diff --git a/container.go b/container.go
index 95be4f9e..8fe95c24 100644
--- a/container.go
+++ b/container.go
@@ -51,12 +51,17 @@ type Config struct {
 // placed into to limit the resources the container has available
 Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"`
 
- // Context is a generic key value format that allows for additional settings to be passed
- // on the container's creation
- // This is commonly used to specify apparmor profiles, selinux labels, and different restrictions
- // placed on the container's processes
- // TODO(vishh): Avoid overloading this field with params for different subsystems. Strongtype this.
- Context map[string]string `json:"context,omitempty"`
+ // AppArmorProfile specifies the profile to apply to the process running in the container and is
+ // change at the time the process is execed
+ AppArmorProfile string `json:"apparmor_profile,omitempty"`
+
+ // ProcessLabel specifies the label to apply to the process running in the container. It is
+ // commonly used by selinux
+ ProcessLabel string `json:"process_label,omitempty"`
+
+ // RestrictSys will remount /proc/sys, /sys, and mask over sysrq-trigger as well as /proc/irq and
+ // /proc/bus
+ RestrictSys bool `json:"restrict_sys,omitempty"`
 }
 
 // Routes can be specified to create entries in the route table as the container is started
diff --git a/namespaces/execin.go b/namespaces/execin.go
index cd33025a..5dc8071c 100644
--- a/namespaces/execin.go
+++ b/namespaces/execin.go
@@ -41,8 +41,8 @@ func NsEnter(container *libcontainer.Config, nspid int, args []string) error {
 return err
 }
 
- if process_label, ok := container.Context["process_label"]; ok {
- if err := label.SetProcessLabel(process_label); err != nil {
+ if container.ProcessLabel != "" {
+ if err := label.SetProcessLabel(container.ProcessLabel); err != nil {
 return err
 }
 }
diff --git a/namespaces/init.go b/namespaces/init.go
index e916ca28..b0b32750 100644
--- a/namespaces/init.go
+++ b/namespaces/init.go
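Review bot: The AppArmorProfile comment on the second added line has a grammar slip, `is change at the time the process is execed`; suggest `is changed at the time the process is exec'd`. The RestrictSys comment should also tell readers of the old `context` map what became of it: the removed `restrictions` key enabled the remounts on any non-empty value, whereas `restrict_sys` is a bool defaulting to false, so a config that still carries the old key silently loses the /proc/sys and /sys hardening. A one-line note such as `// Replaces the former Context["restrictions"] key; configs that still set it get no restriction.` would make that migration visible. The TODO added in the init.go hunk, `make this configurable at the Config level`, is already satisfied by this field and reads as stale.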
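Review bot: The new guard `if container.ProcessLabel != ""` in NsEnter disagrees with Init in the init.go hunk, which calls `label.SetProcessLabel(container.ProcessLabel)` unconditionally; whether the two should match depends on how SetProcessLabel treats an empty label, which is not visible here. If the guard is deliberate, so that an entering process keeps the caller's label when the container has none configured, a short comment such as `// no label configured: keep the caller's process label` would stop the next reader from "fixing" one side to match the other. Note also that the old code applied the label whenever the key was present, even with an empty value, so configs of that shape see a small behaviour change. NsEnter's body starts and ends outside the hunk.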
@@ -74,6 +74,7 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
 (*mount.MountConfig)(container.MountConfig)); err != nil {
 return fmt.Errorf("setup mount namespace %s", err)
 }
+
 if container.Hostname != "" {
 if err := system.Sethostname(container.Hostname); err != nil {
 return fmt.Errorf("sethostname %s", err)
@@ -82,13 +83,16 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
 runtime.LockOSThread()
 
- if err := apparmor.ApplyProfile(container.Context["apparmor_profile"]); err != nil {
- return fmt.Errorf("set apparmor profile %s: %s", container.Context["apparmor_profile"], err)
+ if err := apparmor.ApplyProfile(container.AppArmorProfile); err != nil {
+ return fmt.Errorf("set apparmor profile %s: %s", container.AppArmorProfile, err)
 }
+
+ if err := label.SetProcessLabel(container.ProcessLabel); err != nil {
 return fmt.Errorf("set process label %s", err)
 }
+
+ // TODO: (crosbymichael) make this configurable at the Config level
+ if container.RestrictSys {
 if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus", "sys"); err != nil {
 return err
 }