Make LCOWPrivileged annotation more resilient to change (microsoft#1628)

A change to one of these two checks was requested by Hamza as part of microsoft#1624. It was decided to get both instances in their own PR as the change was unrelated to the work in 1624. Signed-off-by: Sean T. Allen <seanallen@microsoft.com>
princepereira · Jan 27, 2023 · 6c19ecb · 6c19ecb
1 parent f3be5e5
commit 6c19ecb
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/guest/runtime/hcsv2/spec.go b/guest/runtime/hcsv2/spec.go
@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"strings"
 
+	int_oci "github.com/Microsoft/hcsshim/internal/oci"
 	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runc/libcontainer/user"
 	oci "github.com/opencontainers/runtime-spec/specs-go"
@@ -204,7 +205,7 @@ func applyAnnotationsToSpec(ctx context.Context, spec *oci.Spec) error {
 	}
 
 	// Check if we need to do any capability/device mappings
-	if spec.Annotations[annotations.LCOWPrivileged] == "true" {
+	if int_oci.ParseAnnotationsBool(ctx, spec.Annotations, annotations.LCOWPrivileged, false) {
 		log.G(ctx).Debugf("'%s' set for privileged container", annotations.LCOWPrivileged)
 
 		// Add all host devices

diff --git a/guest/runtime/hcsv2/uvm.go b/guest/runtime/hcsv2/uvm.go
@@ -326,7 +326,7 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 		settings.OCISpecification.Process.Env,
 		settings.OCISpecification.Process.Cwd,
 		settings.OCISpecification.Mounts,
-		isPrivilegedContainerCreationRequest(settings.OCISpecification),
+		isPrivilegedContainerCreationRequest(ctx, settings.OCISpecification),
 	)
 	if err != nil {
 		return nil, errors.Wrapf(err, "container creation denied due to policy")
@@ -995,6 +995,6 @@ func processOCIEnvToParam(envs []string) map[string]string {
 
 // isPrivilegedContainerCreationRequest returns if a given container
 // creation request would create a privileged container
-func isPrivilegedContainerCreationRequest(spec *specs.Spec) bool {
-	return spec.Annotations[annotations.LCOWPrivileged] == "true"
+func isPrivilegedContainerCreationRequest(ctx context.Context, spec *specs.Spec) bool {
+	return oci.ParseAnnotationsBool(ctx, spec.Annotations, annotations.LCOWPrivileged, false)
 }