


     1  //go:build linux
     2  // +build linux
     3  
     4  package policy
     5  
import (
	"errors"

	oci "github.com/opencontainers/runtime-spec/specs-go"

	internalSpec "github.com/Microsoft/hcsshim/internal/guest/spec"
	"github.com/Microsoft/hcsshim/pkg/securitypolicy"
)
    12  
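// ExtendPolicyWithNetworkingMounts generates the networking mounts for the
// workload container belonging to sandboxID and hands them to the enforcer
// through ExtendDefaultMounts.
//
// Only spec.Root is forwarded, on a throwaway copy of the spec, so the
// caller's spec is never modified here; whatever else the mount generator
// might need is not visible from this function.
//
// It returns an error when enforcer or spec is nil, or when the enforcer
// rejects the extension. Enforcer errors are returned unwrapped so callers
// can inspect them directly.
func ExtendPolicyWithNetworkingMounts(sandboxID string, enforcer securitypolicy.SecurityPolicyEnforcer, spec *oci.Spec) error {
	// Fail closed instead of panicking: a nil enforcer or spec means the
	// policy cannot be extended, and the caller should know that.
	if enforcer == nil {
		return errors.New("extending policy with networking mounts: enforcer is nil")
	}
	if spec == nil {
		return errors.New("extending policy with networking mounts: container spec is nil")
	}
	// Minimal spec carrying only Root so the generator cannot touch the
	// caller's spec.
	roSpec := &oci.Spec{
		Root: spec.Root,
	}
	networkingMounts := internalSpec.GenerateWorkloadContainerNetworkMounts(sandboxID, roSpec)
	return enforcer.ExtendDefaultMounts(networkingMounts)
}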
    23  
    24  // DefaultCRIMounts returns default mounts added to linux spec by containerD.
// DefaultCRIMounts returns the mounts that containerd adds to a linux
// container spec by default, with the options this policy expects for each
// destination. Every call builds a fresh slice with fresh Options slices, so
// callers may modify the result without affecting later calls.
//
// Note that /sys and /sys/fs/cgroup are read-only here; the writable
// variants used for privileged containers live in DefaultCRIPrivilegedMounts.
func DefaultCRIMounts() []oci.Mount {
	type entry struct {
		dest, typ, src string
		opts           []string
	}
	// Order matters: callers may compare positionally, so keep it as is.
	entries := []entry{
		{"/proc", "proc", "proc", []string{"nosuid", "noexec", "nodev"}},
		{"/dev", "tmpfs", "tmpfs", []string{"nosuid", "strictatime", "mode=755", "size=65536k"}},
		{"/dev/pts", "devpts", "devpts", []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"}},
		{"/dev/shm", "tmpfs", "shm", []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"}},
		{"/dev/mqueue", "mqueue", "mqueue", []string{"nosuid", "noexec", "nodev"}},
		{"/sys", "sysfs", "sysfs", []string{"nosuid", "noexec", "nodev", "ro"}},
		{"/run", "tmpfs", "tmpfs", []string{"nosuid", "strictatime", "mode=755", "size=65536k"}},
		// The cgroup mount is always part of the defaults, whether or not
		// the mount constraints mention it. A user who wants to override it
		// must supply a matching mount constraint.
		{"/sys/fs/cgroup", "cgroup", "cgroup", []string{"nosuid", "noexec", "nodev", "relatime", "ro"}},
	}

	mounts := make([]oci.Mount, 0, len(entries))
	for _, e := range entries {
		mounts = append(mounts, oci.Mount{
			Destination: e.dest,
			Type:        e.typ,
			Source:      e.src,
			Options:     e.opts,
		})
	}
	return mounts
}
    80  
    81  // DefaultCRIPrivilegedMounts returns a slice of mounts which are added to the
    82  // linux container spec when a container runs in a privileged mode.
// DefaultCRIPrivilegedMounts returns the mounts added to a linux container
// spec when the container runs in privileged mode.
//
// These are the writable ("rw") counterparts of the /sys/fs/cgroup and /sys
// entries in DefaultCRIMounts, which are read-only; everything else about
// them (type, source, nosuid/noexec/nodev) is the same. A fresh slice is
// built on every call.
func DefaultCRIPrivilegedMounts() []oci.Mount {
	cgroup := oci.Mount{
		Destination: "/sys/fs/cgroup",
		Type:        "cgroup",
		Source:      "cgroup",
		Options:     []string{"nosuid", "noexec", "nodev", "relatime", "rw"},
	}
	sysfs := oci.Mount{
		Destination: "/sys",
		Type:        "sysfs",
		Source:      "sysfs",
		Options:     []string{"nosuid", "noexec", "nodev", "rw"},
	}
	// cgroup first, then sysfs: keep the order callers may rely on.
	return []oci.Mount{cgroup, sysfs}
}
    99  
