authorAdrian Reber <areber@redhat.com>2019-02-20 16:42:44 +0000
committerAdrian Reber <adrian@lisas.de>2019-02-26 11:28:54 +0100
commit0a8a1deed1bae2fa2e4d3972fa01196e34fcab7f (patch)
tree98bfa3221e6140fe6ee726184c1e31c4aa0596a0
parent05450f3162347b2d2b2f61559a6b8261f7dffec9 (diff)
Label CRIU log files correctly
CRIU creates a log file during checkpointing in .../userdata/dump.log. The problem with this file is that CRIU injects parasite code into the container processes and this parasite code also writes to the same log file. At this point a process from the inside of the container is trying to access the log file on the outside of the container and SELinux prohibits this. To enable writing to the log file from the injected parasite code, this commit creates an empty log file and labels the log file with c.MountLabel(). CRIU uses existing files when writing its logs, so the log file label persists and now, with the correct label, SELinux no longer blocks access to the log file. Signed-off-by: Adrian Reber <areber@redhat.com>
-rw-r--r--libpod/container_internal_linux.go13
1 files changed, 13 insertions, 0 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index f182b6bdf..b074efa3a 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -481,6 +481,19 @@ func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointO
if c.state.State != ContainerStateRunning {
return errors.Wrapf(ErrCtrStateInvalid, "%q is not running, cannot checkpoint", c.state.State)
}
+
+ // Create the CRIU log file and label it
+ dumpLog := filepath.Join(c.bundlePath(), "dump.log")
+
+ logFile, err := os.OpenFile(dumpLog, os.O_CREATE, 0600)
+ if err != nil {
+ return errors.Wrapf(err, "failed to create CRIU log file %q", dumpLog)
+ }
+ logFile.Close()
+ if err = label.SetFileLabel(dumpLog, c.MountLabel()); err != nil {
+ return errors.Wrapf(err, "failed to label CRIU log file %q", dumpLog)
+ }
+
if err := c.runtime.ociRuntime.checkpointContainer(c, options); err != nil {
return err
}
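Review bot: The `os.OpenFile(dumpLog, os.O_CREATE, 0600)` call reuses whatever already sits at `dump.log`, so the 0600 mode only applies to a newly created file and an existing symlink would be followed; the path is then relabelled with `c.MountLabel()`, which grants the container's SELinux context access to it. Assuming the bundle directory is writable only by the runtime this is low risk, but opening with `os.O_CREATE|os.O_WRONLY|syscall.O_NOFOLLOW` and confirming the result is a regular file before `label.SetFileLabel` would make that assumption explicit. The return value of `logFile.Close()` is also dropped; `if err = logFile.Close(); err != nil { return errors.Wrapf(err, "failed to close CRIU log file %q", dumpLog) }` would match the error handling of the surrounding lines. Because the injected parasite code writes into this file, I would extend the comment to `// Create the CRIU log file and label it; its content is partly written from inside the container` so later readers treat the log as untrusted input. The body of `checkpoint` starts and ends outside the hunk.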