hashicorp · ruspaul013 · Sep 16, 2024
@@ -1,5 +1,9 @@
 ## UNRELEASED
 
+IMPROVEMENTS:
+
+* config: Allow setting `security_opt` option. 
+
 ## 0.6.1 (July 15, 2024)
 
 BUG FIXES:

@@ -423,6 +423,16 @@ config {
 }
 ```
 
+* **security_opt** - (Optional)  A list of security-related options that are set in the container.
+
+```hcl
+config {
+  security_opt = [
+    "no-new-privileges"
+  ]
+}
+```
+
 * **selinux_opts** - (Optional)  A list of process labels the container will use.
 
 ```

@@ -57,6 +57,10 @@ type ContainerBasicConfig struct {
 	// container.
 	// Optional.
 	Env map[string]string `json:"env,omitempty"`
+	// Labels nested indicates whether or not the container is allowed
+	// to run fully nested containers including SELinux labelling.
+	// Optional.
+	LabelsNested bool `json:"labels_nested,omitempty"`
 	// Labels are key-value pairs that are used to add metadata to
 	// containers.
 	// Optional.
@@ -298,7 +302,15 @@ type ContainerSecurityConfig struct {
 	// privileges flag on create, which disables gaining additional
 	// privileges (e.g. via setuid) in the container.
 	NoNewPrivileges bool `json:"no_new_privileges,omitempty"`
-
+	// Mask is the path we want to mask in the container. This masks the paths
+	// given in addition to the default list.
+	// Optional
+	Mask []string `json:"mask,omitempty"`
+	// Unmask a path in the container. Some paths are masked by default,
+	// preventing them from being accessed within the container; this undoes that masking.
+	// If ALL is passed, all paths will be unmasked.
+	// Optional.
+	Unmask []string `json:"unmask,omitempty"`
 	// IDMappings are UID and GID mappings that will be used by user
 	// namespaces.
 	// Required if UserNS is private.

@@ -117,6 +117,7 @@ var (
 		"readonly_rootfs":    hclspec.NewAttr("readonly_rootfs", "bool", false),
 		"userns":             hclspec.NewAttr("userns", "string", false),
 		"shm_size":           hclspec.NewAttr("shm_size", "string", false),
+		"security_opt":       hclspec.NewAttr("security_opt", "list(string)", false),
 	})
 )
 
@@ -224,4 +225,5 @@ type TaskConfig struct {
 	ReadOnlyRootfs    bool               `codec:"readonly_rootfs"`
 	UserNS            string             `codec:"userns"`
 	ShmSize           string             `codec:"shm_size"`
+	SecurityOpt       []string           `codec:"security_opt"`
 }
@@ -602,6 +602,11 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 	createOpts.ContainerSecurityConfig.ReadOnlyFilesystem = driverConfig.ReadOnlyRootfs
 	createOpts.ContainerSecurityConfig.ApparmorProfile = driverConfig.ApparmorProfile
 
+	// add security_opt if configured
+	if securiyOptsErr := parseSecurityOpt(driverConfig.SecurityOpt, &createOpts); securiyOptsErr != nil {
+		return nil, nil, fmt.Errorf("failed to parse security_opt configuration: %v", securiyOptsErr)
+	}
+
 	// Populate --userns mode only if configured
 	if driverConfig.UserNS != "" {
 		userns := strings.SplitN(driverConfig.UserNS, ":", 2)
@@ -1526,3 +1531,58 @@ func setExtraHosts(hosts []string, createOpts *api.SpecGenerator) error {
 	createOpts.ContainerNetworkConfig.HostAdd = slices.Clone(hosts)
 	return nil
 }
+
+func parseSecurityOpt(securityOpt []string, createOpts *api.SpecGenerator) error {
+	labelMap := make(map[string]string)
+	for _, opt := range securityOpt {
+		con := strings.SplitN(opt, "=", 2)
+		if len(con) == 1 && con[0] != "no-new-privileges" {
+			if strings.Contains(opt, ":") {
+				con = strings.SplitN(opt, ":", 2)
+			} else {
+				return fmt.Errorf("invalid security_opt: %q", opt)
+			}
+		}
+
+		switch con[0] {
+		case "no-new-privileges":
+			createOpts.ContainerSecurityConfig.NoNewPrivileges = true
+			continue
+		case "label":
+			if con[1] == "nested" {
+				createOpts.ContainerBasicConfig.LabelsNested = true
+				continue
+			}
+			labelValue := strings.SplitN(con[1], ":", 2)
+			if len(labelValue) == 2 {
+				labelMap[labelValue[0]] = labelValue[1]
+				createOpts.ContainerBasicConfig.Labels = labelMap
+			}
+		case "apparmor":
+			createOpts.ContainerSecurityConfig.ApparmorProfile = con[1]
+		case "seccomp":
+			if con[1] != "empty" && con[1] != "default" && con[1] != "image" {
+				createOpts.ContainerSecurityConfig.SeccompProfilePath = con[1]
+				continue
+			}
+			// For empty, default, image profile
+			createOpts.ContainerSecurityConfig.SeccompPolicy = con[1]
+		case "proc-opts":
+			procOptsList := strings.Split(con[1], ",")
+			createOpts.ContainerSecurityConfig.ProcOpts = procOptsList
+		case "mask":
+			maskList := strings.Split(con[1], ":")
+			createOpts.ContainerSecurityConfig.Mask = maskList
+		case "unmask":
+			if con[1] == "ALL" {
+				createOpts.ContainerSecurityConfig.Unmask = []string{con[1]}
+				continue
+			}
+			unmaskList := strings.Split(con[1], ":")
+			createOpts.ContainerSecurityConfig.Unmask = unmaskList
+		default:
+			return fmt.Errorf("invalid security_opt: %q", opt)
+		}
+	}
+	return nil
+}
@@ -1484,6 +1484,16 @@ func TestPodmanDriver_Caps(t *testing.T) {
 	}
 }
 
+// check security_opt option
+func TestPodmanDriver_SecurityOpt(t *testing.T) {
+	taskCfg := newTaskConfig("", busyboxLongRunningCmd)
+	// add a security_opt
+	taskCfg.SecurityOpt = []string{"no-new-privileges"}
+	inspectData := startDestroyInspect(t, taskCfg, "securityopt")
+	// and compare it
+	must.SliceContains(t, inspectData.HostConfig.SecurityOpt, "no-new-privileges")
+}
+
 // check enabled tty option
 func TestPodmanDriver_Tty(t *testing.T) {
 	ci.Parallel(t)