authorDaniel J Walsh <dwalsh@redhat.com>2020-04-14 16:44:37 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2020-04-15 16:30:03 -0400
commitac94a96a74e63854ab492e35c6c5c26145a6674a (patch)
treeb064e77c440d8d40b0138fb00c1335408e45326f
parent195cb11276d61311bbd2b5274ac7a98b62abaaba (diff)
Fix up SELinux labeling
Fixes SELinux label option processing; this should allow the system tests to pass. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--cmd/podmanV2/Makefile4
-rw-r--r--libpod/runtime.go4
-rw-r--r--pkg/specgen/container_validate.go12
-rw-r--r--pkg/specgen/generate/container.go8
-rw-r--r--pkg/specgen/security.go46
-rw-r--r--pkg/specgen/specgen.go8
6 files changed, 31 insertions, 51 deletions
diff --git a/cmd/podmanV2/Makefile b/cmd/podmanV2/Makefile
index 01d551212..c951cbdd9 100644
--- a/cmd/podmanV2/Makefile
+++ b/cmd/podmanV2/Makefile
@@ -1,10 +1,10 @@
all: podman podman-remote
podman:
- CGO_ENABLED=1 GO111MODULE=off go build -tags 'ABISupport systemd varlink seccomp'
+ CGO_ENABLED=1 GO111MODULE=off go build -tags 'ABISupport systemd varlink seccomp selinux'
podman-remote:
- CGO_ENABLED=1 GO111MODULE=off go build -tags '!ABISupport systemd seccomp' -o podmanV2-remote
+ CGO_ENABLED=1 GO111MODULE=off go build -tags '!ABISupport systemd seccomp selinux' -o podmanV2-remote
clean:
rm podmanV2 podmanV2-remote
diff --git a/libpod/runtime.go b/libpod/runtime.go
index a6032ad23..637f3b43f 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -813,3 +813,7 @@ func (r *Runtime) mergeDBConfig(dbConfig *DBConfig) error {
}
return nil
}
+
+func (r *Runtime) EnableLabeling() bool {
+ return r.config.Containers.EnableLabeling
+}
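Review bot: The new exported method EnableLabeling has no doc comment, which the other exported methods in this package carry and golint flags. Suggest `// EnableLabeling reports whether the containers configuration has SELinux labeling enabled.` above the declaration. It reads r.config without taking r.lock; if the other readers of r.config on Runtime hold the lock, this one presumably should as well — worth confirming against the rest of runtime.go.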
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index aad14ddcb..9152e7ee7 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@@ -68,18 +68,6 @@ func (s *SpecGenerator) Validate() error {
if len(s.CapAdd) > 0 && s.Privileged {
return exclusiveOptions("CapAdd", "privileged")
}
- // selinuxprocesslabel and privileged are exclusive
- if len(s.SelinuxProcessLabel) > 0 && s.Privileged {
- return exclusiveOptions("SelinuxProcessLabel", "privileged")
- }
- // selinuxmounmtlabel and privileged are exclusive
- if len(s.SelinuxMountLabel) > 0 && s.Privileged {
- return exclusiveOptions("SelinuxMountLabel", "privileged")
- }
- // selinuxopts and privileged are exclusive
- if len(s.SelinuxOpts) > 0 && s.Privileged {
- return exclusiveOptions("SelinuxOpts", "privileged")
- }
// apparmor and privileged are exclusive
if len(s.ApparmorProfile) > 0 && s.Privileged {
return exclusiveOptions("AppArmorProfile", "privileged")
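Review bot: Dropping the SelinuxOpts/privileged exclusivity check leaves that combination neither rejected nor overridden: the new call in pkg/specgen/generate/container.go only invokes SetLabelOpts when SelinuxOpts is empty, so a spec carrying both Privileged and user-supplied SelinuxOpts keeps the user labels, whereas the privileged branch of SetLabelOpts would otherwise replace them with label.DisableSecOpt(). Unless a later layer clears labels for privileged containers, either keep the check, `if len(s.SelinuxOpts) > 0 && s.Privileged { return exclusiveOptions("SelinuxOpts", "privileged") }`, or drop the `len(s.SelinuxOpts) == 0` guard in CompleteSpec so the privileged path always wins. Removing the SelinuxProcessLabel and SelinuxMountLabel checks is consistent with those fields being deleted in pkg/specgen/specgen.go. Validate continues outside the hunk.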
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index 78c77fec1..edd54847d 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -113,6 +113,14 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
if err := finishThrottleDevices(s); err != nil {
return err
}
+ // Unless already set via the CLI, check if we need to disable process
+ // labels or set the defaults.
+ if len(s.SelinuxOpts) == 0 {
+ if err := s.SetLabelOpts(r, s.PidNS, s.IpcNS); err != nil {
+ return err
+ }
+ }
+
return nil
}
diff --git a/pkg/specgen/security.go b/pkg/specgen/security.go
index 158e4a7b3..6f835eae4 100644
--- a/pkg/specgen/security.go
+++ b/pkg/specgen/security.go
@@ -1,32 +1,26 @@
package specgen
-// ToCreateOptions convert the SecurityConfig to a slice of container create
-// options.
-/*
-func (c *SecurityConfig) ToCreateOptions() ([]libpod.CtrCreateOption, error) {
- options := make([]libpod.CtrCreateOption, 0)
- options = append(options, libpod.WithSecLabels(c.LabelOpts))
- options = append(options, libpod.WithPrivileged(c.Privileged))
- return options, nil
-}
-*/
+import (
+ "github.com/containers/libpod/libpod"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/pkg/errors"
+)
// SetLabelOpts sets the label options of the SecurityConfig according to the
// input.
-/*
-func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidConfig, ipcConfig *IpcConfig) error {
- if c.Privileged {
- c.LabelOpts = label.DisableSecOpt()
+func (s *SpecGenerator) SetLabelOpts(runtime *libpod.Runtime, pidConfig Namespace, ipcConfig Namespace) error {
+ if !runtime.EnableLabeling() || s.Privileged {
+ s.SelinuxOpts = label.DisableSecOpt()
return nil
}
var labelOpts []string
- if pidConfig.PidMode.IsHost() {
+ if pidConfig.IsHost() {
labelOpts = append(labelOpts, label.DisableSecOpt()...)
- } else if pidConfig.PidMode.IsContainer() {
- ctr, err := runtime.LookupContainer(pidConfig.PidMode.Container())
+ } else if pidConfig.IsContainer() {
+ ctr, err := runtime.LookupContainer(pidConfig.Value)
if err != nil {
- return errors.Wrapf(err, "container %q not found", pidConfig.PidMode.Container())
+ return errors.Wrapf(err, "container %q not found", pidConfig.Value)
}
secopts, err := label.DupSecOpt(ctr.ProcessLabel())
if err != nil {
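Review bot: The doc comment kept at the top of the hunk still says SetLabelOpts sets the label options "of the SecurityConfig", but the method now hangs off SpecGenerator and writes s.SelinuxOpts. Suggest `// SetLabelOpts sets s.SelinuxOpts from the runtime's labeling setting, the Privileged flag and the PID and IPC namespace modes; it returns an error if a referenced container cannot be looked up.` The method dereferences runtime unconditionally via runtime.EnableLabeling(), so a nil runtime panics — worth stating in the comment if that is the intended contract. The function body continues in the following hunks.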
@@ -35,12 +29,12 @@ func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidCon
labelOpts = append(labelOpts, secopts...)
}
- if ipcConfig.IpcMode.IsHost() {
+ if ipcConfig.IsHost() {
labelOpts = append(labelOpts, label.DisableSecOpt()...)
- } else if ipcConfig.IpcMode.IsContainer() {
- ctr, err := runtime.LookupContainer(ipcConfig.IpcMode.Container())
+ } else if ipcConfig.IsContainer() {
+ ctr, err := runtime.LookupContainer(ipcConfig.Value)
if err != nil {
- return errors.Wrapf(err, "container %q not found", ipcConfig.IpcMode.Container())
+ return errors.Wrapf(err, "container %q not found", ipcConfig.Value)
}
secopts, err := label.DupSecOpt(ctr.ProcessLabel())
if err != nil {
@@ -49,13 +43,7 @@ func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidCon
labelOpts = append(labelOpts, secopts...)
}
- c.LabelOpts = append(c.LabelOpts, labelOpts...)
- return nil
-}
-*/
-
-// SetSecurityOpts the the security options (labels, apparmor, seccomp, etc.).
-func SetSecurityOpts(securityOpts []string) error {
+ s.SelinuxOpts = append(s.SelinuxOpts, labelOpts...)
return nil
}
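Review bot: The final assignment appends labelOpts to whatever s.SelinuxOpts already holds, while the early-return branch at the top of the function overwrites it with label.DisableSecOpt(), so the two exits disagree about pre-existing options. CompleteSpec only calls SetLabelOpts when SelinuxOpts is empty, which masks the difference today, but any other caller would get user-supplied options mixed with the derived ones. If overwrite is the intended semantics, `s.SelinuxOpts = labelOpts` matches the privileged branch; if append is intended, the early return should append too. The function's signature and first branch are in the earlier hunk of this file.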
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 8482ef2c9..1a05733f9 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -228,14 +228,6 @@ type ContainerSecurityConfig struct {
// If SELinux is enabled and this is not specified, a label will be
// automatically generated if not specified.
// Optional.
- SelinuxProcessLabel string `json:"selinux_process_label,omitempty"`
- // SelinuxMountLabel is the mount label the container will use.
- // If SELinux is enabled and this is not specified, a label will be
- // automatically generated if not specified.
- // Optional.
- SelinuxMountLabel string `json:"selinux_mount_label,omitempty"`
- // SelinuxOpts are options for configuring SELinux.
- // Optional.
SelinuxOpts []string `json:"selinux_opts,omitempty"`
// ApparmorProfile is the name of the Apparmor profile the container
// will use.
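Review bot: The comment that now sits directly above SelinuxOpts is the tail of the removed SelinuxProcessLabel description ("a label will be automatically generated if not specified"), because the hunk deletes the SelinuxOpts comment but keeps the first field's comment lines; that comment's opening line is above the hunk. Restore the field's own comment, `// SelinuxOpts are options for configuring SELinux.` followed by `// Optional.`, and delete the orphaned lines so godoc describes the right field.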