SELinux context support to volumes

Oleg Anastasyev · KostyaSha · commit 7920d4822eb0 · 2016-03-27T21:27:27.000+03:00
diff --git a/src/main/java/com/github/dockerjava/api/model/Bind.java b/src/main/java/com/github/dockerjava/api/model/Bind.java
@@ -4,8 +4,8 @@
 import org.apache.commons.lang.builder.HashCodeBuilder;
 
 /**
- * Represents a host path being bind mounted as a {@link Volume} in a Docker container. The Bind can be in read only or read write access
- * mode.
+ * Represents a host path being bind mounted as a {@link Volume} in a Docker container.
+ * The Bind can be in read only or read write access mode.
  */
 public class Bind {
 
@@ -15,14 +15,24 @@ public class Bind {
 
     private AccessMode accessMode;
 
+    /**
+     * @since {@link com.github.dockerjava.core.RemoteApiVersion#VERSION_1_17}
+     */
+    private SELContext secMode;
+
     public Bind(String path, Volume volume) {
-        this(path, volume, AccessMode.DEFAULT);
+        this(path, volume, AccessMode.DEFAULT, SELContext.DEFAULT);
     }
 
     public Bind(String path, Volume volume, AccessMode accessMode) {
+        this(path, volume, accessMode, SELContext.DEFAULT);
+    }
+
+    public Bind(String path, Volume volume, AccessMode accessMode, SELContext secMode) {
         this.path = path;
         this.volume = volume;
         this.accessMode = accessMode;
+        this.secMode = secMode;
     }
 
     public String getPath() {
@@ -37,6 +47,10 @@ public AccessMode getAccessMode() {
         return accessMode;
     }
 
+    public SELContext getSecMode() {
+        return secMode;
+    }
+
     /**
      * Parses a bind mount specification to a {@link Bind}.
      *
@@ -50,47 +64,70 @@ public static Bind parse(String serialized) {
         try {
             String[] parts = serialized.split(":");
             switch (parts.length) {
-                case 2: {
-                    return new Bind(parts[0], new Volume(parts[1]));
-                }
-                case 3: {
-                    AccessMode accessMode = AccessMode.valueOf(parts[2].toLowerCase());
-                    return new Bind(parts[0], new Volume(parts[1]), accessMode);
-                }
-                default: {
-                    throw new IllegalArgumentException();
+            case 2: {
+                return new Bind(parts[0], new Volume(parts[1]));
+            }
+            case 3: {
+                String[] flags = parts[2].split(",");
+                AccessMode accessMode = AccessMode.DEFAULT;
+                SELContext seMode = SELContext.DEFAULT;
+                for (String p : flags) {
+                    if (p.length() == 2) {
+                        accessMode = AccessMode.valueOf(p.toLowerCase());
+                    } else {
+                        seMode = SELContext.fromString(p);
+                    }
                 }
+
+                return new Bind(parts[0], new Volume(parts[1]), accessMode, seMode);
+            }
+            default: {
+                throw new IllegalArgumentException();
+            }
             }
         } catch (Exception e) {
-            throw new IllegalArgumentException("Error parsing Bind '" + serialized + "'");
+            throw new IllegalArgumentException("Error parsing Bind '" + serialized + "'", e);
         }
     }
 
     @Override
     public boolean equals(Object obj) {
         if (obj instanceof Bind) {
             Bind other = (Bind) obj;
-            return new EqualsBuilder().append(path, other.getPath()).append(volume, other.getVolume())
-                    .append(accessMode, other.getAccessMode()).isEquals();
+            return new EqualsBuilder()
+                    .append(path, other.getPath())
+                    .append(volume, other.getVolume())
+                    .append(accessMode, other.getAccessMode())
+                    .append(secMode, other.getSecMode())
+                    .isEquals();
         } else {
             return super.equals(obj);
         }
     }
 
     @Override
     public int hashCode() {
-        return new HashCodeBuilder().append(path).append(volume).append(accessMode).toHashCode();
+        return new HashCodeBuilder()
+                .append(path)
+                .append(volume)
+                .append(accessMode)
+                .append(secMode)
+                .toHashCode();
     }
 
