Add support for selecting kvm and systemd labels

In order to better support kata containers and systemd containers
container-selinux has added new types. Podman should execute the
container with an SELinux process label to match the container type.

Traditional Container process : container_t
KVM Container Process: containre_kvm_t
PID 1 Init process: container_init_t

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

7 files changed, 59 insertions, 22 deletions

diff --git a/libpod/container.go b/libpod/container.go
index c1deb95f9..a1848b96a 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -564,6 +564,11 @@ func (c *Container) MountLabel() string {
 	return c.config.MountLabel
 }
 
+// Systemd returns whether the container will be running in systemd mode
+func (c *Container) Systemd() bool {
+	return c.config.Systemd
+}
+
 // User returns the user who the container is run as
 func (c *Container) User() string {
 	return c.config.User
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index c930017a4..50bd9bc25 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -19,6 +19,7 @@ import (
 	"github.com/containers/libpod/pkg/hooks"
 	"github.com/containers/libpod/pkg/hooks/exec"
 	"github.com/containers/libpod/pkg/rootless"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/mount"
@@ -430,7 +431,22 @@ func (c *Container) setupStorage(ctx context.Context) error {
 
 	c.config.IDMappings.UIDMap = containerInfo.UIDMap
 	c.config.IDMappings.GIDMap = containerInfo.GIDMap
-	c.config.ProcessLabel = containerInfo.ProcessLabel
+
+	processLabel := containerInfo.ProcessLabel
+	switch {
+	case c.ociRuntime.SupportsKVM():
+		processLabel, err = util.SELinuxKVMLabel(processLabel)
+		if err != nil {
+			return err
+		}
+	case c.config.Systemd:
+		processLabel, err = util.SELinuxInitLabel(processLabel)
+		if err != nil {
+			return err
+		}
+	}
+
+	c.config.ProcessLabel = processLabel
 	c.config.MountLabel = containerInfo.MountLabel
 	c.config.StaticDir = containerInfo.Dir
 	c.state.RunDir = containerInfo.RunDir
diff --git a/libpod/oci.go b/libpod/oci.go
index 6adf42497..9991c5625 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -103,6 +103,9 @@ type OCIRuntime interface {
 	// SupportsNoCgroups is whether the runtime supports running containers
 	// without cgroups.
 	SupportsNoCgroups() bool
+	// SupportsKVM os whether the OCI runtime supports running containers
+	// without KVM separation
+	SupportsKVM() bool
 
 	// AttachSocketPath is the path to the socket to attach to a given
 	// container.
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 18b438792..0113f7d8e 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -60,6 +60,7 @@ type ConmonOCIRuntime struct {
 	noPivot           bool
 	reservePorts      bool
 	supportsJSON      bool
+	supportsKVM       bool
 	supportsNoCgroups bool
 	sdNotify          bool
 }
@@ -70,11 +71,25 @@ type ConmonOCIRuntime struct {
 // The first path that points to a valid executable will be used.
 // Deliberately private. Someone should not be able to construct this outside of
 // libpod.
-func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtimeCfg *config.Config, supportsJSON, supportsNoCgroups bool) (OCIRuntime, error) {
+func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtimeCfg *config.Config) (OCIRuntime, error) {
 	if name == "" {
 		return nil, errors.Wrapf(define.ErrInvalidArg, "the OCI runtime must be provided a non-empty name")
 	}
 
+	// Make lookup tables for runtime support
+	supportsJSON := make(map[string]bool, len(runtimeCfg.Engine.RuntimeSupportsJSON))
+	supportsNoCgroups := make(map[string]bool, len(runtimeCfg.Engine.RuntimeSupportsNoCgroups))
+	supportsKVM := make(map[string]bool, len(runtimeCfg.Engine.RuntimeSupportsKVM))
+	for _, r := range runtimeCfg.Engine.RuntimeSupportsJSON {
+		supportsJSON[r] = true
+	}
+	for _, r := range runtimeCfg.Engine.RuntimeSupportsNoCgroups {
+		supportsNoCgroups[r] = true
+	}
+	for _, r := range runtimeCfg.Engine.RuntimeSupportsKVM {
+		supportsKVM[r] = true
+	}
+
 	runtime := new(ConmonOCIRuntime)
 	runtime.name = name
 	runtime.conmonPath = conmonPath
@@ -89,8 +104,9 @@ func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtime
 
