summaryrefslogtreecommitdiffhomepage
path: root/runsc/sandbox
diff options
context:
space:
mode:
Diffstat (limited to 'runsc/sandbox')
-rw-r--r--runsc/sandbox/sandbox.go19
-rw-r--r--runsc/sandbox/sandbox_test.go22
2 files changed, 41 insertions, 0 deletions
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index 0354a64b9..2a5eda6ae 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -53,6 +53,22 @@ func validateID(id string) error {
return nil
}
+func validateSpec(spec *specs.Spec) error {
+ if spec.Process.SelinuxLabel != "" {
+ return fmt.Errorf("SELinux is not supported: %s", spec.Process.SelinuxLabel)
+ }
+
+ // Docker uses AppArmor by default, so just log that it's being ignored.
+ if spec.Process.ApparmorProfile != "" {
+ log.Warningf("AppArmor profile %q is being ignored", spec.Process.ApparmorProfile)
+ }
+ // TODO: Apply seccomp to application inside sandbox.
+ if spec.Linux != nil && spec.Linux.Seccomp != nil {
+ log.Warningf("Seccomp spec is being ignored")
+ }
+ return nil
+}
+
// Sandbox wraps a child sandbox process, and is responsible for saving and
// loading sandbox metadata to disk.
//
@@ -110,6 +126,9 @@ func Create(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSo
if err := validateID(id); err != nil {
return nil, err
}
+ if err := validateSpec(spec); err != nil {
+ return nil, err
+ }
sandboxRoot := filepath.Join(conf.RootDir, id)
if exists(sandboxRoot) {
diff --git a/runsc/sandbox/sandbox_test.go b/runsc/sandbox/sandbox_test.go
index a46212173..1fac38a29 100644
--- a/runsc/sandbox/sandbox_test.go
+++ b/runsc/sandbox/sandbox_test.go
@@ -567,6 +567,28 @@ func TestConsoleSocket(t *testing.T) {
}
}
+func TestSpecUnsupported(t *testing.T) {
+ spec := newSpecWithArgs("/bin/true")
+ spec.Process.SelinuxLabel = "somelabel"
+
+ // These are normally set by docker and will just cause warnings to be logged.
+ spec.Process.ApparmorProfile = "someprofile"
+ spec.Linux = &specs.Linux{Seccomp: &specs.LinuxSeccomp{}}
+
+ rootDir, bundleDir, conf, err := setupSandbox(spec)
+ if err != nil {
+ t.Fatalf("error setting up sandbox: %v", err)
+ }
+ defer os.RemoveAll(rootDir)
+ defer os.RemoveAll(bundleDir)
+
+ id := uniqueSandboxID()
+ _, err = sandbox.Create(id, spec, conf, bundleDir, "", "", nil)
+ if err == nil || !strings.Contains(err.Error(), "is not supported") {
+ t.Errorf("sandbox.Create() wrong error, got: %v, want: *is not supported, spec.Process: %+v", err, spec.Process)
+ }
+}
+
// procListsEqual is used to check whether 2 Process lists are equal for all
// implemented fields.
func procListsEqual(got, want []*control.Process) bool {