Skip to content

Commit

Permalink
Enable cgroupsv2 rw mount via security-opt unmask
Browse files Browse the repository at this point in the history
Signed-off-by: Jakub Guzik <[email protected]>
  • Loading branch information
jmguzik committed Feb 28, 2021
1 parent 397aae3 commit d9cb135
Show file tree
Hide file tree
Showing 2 changed files with 63 additions and 1 deletion.
28 changes: 27 additions & 1 deletion pkg/specgen/generate/oci.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@ package generate

import (
"context"
"path"
"strings"

"github.com/containers/common/pkg/config"
"github.com/containers/podman/v3/libpod"
"github.com/containers/podman/v3/libpod/define"
"github.com/containers/podman/v3/libpod/image"
"github.com/containers/podman/v3/pkg/cgroups"
"github.com/containers/podman/v3/pkg/rootless"
"github.com/containers/podman/v3/pkg/specgen"
spec "github.com/opencontainers/runtime-spec/specs-go"
Expand Down Expand Up @@ -157,8 +159,32 @@ func canMountSys(isRootless, isNewUserns bool, s *specgen.SpecGenerator) bool {
return true
}

func getCGroupPermissons(unmask []string) string {
ro := "ro"
rw := "rw"
cgroup := "/sys/fs/cgroup"

cgroupv2, _ := cgroups.IsCgroup2UnifiedMode()
if !cgroupv2 {
return ro
}

if unmask != nil && unmask[0] == "ALL" {
return rw
}

for _, p := range unmask {
if path.Clean(p) == cgroup {
return rw
}
}
return ro
}

// SpecGenToOCI returns the base configuration for the container.
func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string) (*spec.Spec, error) {
cgroupPerm := "ro"
cgroupPerm := getCGroupPermissons(s.Unmask)

g, err := generate.New("linux")
if err != nil {
return nil, err
Expand Down
36 changes: 36 additions & 0 deletions test/e2e/run_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -304,6 +304,42 @@ var _ = Describe("Podman run", func() {

})

It("podman run security-opt unmask on /sys/fs/cgroup", func() {

SkipIfCgroupV1("podman umask on /sys/fs/cgroup will fail with cgroups V1")
SkipIfRootless("/sys/fs/cgroup rw access is needed")
rwOnCGroups := "/sys/fs/cgroup cgroup2 rw"
session := podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups))

session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups))

session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup///", ALPINE, "cat", "/proc/mounts"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups))

session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", ALPINE, "cat", "/proc/mounts"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups))

session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups))

session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "ls", "/sys/fs/cgroup"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).ToNot(BeEmpty())
})

It("podman run seccomp test", func() {
session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
session.WaitWithDefaultTimeout()
Expand Down

0 comments on commit d9cb135

Please sign in to comment.