 	// TODO: probe OCI runtime for feature and enable automatically if
 	// available.
-	runtime.supportsJSON = supportsJSON
-	runtime.supportsNoCgroups = supportsNoCgroups
+	runtime.supportsJSON = supportsJSON[name]
+	runtime.supportsNoCgroups = supportsNoCgroups[name]
+	runtime.supportsKVM = supportsKVM[name]
 
 	foundPath := false
 	for _, path := range paths {
@@ -971,6 +987,12 @@ func (r *ConmonOCIRuntime) SupportsNoCgroups() bool {
 	return r.supportsNoCgroups
 }
 
+// SupportsKVM checks if the OCI runtime supports running containers
+// without KVM separation
+func (r *ConmonOCIRuntime) SupportsKVM() bool {
+	return r.supportsKVM
+}
+
 // AttachSocketPath is the path to a single container's attach socket.
 func (r *ConmonOCIRuntime) AttachSocketPath(ctr *Container) (string, error) {
 	if ctr == nil {
diff --git a/libpod/oci_conmon_unsupported.go b/libpod/oci_conmon_unsupported.go
index 1f9d89ff6..309e0d417 100644
--- a/libpod/oci_conmon_unsupported.go
+++ b/libpod/oci_conmon_unsupported.go
@@ -17,7 +17,7 @@ type ConmonOCIRuntime struct {
 }
 
 // newConmonOCIRuntime is not supported on this OS.
-func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtimeCfg *config.Config, supportsJSON, supportsNoCgroups bool) (OCIRuntime, error) {
+func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtimeCfg *config.Config) (OCIRuntime, error) {
 	return nil, define.ErrNotImplemented
 }
 
diff --git a/libpod/oci_missing.go b/libpod/oci_missing.go
index 5284fb4b7..172805b0d 100644
--- a/libpod/oci_missing.go
+++ b/libpod/oci_missing.go
@@ -168,6 +168,12 @@ func (r *MissingRuntime) SupportsNoCgroups() bool {
 	return false
 }
 
+// SupportsKVM checks if the OCI runtime supports running containers
+// without KVM separation
+func (r *MissingRuntime) SupportsKVM() bool {
+	return false
+}
+
 // AttachSocketPath does not work as there is no runtime to attach to.
 // (Theoretically we could follow ExitFilePath but there is no guarantee the
 // container is running and thus has an attach socket...)
diff --git a/libpod/runtime.go b/libpod/runtime.go
index a6032ad23..e54f51af1 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -359,25 +359,13 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) {
 		}
 	}
 
-	// Make lookup tables for runtime support
-	supportsJSON := make(map[string]bool)
-	supportsNoCgroups := make(map[string]bool)
-	for _, r := range runtime.config.Engine.RuntimeSupportsJSON {
-		supportsJSON[r] = true
-	}
-	for _, r := range runtime.config.Engine.RuntimeSupportsNoCgroups {
-		supportsNoCgroups[r] = true
-	}
-
 	// Get us at least one working OCI runtime.
 	runtime.ociRuntimes = make(map[string]OCIRuntime)
 
 	// Initialize remaining OCI runtimes
 	for name, paths := range runtime.config.Engine.OCIRuntimes {
-		json := supportsJSON[name]
-		nocgroups := supportsNoCgroups[name]
 
-		ociRuntime, err := newConmonOCIRuntime(name, paths, runtime.conmonPath, runtime.config, json, nocgroups)
+		ociRuntime, err := newConmonOCIRuntime(name, paths, runtime.conmonPath, runtime.config)
 		if err != nil {
 			// Don't fatally error.
 			// This will allow us to ship configs including optional
@@ -397,10 +385,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) {
 		if strings.HasPrefix(runtime.config.Engine.OCIRuntime, "/") {
 			name := filepath.Base(runtime.config.Engine.OCIRuntime)
 
-			json := supportsJSON[name]
-			nocgroups := supportsNoCgroups[name]
-
-			ociRuntime, err := newConmonOCIRuntime(name, []string{runtime.config.Engine.OCIRuntime}, runtime.conmonPath, runtime.config, json, nocgroups)
+			ociRuntime, err := newConmonOCIRuntime(name, []string{runtime.config.Engine.OCIRuntime}, runtime.conmonPath, runtime.config)
 			if err != nil {
 				return err
 			}