Error if container requires AppArmor, SELinux or seccomp

fvoznika · shentubot · commit e1b412d6609c · 2018-05-08T10:34:11.000-07:00
Closes google#35 PiperOrigin-RevId: 195840128 Change-Id: I31c1ad9b51ec53abb6f0b485d35622d4e9764b29
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
@@ -53,6 +53,22 @@ func validateID(id string) error {
 	return nil
 }
 
+func validateSpec(spec *specs.Spec) error {
+	if spec.Process.SelinuxLabel != "" {
+		return fmt.Errorf("SELinux is not supported: %s", spec.Process.SelinuxLabel)
+	}
+
+	// Docker uses AppArmor by default, so just log that it's being ignored.
+	if spec.Process.ApparmorProfile != "" {
+		log.Warningf("AppArmor profile %q is being ignored", spec.Process.ApparmorProfile)
+	}
+	// TODO: Apply seccomp to application inside sandbox.
+	if spec.Linux != nil && spec.Linux.Seccomp != nil {
+		log.Warningf("Seccomp spec is being ignored")
+	}
+	return nil
+}
+
 // Sandbox wraps a child sandbox process, and is responsible for saving and
 // loading sandbox metadata to disk.
 //
@@ -110,6 +126,9 @@ func Create(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSo
 	if err := validateID(id); err != nil {
 		return nil, err
 	}
+	if err := validateSpec(spec); err != nil {
+		return nil, err
+	}
 
 	sandboxRoot := filepath.Join(conf.RootDir, id)
 	if exists(sandboxRoot) {
diff --git a/runsc/sandbox/sandbox_test.go b/runsc/sandbox/sandbox_test.go
@@ -567,6 +567,28 @@ func TestConsoleSocket(t *testing.T) {
 	}
 }
 
+func TestSpecUnsupported(t *testing.T) {
+	spec := newSpecWithArgs("/bin/true")
+	spec.Process.SelinuxLabel = "somelabel"
+
+	// These are normally set by docker and will just cause warnings to be logged.
+	spec.Process.ApparmorProfile = "someprofile"
+	spec.Linux = &specs.Linux{Seccomp: &specs.LinuxSeccomp{}}
+
+	rootDir, bundleDir, conf, err := setupSandbox(spec)
+	if err != nil {
+		t.Fatalf("error setting up sandbox: %v", err)
+	}
+	defer os.RemoveAll(rootDir)
+	defer os.RemoveAll(bundleDir)
+
+	id := uniqueSandboxID()
+	_, err = sandbox.Create(id, spec, conf, bundleDir, "", "", nil)
+	if err == nil || !strings.Contains(err.Error(), "is not supported") {
+		t.Errorf("sandbox.Create() wrong error, got: %v, want: *is not supported, spec.Process: %+v", err, spec.Process)
+	}
+}
+
 // procListsEqual is used to check whether 2 Process lists are equal for all
 // implemented fields.
 func procListsEqual(got, want []*control.Process) bool {