     /**
-     * Returns a string representation of this {@link Bind} suitable for inclusion in a JSON message. The format is
-     * <code>&lt;host path&gt;:&lt;container path&gt;:&lt;access mode&gt;</code>, like the argument in {@link #parse(String)}.
+     * Returns a string representation of this {@link Bind} suitable for inclusion in a JSON message.
+     * The format is <code>&lt;host path&gt;:&lt;container path&gt;:&lt;access mode&gt;</code>,
+     * like the argument in {@link #parse(String)}.
      *
      * @return a string representation of this {@link Bind}
      */
     @Override
     public String toString() {
-        return path + ":" + volume.getPath() + ":" + accessMode.toString();
+        return String.format("%s:%s:%s%s",
+                path,
+                volume.getPath(),
+                accessMode.toString(),
+                secMode != SELContext.none ? "," + secMode.toString() : "");
     }
-
 }
diff --git a/src/main/java/com/github/dockerjava/api/model/SELContext.java b/src/main/java/com/github/dockerjava/api/model/SELContext.java
@@ -0,0 +1,45 @@
+package com.github.dockerjava.api.model;
+
+/**
+ * The context mode of bound volume in SELinux.
+ * Host path <code>shared</code> - can be used by all containers, <code>private</code> - by only this container
+ *
+ * @see http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
+ * @since 1.17
+ */
+public enum SELContext {
+    /** no selinux */
+    none(""),
+
+    /** z option */
+    shared("z"),
+
+    /** Z option */
+    single("Z");
+
+    /**
+     * The default {@link SELContext}: {@link #none}
+     */
+    public static final SELContext DEFAULT = none;
+
+    private String value;
+
+    SELContext(String v) {
+        this.value = v;
+    }
+
+    @Override
+    public String toString() {
+        return value;
+    }
+
+    public static SELContext fromString(String p) {
+        switch (p) {
+        case "z":
+            return shared;
+        case "Z":
+            return single;
+        }
+        return none;
+    }
+}
diff --git a/src/test/java/com/github/dockerjava/api/model/BindTest.java b/src/test/java/com/github/dockerjava/api/model/BindTest.java
@@ -14,6 +14,7 @@ public void parseUsingDefaultAccessMode() {
         assertEquals(bind.getPath(), "/host");
         assertEquals(bind.getVolume().getPath(), "/container");
         assertEquals(bind.getAccessMode(), AccessMode.DEFAULT);
+        assertEquals(bind.getSecMode(), SELContext.none);
     }
 
     @Test
@@ -22,6 +23,7 @@ public void parseReadWrite() {
         assertEquals(bind.getPath(), "/host");
         assertEquals(bind.getVolume().getPath(), "/container");
         assertEquals(bind.getAccessMode(), rw);
+        assertEquals(bind.getSecMode(), SELContext.none);
     }
 
     @Test
@@ -30,6 +32,40 @@ public void parseReadOnly() {
         assertEquals(bind.getPath(), "/host");
         assertEquals(bind.getVolume().getPath(), "/container");
         assertEquals(bind.getAccessMode(), ro);
+        assertEquals(bind.getSecMode(), SELContext.none);
+    }
+
+    @Test
+    public void parseSELOnly() {
+        Bind bind = Bind.parse("/host:/container:Z");
+        assertEquals(bind.getPath(), "/host");
+        assertEquals(bind.getVolume().getPath(), "/container");
+        assertEquals(bind.getAccessMode(), AccessMode.DEFAULT);
+        assertEquals(bind.getSecMode(), SELContext.single);
+        
+        bind = Bind.parse("/host:/container:z");
+        assertEquals(bind.getPath(), "/host");
+        assertEquals(bind.getVolume().getPath(), "/container");
+        assertEquals(bind.getAccessMode(), AccessMode.DEFAULT);
+        assertEquals(bind.getSecMode(), SELContext.shared);
+    }
+
+    @Test
+    public void parseReadWriteSEL() {
+        Bind bind = Bind.parse("/host:/container:rw,Z");
+        assertEquals(bind.getPath(), "/host");
+        assertEquals(bind.getVolume().getPath(), "/container");
+        assertEquals(bind.getAccessMode(), rw);
+        assertEquals(bind.getSecMode(), SELContext.single);
+    }
+
+    @Test
+    public void parseReadOnlySEL() {
+        Bind bind = Bind.parse("/host:/container:ro,z");
+        assertEquals(bind.getPath(), "/host");
+        assertEquals(bind.getVolume().getPath(), "/container");
+        assertEquals(bind.getAccessMode(), ro);
+        assertEquals(bind.getSecMode(), SELContext.shared);
     }
 
     @Test(expectedExceptions = IllegalArgumentException.class, expectedExceptionsMessageRegExp = "Error parsing Bind.*")
@@ -62,4 +98,19 @@ public void toStringDefaultAccessMode() {
         assertEquals(Bind.parse("/host:/container").toString(), "/host:/container:rw");
     }
 
+    @Test
+    public void toStringReadOnlySEL() {
+        assertEquals(Bind.parse("/host:/container:ro,Z").toString(), "/host:/container:ro,Z");
+    }
+
+    @Test
+    public void toStringReadWriteSEL() {
+        assertEquals(Bind.parse("/host:/container:rw,z").toString(), "/host:/container:rw,z");
+    }
+
+    @Test
+    public void toStringDefaultSEL() {
+        assertEquals(Bind.parse("/host:/container:Z").toString(), "/host:/container:rw,Z");
+    }
+
 }
