aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKenton Groombridge <me@concord.sh>2022-01-31 12:05:43 -0500
committerKenton Groombridge <me@concord.sh>2022-03-08 10:57:26 -0500
commitbd0766e9668f9dc186684223bea7b6388102ecb8 (patch)
tree3829b941ecd0c337d74c50186129eb9a7e2ffdb7
parentf33b64d8b7d7b2bd22560cfacc90e25d1f9e16b4 (diff)
downloadpodman-bd0766e9668f9dc186684223bea7b6388102ecb8.tar.gz
podman-bd0766e9668f9dc186684223bea7b6388102ecb8.tar.bz2
podman-bd0766e9668f9dc186684223bea7b6388102ecb8.zip
selinux: remove explicit range transition when starting conmon
Do not explicitly transition to s0 when starting conmon. Instead, the policy should implement this behavior. [NO NEW TESTS NEEDED] This is dependent on the SELinux policy to implement the desired behavior. Additionally, entirely custom SELinux policies may choose to implement the behavior differently. Signed-off-by: Kenton Groombridge <me@concord.sh>
-rw-r--r--libpod/oci_conmon_exec_linux.go2
-rw-r--r--libpod/oci_conmon_linux.go49
2 files changed, 4 insertions, 47 deletions
diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
index aa970bbde..c88ef2c67 100644
--- a/libpod/oci_conmon_exec_linux.go
+++ b/libpod/oci_conmon_exec_linux.go
@@ -462,7 +462,7 @@ func (r *ConmonOCIRuntime) startExec(c *Container, sessionID string, options *Ex
Setpgid: true,
}
- err = startCommandGivenSelinux(execCmd, c)
+ err = startCommand(execCmd, c)
// We don't need children pipes on the parent side
errorhandling.CloseQuiet(childSyncPipe)
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index a328f7621..cf439cd33 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -37,7 +37,6 @@ import (
pmount "github.com/containers/storage/pkg/mount"
"github.com/coreos/go-systemd/v22/daemon"
spec "github.com/opencontainers/runtime-spec/specs-go"
- "github.com/opencontainers/selinux/go-selinux"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -1245,7 +1244,7 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
if restoreOptions != nil {
runtimeRestoreStarted = time.Now()
}
- err = startCommandGivenSelinux(cmd, ctr)
+ err = startCommand(cmd, ctr)
// regardless of whether we errored or not, we no longer need the children pipes
childSyncPipe.Close()
@@ -1412,9 +1411,7 @@ func (r *ConmonOCIRuntime) sharedConmonArgs(ctr *Container, cuuid, bundlePath, p
return args
}
-// startCommandGivenSelinux starts a container ensuring to set the labels of
-// the process to make sure SELinux doesn't block conmon communication, if SELinux is enabled
-func startCommandGivenSelinux(cmd *exec.Cmd, ctr *Container) error {
+func startCommand(cmd *exec.Cmd, ctr *Container) error {
// Make sure to unset the NOTIFY_SOCKET and reset if afterwards if needed.
switch ctr.config.SdNotifyMode {
case define.SdNotifyModeContainer, define.SdNotifyModeIgnore:
@@ -1431,47 +1428,7 @@ func startCommandGivenSelinux(cmd *exec.Cmd, ctr *Container) error {
}
}
- if !selinux.GetEnabled() {
- return cmd.Start()
- }
- // Set the label of the conmon process to be level :s0
- // This will allow the container processes to talk to fifo-files
- // passed into the container by conmon
- var (
- plabel string
- con selinux.Context
- err error
- )
- plabel, err = selinux.CurrentLabel()
- if err != nil {
- return errors.Wrapf(err, "failed to get current SELinux label")
- }
-
- con, err = selinux.NewContext(plabel)
- if err != nil {
- return errors.Wrapf(err, "failed to get new context from SELinux label")
- }
-
- runtime.LockOSThread()
- if con["level"] != "s0" && con["level"] != "" {
- con["level"] = "s0"
- if err = label.SetProcessLabel(con.Get()); err != nil {
- runtime.UnlockOSThread()
- return err
- }
- }
- err = cmd.Start()
- // Ignore error returned from SetProcessLabel("") call,
- // can't recover.
- if labelErr := label.SetProcessLabel(""); labelErr == nil {
- // Unlock the thread only if the process label could be restored
- // successfully. Otherwise leave the thread locked and the Go runtime
- // will terminate it once it returns to the threads pool.
- runtime.UnlockOSThread()
- } else {
- logrus.Errorf("Unable to set process label: %q", labelErr)
- }
- return err
+ return cmd.Start()
}
// moveConmonToCgroupAndSignal gets a container's cgroupParent and moves the conmon process to that cgroup