ExternalVendorCode/balena-supervisor
1
0
Fork 0
mirror of https://github.com/balena-os/balena-supervisor.git synced 2025-02-07 11:50:27 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1891 from balena-os/sec-opt

Browse Source 
Ignore selinux security opts when comparing services
This commit is contained in:
bulldozer-balena[bot] 2022-02-24 13:31:01 +00:00 committed by GitHub
commit cb68a067b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 70 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/compose/service.ts
View File

@ -28,6 +28,8 @@ import { EnvVarObject } from '../types';
const SERVICE_NETWORK_MODE_REGEX = /service:\s*(.+)/; const SERVICE_NETWORK_MODE_REGEX = /service:\s*(.+)/;
const CONTAINER_NETWORK_MODE_REGEX = /container:\s*(.+)/; const CONTAINER_NETWORK_MODE_REGEX = /container:\s*(.+)/;
const unsupportedSecurityOpt = (opt: string) => /label=.*/.test(opt);
export type ServiceStatus = export type ServiceStatus =
| 'Stopping' | 'Stopping'
| 'Stopped' | 'Stopped'
@ -383,6 +385,18 @@ export class Service {
} }
delete config.tmpfs; delete config.tmpfs;
if (config.securityOpt != null) {
const unsupported = (config.securityOpt || []).filter(
unsupportedSecurityOpt,
);
if (unsupported.length > 0) {
log.warn(`Ignoring unsupported security options: ${unsupported}`);
config.securityOpt = (config.securityOpt || []).filter(
(opt) => !unsupportedSecurityOpt(opt),
);
}
}
// Normalise the config before passing it to defaults // Normalise the config before passing it to defaults
ComposeUtils.normalizeNullValues(config); ComposeUtils.normalizeNullValues(config);
@ -577,7 +591,14 @@ export class Service {
groupAdd: container.HostConfig.GroupAdd || [], groupAdd: container.HostConfig.GroupAdd || [],
pid: container.HostConfig.PidMode || '', pid: container.HostConfig.PidMode || '',
pidsLimit: container.HostConfig.PidsLimit || 0, pidsLimit: container.HostConfig.PidsLimit || 0,
securityOpt: container.HostConfig.SecurityOpt || [], securityOpt: (container.HostConfig.SecurityOpt || []).filter(
// The docker engine v20+ adds selinux security options depending
// on the container configuration. Ignore those in the target state
// comparison as selinux is not supported by balenaOS so those options
// will not have any effect.
// https://github.com/moby/moby/blob/master/daemon/create.go#L214
(opt: string) => !unsupportedSecurityOpt(opt),
),
usernsMode: container.HostConfig.UsernsMode || '', usernsMode: container.HostConfig.UsernsMode || '',
ipc: container.HostConfig.IpcMode || '', ipc: container.HostConfig.IpcMode || '',
macAddress: (container.Config as any).MacAddress || '', macAddress: (container.Config as any).MacAddress || '',

48
test/src/compose/service.spec.ts
View File

@ -1031,4 +1031,52 @@ describe('compose/service', () => {
.be.false; .be.false;
}); });
}); });
describe('Security options', () => {
it('ignores selinux security options on the target state', async () => {
const service = await Service.fromComposeObject(
{
appId: 123,
serviceId: 123,
serviceName: 'test',
securityOpt: [
'label=user:USER',
'label=user:ROLE',
'seccomp=unconfined',
],
},
{ appName: 'test' } as any,
);
expect(service.config)
.to.have.property('securityOpt')
.that.deep.equals(['seccomp=unconfined']);
});
it('ignores selinux security options on the current state', async () => {
const mockContainer = createContainer({
Id: 'deadbeef',
Name: 'main_431889_572579',
Config: {
Labels: {
'io.resin.app-id': '1011165',
'io.resin.architecture': 'armv7hf',
'io.resin.service-id': '43697',
'io.resin.service-name': 'main',
'io.resin.supervised': 'true',
},
},
HostConfig: {
SecurityOpt: ['label=disable', 'seccomp=unconfined'],
},
});
const service = Service.fromDockerContainer(
await mockContainer.inspect(),
);
expect(service.config)
.to.have.property('securityOpt')
.that.deep.equals(['seccomp=unconfined']);
});
});
}); });