If a caller specifies an SELinux type or MCS label and still wants to
share an IPC namespace or the host namespace, we should allow them.
Currently we ignore the label specification if ipcmode=container
or pidmode=host.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
... | ... |
@@ -156,7 +156,17 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) ( |
156 | 156 |
return container, nil |
157 | 157 |
} |
158 | 158 |
|
159 |
-func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMode containertypes.PidMode, privileged bool) ([]string, error) { |
|
159 |
+func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig) ([]string, error) { |
|
160 |
+ for _, opt := range hostConfig.SecurityOpt { |
|
161 |
+ con := strings.Split(opt, "=") |
|
162 |
+ if con[0] == "label" { |
|
163 |
+ // Caller overrode SecurityOpts |
|
164 |
+ return nil, nil |
|
165 |
+ } |
|
166 |
+ } |
|
167 |
+ ipcMode := hostConfig.IpcMode |
|
168 |
+ pidMode := hostConfig.PidMode |
|
169 |
+ privileged := hostConfig.Privileged |
|
160 | 170 |
if ipcMode.IsHost() || pidMode.IsHost() || privileged { |
161 | 171 |
return label.DisableSecOpt(), nil |
162 | 172 |
} |
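Review bot: The `con := strings.Split(opt, "=")` / `con[0] == "label"` pair at lines 161-162 only ever looks at the first element, so `strings.HasPrefix(opt, "label=")` (or `strings.SplitN(opt, "=", 2)`) states the intent more directly and avoids allocating the full split; as written, a bare `label` with no `=` also takes this branch, which is presumably harmless but worth being deliberate about. The early `return nil, nil` is the security-relevant part: it skips not only the generated label but also the `label.DisableSecOpt()` path for host IPC/PID and privileged containers, so the caller's own label options stay in force in exactly those cases, and the comment at line 163 should say so, e.g. `// Caller supplied an explicit label option; honor it as-is and skip the generated label, including the host-namespace/privileged disable below.` If the legacy colon-separated `label:...` form is still accepted anywhere upstream of this function, it would not match here — worth confirming. generateSecurityOpt's body continues past the end of this hunk.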
... | ... |
@@ -274,7 +274,7 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf |
274 | 274 |
} |
275 | 275 |
} |
276 | 276 |
var err error |
277 |
- opts, err := daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode, hostConfig.Privileged) |
|
277 |
+ opts, err := daemon.generateSecurityOpt(hostConfig) |
|
278 | 278 |
if err != nil { |
279 | 279 |
return err |
280 | 280 |
} |