diff options
Diffstat (limited to 'runsc/sandbox')
-rw-r--r-- | runsc/sandbox/sandbox.go | 19 | ||||
-rw-r--r-- | runsc/sandbox/sandbox_test.go | 22 |
2 files changed, 41 insertions, 0 deletions
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go index 0354a64b9..2a5eda6ae 100644 --- a/runsc/sandbox/sandbox.go +++ b/runsc/sandbox/sandbox.go @@ -53,6 +53,22 @@ func validateID(id string) error { return nil } +func validateSpec(spec *specs.Spec) error { + if spec.Process.SelinuxLabel != "" { + return fmt.Errorf("SELinux is not supported: %s", spec.Process.SelinuxLabel) + } + + // Docker uses AppArmor by default, so just log that it's being ignored. + if spec.Process.ApparmorProfile != "" { + log.Warningf("AppArmor profile %q is being ignored", spec.Process.ApparmorProfile) + } + // TODO: Apply seccomp to application inside sandbox. + if spec.Linux != nil && spec.Linux.Seccomp != nil { + log.Warningf("Seccomp spec is being ignored") + } + return nil +} + // Sandbox wraps a child sandbox process, and is responsible for saving and // loading sandbox metadata to disk. // @@ -110,6 +126,9 @@ func Create(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSo if err := validateID(id); err != nil { return nil, err } + if err := validateSpec(spec); err != nil { + return nil, err + } sandboxRoot := filepath.Join(conf.RootDir, id) if exists(sandboxRoot) { diff --git a/runsc/sandbox/sandbox_test.go b/runsc/sandbox/sandbox_test.go index a46212173..1fac38a29 100644 --- a/runsc/sandbox/sandbox_test.go +++ b/runsc/sandbox/sandbox_test.go @@ -567,6 +567,28 @@ func TestConsoleSocket(t *testing.T) { } } +func TestSpecUnsupported(t *testing.T) { + spec := newSpecWithArgs("/bin/true") + spec.Process.SelinuxLabel = "somelabel" + + // These are normally set by docker and will just cause warnings to be logged. + spec.Process.ApparmorProfile = "someprofile" + spec.Linux = &specs.Linux{Seccomp: &specs.LinuxSeccomp{}} + + rootDir, bundleDir, conf, err := setupSandbox(spec) + if err != nil { + t.Fatalf("error setting up sandbox: %v", err) + } + defer os.RemoveAll(rootDir) + defer os.RemoveAll(bundleDir) + + id := uniqueSandboxID() + _, err = sandbox.Create(id, spec, conf, bundleDir, "", "", nil) + if err == nil || !strings.Contains(err.Error(), "is not supported") { + t.Errorf("sandbox.Create() wrong error, got: %v, want: *is not supported, spec.Process: %+v", err, spec.Process) + } +} + // procListsEqual is used to check whether 2 Process lists are equal for all // implemented fields. func procListsEqual(got, want []*control.Process) bool { |