feat: add devices and capabilities support for containerd engine
Signed-off-by: Alessio Greggi <ale_grey_91@hotmail.it>
This commit is contained in:
parent
696cea1e87
commit
e5e919bebe
|
@ -215,7 +215,7 @@ class ContainerdHelper(EngineHelper):
|
|||
|
||||
@getter_decorator
|
||||
def get_devices(self, data):
|
||||
return []
|
||||
return data[0]["Spec"]["linux"]["devices"]
|
||||
|
||||
@getter_decorator
|
||||
def get_mounts(self, data):
|
||||
|
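Review bot: get_devices now indexes `data[0]["Spec"]["linux"]["devices"]` with no guard, so a containerd spec that has no `linux` section or no `devices` key raises KeyError here unless getter_decorator (defined outside this hunk) already turns that into the empty default. If it does not, `return data[0]["Spec"].get("linux", {}).get("devices", [])` keeps the previous empty-list behaviour for such containers instead of aborting policy generation. A one-line docstring saying this is the OCI `linux.devices` list (container-side paths plus major/minor numbers) would also help the policy writer that consumes it, since its shape differs from the podman inspect output used elsewhere.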
@ -235,6 +235,12 @@ class ContainerdHelper(EngineHelper):
|
|||
|
||||
@getter_decorator
|
||||
def get_caps(self, data, opts):
|
||||
if opts["Caps"]:
|
||||
return (
|
||||
opts["Caps"].split(",") if opts["Caps"] not in ["None", "none"] else []
|
||||
)
|
||||
else:
|
||||
return data[0]["Spec"]["capabilities"]["effective"]
|
||||
return []
|
||||
|
||||
|
||||
|
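Review bot: The trailing `return []` in get_caps is unreachable because both the `if` and the `else` branch return; either drop it or make the `else` branch the fallback. Separately, the `else` branch reads `data[0]["Spec"]["capabilities"]["effective"]` while get_devices in the same class reads the OCI spec path `Spec.linux.devices`; in the OCI runtime spec capabilities live under `process`, so this probably needs to be `data[0]["Spec"]["process"]["capabilities"]["effective"]` — verify against a real containerd inspect, because a wrong key raises KeyError unless getter_decorator swallows it and silently yields no capability rules. It is also worth a comment that `effective` is the set held at inspect time rather than `bounding`, so the generated policy reflects what the process currently has, not the maximum it could acquire.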
@ -288,7 +294,6 @@ def parse_avc_file(data):
|
|||
|
||||
|
||||
def validate_container_engine(ContainerEngine):
|
||||
print(ContainerEngine)
|
||||
if ContainerEngine in ENGINE_ALL + ["CRIO", "-"]:
|
||||
# Fix CRIO reference to use ENGINE_CRIO
|
||||
if ContainerEngine == "CRIO":
|
||||
|
|
|
@ -172,7 +172,9 @@ def create_policy(
|
|||
|
||||
# devices
|
||||
# Not applicable for CRI-O container engine
|
||||
if inspect_format != "CRI-O":
|
||||
if inspect_format == "containerd":
|
||||
write_policy_for_containerd_devices(devices, policy)
|
||||
elif inspect_format != "CRI-0":
|
||||
write_policy_for_podman_devices(devices, policy)
|
||||
|
||||
# mounts
|
||||
|
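Review bot: `elif inspect_format != "CRI-0":` compares against "CRI-0" with a digit zero, while the enclosing `if` already excludes "CRI-O" with the letter O, so the inner test is always true and reads like a typo. Replace it with a plain `else:` so the podman writer is the explicit fallback for every format that is neither containerd nor CRI-O, and the misleading duplicate check disappears. create_policy starts and ends outside this hunk.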
@ -431,6 +433,39 @@ def write_policy_for_podman_mounts(mounts, policy):
|
|||
+ " ))) \n"
|
||||
)
|
||||
|
||||
|
||||
def write_policy_for_containerd_devices(devices, policy):
|
||||
# devices JSON example:
|
||||
# [
|
||||
# {
|
||||
# "path": "/dev/zero",
|
||||
# "type": "c",
|
||||
# "major": 1,
|
||||
# "minor": 5,
|
||||
# "fileMode": 438,
|
||||
# "uid": 0,
|
||||
# "gid": 0
|
||||
# }
|
||||
# ]
|
||||
for item in sorted(devices, key=lambda x: str(x["path"])):
|
||||
contexts = list_contexts(item["path"])
|
||||
for context in contexts:
|
||||
policy.write(
|
||||
" (allow process "
|
||||
+ context
|
||||
+ " ( blk_file ( "
|
||||
+ perms.perm["device_rw"]
|
||||
+ " ))) \n"
|
||||
)
|
||||
policy.write(
|
||||
" (allow process "
|
||||
+ context
|
||||
+ " ( chr_file ( "
|
||||
+ perms.perm["device_rw"]
|
||||
+ " ))) \n"
|
||||
)
|
||||
|
||||
|
||||
def write_policy_for_containerd_mounts(mounts, policy):
|
||||
# mount JSON example:
|
||||
# {
|
||||
|
|
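Review bot: write_policy_for_containerd_devices grants `device_rw` on both `blk_file` and `chr_file` for every device even though the containerd JSON carries a `type` field ("c" or "b", per the example comment), so each rule is broader than the device actually needs; selecting the file class from `type` and falling back to both only when it is absent keeps the current output for unknown types while tightening the common case. Also note that `list_contexts` is handed `item["path"]`, which in the OCI spec is the path inside the container, whereas the podman writer works from a host path; if the host device node lives elsewhere the context lookup may miss or mismatch, so this deserves a comment or a check against the major/minor numbers.
```python
    for item in sorted(devices, key=lambda x: str(x["path"])):
        # OCI "type" is "c" (char) or "b" (block); only grant the matching
        # class, and fall back to both when the type is missing or unknown.
        classes = {"c": ["chr_file"], "b": ["blk_file"]}.get(
            item.get("type"), ["blk_file", "chr_file"]
        )
        contexts = list_contexts(item["path"])
        for context in contexts:
            for file_class in classes:
                policy.write(
                    " (allow process "
                    + context
                    + " ( "
                    + file_class
                    + " ( "
                    + perms.perm["device_rw"]
                    + " ))) \n"
                )
```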