From 00524d15ca68eb3233e613e7eeadb51ffb717ec1 Mon Sep 17 00:00:00 2001 From: Mike Brown Date: Wed, 20 Sep 2017 10:09:54 -0500 Subject: [PATCH 1/2] respond to comments on #137 Signed-off-by: Mike Brown --- pkg/validate/security_context.go | 150 +++++++++++++++---------------- 1 file changed, 70 insertions(+), 80 deletions(-) diff --git a/pkg/validate/security_context.go b/pkg/validate/security_context.go index b30be617b7..62e37d1c4e 100644 --- a/pkg/validate/security_context.go +++ b/pkg/validate/security_context.go @@ -27,7 +27,6 @@ import ( "strings" "time" - "github.com/golang/glog" "github.com/kubernetes-incubator/cri-tools/pkg/framework" internalapi "k8s.io/kubernetes/pkg/kubelet/apis/cri" runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime" @@ -39,26 +38,6 @@ import ( const ( nginxContainerImage string = "nginx" localhost string = "localhost/" - // profile which denies sethostname syscall - seccompBlockHostNameProfile = `{ - "defaultAction": "SCMP_ACT_ALLOW", - "syscalls": [ - { - "name": "sethostname", - "action": "SCMP_ACT_ERRNO" - } - ] -}` - // profile which denies chmod syscall - seccompBlockChmodProfile = `{ - "defaultAction": "SCMP_ACT_ALLOW", - "syscalls": [ - { - "name": "chmod", - "action": "SCMP_ACT_ERRNO" - } - ] -}` ) var _ = framework.KubeDescribe("Security Context", func() { @@ -427,6 +406,28 @@ var _ = framework.KubeDescribe("Security Context", func() { }) Context("SeccompProfilePath", func() { + const ( + // profile which denies sethostname syscall + seccompBlockHostNameProfile = `{ + "defaultAction": "SCMP_ACT_ALLOW", + "syscalls": [ + { + "name": "sethostname", + "action": "SCMP_ACT_ERRNO" + } + ] +}` + // profile which denies chmod syscall + seccompBlockChmodProfile = `{ + "defaultAction": "SCMP_ACT_ALLOW", + "syscalls": [ + { + "name": "chmod", + "action": "SCMP_ACT_ERRNO" + } + ] +}` + ) var podID, profileDir, blockHostNameProfilePath, blockchmodProfilePath string var podConfig *runtimeapi.PodSandboxConfig var err error @@ -435,17 +436,17 @@ var _ = framework.KubeDescribe("Security Context", func() { BeforeEach(func() { profileDir, err = createSeccompProfileDir() if err != nil { - glog.Errorf("Failed creating seccomp profile directory: %v", err) + Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Failed creating seccomp profile directory: %v", err)) return } blockHostNameProfilePath, err = createSeccompProfile(seccompBlockHostNameProfile, "block-host-name.json", profileDir) if err != nil { - glog.Errorf("Failed creating seccomp block hostname profile: %v", err) + Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Failed creating seccomp block hostname profile: %v", err)) return } blockchmodProfilePath, err = createSeccompProfile(seccompBlockChmodProfile, "block-chmod.json", profileDir) if err != nil { - glog.Errorf("Failed creating seccomp block chmod profile: %v", err) + Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Failed creating seccomp block chmod profile: %v", err)) return } }) @@ -471,17 +472,6 @@ var _ = framework.KubeDescribe("Security Context", func() { verifySeccomp(rc, containerID, []string{"grep", "ecc", "/proc/self/status"}, false, "0") // seccomp disabled }) - It("should support seccomp docker/default on the container", func() { - var containerID string - seccompProfile := "docker/default" - - By("create seccomp sandbox and container") - podID, containerID = seccompTestContainer(rc, ic, seccompProfile) - - By("verify seccomp profile") - verifySeccomp(rc, containerID, []string{"grep", "ecc", "/proc/self/status"}, false, "2") // seccomp filtered - }) - It("should support seccomp localhost/profile on the container", func() { var containerID string @@ -546,55 +536,12 @@ var _ = framework.KubeDescribe("Security Context", func() { checkSetHostname(rc, containerID, true) }) - It("runtime should block setting hostname with no seccomp profile specified", func() { - By("create pod") - podID, podConfig = framework.CreatePodSandboxForContainer(rc) - By("create container without seccomp profile and test") - containerID := framework.CreateDefaultContainer(rc, ic, podID, podConfig, - "container-with-no-seccomp-profile-test-") - startContainer(rc, containerID) - Eventually(func() runtimeapi.ContainerState { - return getContainerStatus(rc, containerID).State - }, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING)) - checkSetHostname(rc, containerID, false) - }) - - It("runtime should support setting hostname with docker/default seccomp profile and sysCaps", func() { - privileged := false - expectContainerCreateToPass := true - By("create pod") - podID, podConfig = framework.CreatePodSandboxForContainer(rc) - By("create container with docker/default seccomp profile and test") - containerID := createSeccompContainer(rc, ic, podID, podConfig, - "container-with-dockerdefault-seccomp-profile-test-", "docker/default", sysCaps, privileged, expectContainerCreateToPass) - startContainer(rc, containerID) - Eventually(func() runtimeapi.ContainerState { - return getContainerStatus(rc, containerID).State - }, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING)) - checkSetHostname(rc, containerID, true) - }) - - It("runtime should block sethostname with docker/default seccomp profile and no sysCaps", func() { - privileged := false - expectContainerCreateToPass := true - By("create pod") - podID, podConfig = framework.CreatePodSandboxForContainer(rc) - By("create container with docker/default seccomp profile and test") - containerID := createSeccompContainer(rc, ic, podID, podConfig, - "container-with-dockerdefault-seccomp-profile-test-", "docker/default", nil, privileged, expectContainerCreateToPass) - startContainer(rc, containerID) - Eventually(func() runtimeapi.ContainerState { - return getContainerStatus(rc, containerID).State - }, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING)) - checkSetHostname(rc, containerID, false) - }) - It("runtime should block sethostname with unconfined seccomp profile and no sysCaps", func() { privileged := false expectContainerCreateToPass := true By("create pod") podID, podConfig = framework.CreatePodSandboxForContainer(rc) - By("create container with runtime/default seccomp profile and test") + By("create container with unconfined seccomp profile and test") containerID := createSeccompContainer(rc, ic, podID, podConfig, "container-with-runtimedefault-seccomp-profile-test-", "unconfined", nil, privileged, expectContainerCreateToPass) startContainer(rc, containerID) @@ -609,7 +556,7 @@ var _ = framework.KubeDescribe("Security Context", func() { expectContainerCreateToPass := true By("create pod") podID, podConfig = framework.CreatePodSandboxForContainer(rc) - By("create container with runtime/default seccomp profile and test") + By("create container with nil seccomp profile and test") containerID := createSeccompContainer(rc, ic, podID, podConfig, "container-with-runtimedefault-seccomp-profile-test-", "", nil, privileged, expectContainerCreateToPass) startContainer(rc, containerID) @@ -618,6 +565,49 @@ var _ = framework.KubeDescribe("Security Context", func() { }, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING)) checkSetHostname(rc, containerID, false) }) + + Context("docker/default", func() { + It("should support seccomp docker/default on the container", func() { + var containerID string + seccompProfile := "docker/default" + + By("create seccomp sandbox and container") + podID, containerID = seccompTestContainer(rc, ic, seccompProfile) + + By("verify seccomp profile") + verifySeccomp(rc, containerID, []string{"grep", "ecc", "/proc/self/status"}, false, "2") // seccomp filtered + }) + + It("runtime should support setting hostname with docker/default seccomp profile and sysCaps", func() { + privileged := false + expectContainerCreateToPass := true + By("create pod") + podID, podConfig = framework.CreatePodSandboxForContainer(rc) + By("create