_spec
*
oci_spec
,
const
host_config
*
host_spec
);
int
merge_seccomp
(
oci_runtime_spec
*
oci_spec
,
const
char
*
seccomp_profile
);
int
merge_selinux
(
oci_runtime_spec
*
oci_spec
,
container_config_v2_common_config
*
v2_spec
,
const
char
**
label_opts
,
size_t
label_opts_len
);
int
merge_selinux
(
oci_runtime_spec
*
oci_spec
,
container_config_v2_common_config
*
v2_spec
);
#endif
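Review bot: the new merge_selinux prototype drops the label_opts parameters, so a reader of the header can no longer tell where the labels come from; a comment on the declaration, e.g. `/* Copy v2_spec->mount_label and v2_spec->process_label into oci_spec (linux.mountLabel / process.selinuxLabel). v2_spec must already hold the parsed labels; returns 0 on success, negative on failure. */`, records the new precondition. The matching prototype comment in the old header, if there was one, is not visible in this hunk.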