container with docker/default seccomp profile and test") + containerID := createSeccompContainer(rc, ic, podID, podConfig, + "container-with-dockerdefault-seccomp-profile-test-", "docker/default", sysCaps, privileged, expectContainerCreateToPass) + startContainer(rc, containerID) + Eventually(func() runtimeapi.ContainerState { + return getContainerStatus(rc, containerID).State + }, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING)) + checkSetHostname(rc, containerID, true) + }) + + It("runtime should block sethostname with docker/default seccomp profile and no sysCaps", func() { + privileged := false + expectContainerCreateToPass := true + By("create pod") + podID, podConfig = framework.CreatePodSandboxForContainer(rc) + By("create container with docker/default seccomp profile and test") + containerID := createSeccompContainer(rc, ic, podID, podConfig, + "container-with-dockerdefault-seccomp-profile-test-", "docker/default", nil, privileged, expectContainerCreateToPass) + startContainer(rc, containerID) + Eventually(func() runtimeapi.ContainerState { + return getContainerStatus(rc, containerID).State + }, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING)) + checkSetHostname(rc, containerID, false) + }) + }) }) }) From 6a276b2201341e343ad30a9c8bbe7ae80947163f Mon Sep 17 00:00:00 2001 From: Mike Brown Date: Wed, 20 Sep 2017 12:48:16 -0500 Subject: [PATCH 2/2] oci runtime spec only supports names, not name and names Signed-off-by: Mike Brown --- pkg/validate/security_context.go | 34 ++------------------------------ 1 file changed, 2 insertions(+), 32 deletions(-) diff --git a/pkg/validate/security_context.go b/pkg/validate/security_context.go index 62e37d1c4e..9a0f24a074 100644 --- a/pkg/validate/security_context.go +++ b/pkg/validate/security_context.go @@ -412,7 +412,7 @@ var _ = framework.KubeDescribe("Security Context", func() { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { - "name": "sethostname", + "names": ["sethostname"], "action": "SCMP_ACT_ERRNO" } ] @@ -422,7 +422,7 @@ var _ = framework.KubeDescribe("Security Context", func() { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { - "name": "chmod", + "names": ["chmod"], "action": "SCMP_ACT_ERRNO" } ] @@ -536,36 +536,6 @@ var _ = framework.KubeDescribe("Security Context", func() { checkSetHostname(rc, containerID, true) }) - It("runtime should block sethostname with unconfined seccomp profile and no sysCaps", func() { - privileged := false - expectContainerCreateToPass := true - By("create pod") - podID, podConfig = framework.CreatePodSandboxForContainer(rc) - By("create container with unconfined seccomp profile and test") - containerID := createSeccompContainer(rc, ic, podID, podConfig, - "container-with-runtimedefault-seccomp-profile-test-", "unconfined", nil, privileged, expectContainerCreateToPass) - startContainer(rc, containerID) - Eventually(func() runtimeapi.ContainerState { - return getContainerStatus(rc, containerID).State - }, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING)) - checkSetHostname(rc, containerID, false) - }) - - It("runtime should block sethostname with nil seccomp profile and no sysCaps", func() { - privileged := false - expectContainerCreateToPass := true - By("create pod") - podID, podConfig = framework.CreatePodSandboxForContainer(rc) - By("create container with nil seccomp profile and test") - containerID := createSeccompContainer(rc, ic, podID, podConfig, - "container-with-runtimedefault-seccomp-profile-test-", "", nil, privileged, expectContainerCreateToPass) - startContainer(rc, containerID) - Eventually(func() runtimeapi.ContainerState { - return getContainerStatus(rc, containerID).State - }, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING)) - checkSetHostname(rc, containerID, false) - }) - Context("docker/default", func() { It("should support seccomp docker/default on the container", func() { var containerID string