summaryrefslogtreecommitdiff
path: root/pkg/util
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2020-04-15 14:48:53 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2020-04-15 16:52:16 -0400
commitc4ca3c71ffe3c08bc74158340b3427d00efdfe32 (patch)
tree46a81877ca430ebf3f2161f6b582773fd3dd869d /pkg/util
parent195cb11276d61311bbd2b5274ac7a98b62abaaba (diff)
downloadpodman-c4ca3c71ffe3c08bc74158340b3427d00efdfe32.tar.gz
podman-c4ca3c71ffe3c08bc74158340b3427d00efdfe32.tar.bz2
podman-c4ca3c71ffe3c08bc74158340b3427d00efdfe32.zip
Add support for selecting kvm and systemd labels
In order to better support kata containers and systemd containers container-selinux has added new types. Podman should execute the container with an SELinux process label to match the container type. Traditional Container process : container_t KVM Container Process: containre_kvm_t PID 1 Init process: container_init_t Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/util')
-rw-r--r--pkg/util/utils.go36
1 files changed, 36 insertions, 0 deletions
diff --git a/pkg/util/utils.go b/pkg/util/utils.go
index 1051ed311..2500693d7 100644
--- a/pkg/util/utils.go
+++ b/pkg/util/utils.go
@@ -22,6 +22,7 @@ import (
"github.com/containers/storage"
"github.com/containers/storage/pkg/idtools"
v1 "github.com/opencontainers/image-spec/specs-go/v1"
+ "github.com/opencontainers/selinux/go-selinux"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/spf13/pflag"
@@ -666,3 +667,38 @@ func ValidateSysctls(strSlice []string) (map[string]string, error) {
}
return sysctl, nil
}
+
+// SELinuxKVMLabel returns labels for running kvm isolated containers
+func SELinuxKVMLabel(cLabel string) (string, error) {
+ if cLabel == "" {
+ // selinux is disabled
+ return "", nil
+ }
+ processLabel, _ := selinux.KVMContainerLabels()
+ selinux.ReleaseLabel(processLabel)
+ return swapSELinuxLabel(cLabel, processLabel)
+}
+
+// SELinuxInitLabel returns labels for running systemd based containers
+func SELinuxInitLabel(cLabel string) (string, error) {
+ if cLabel == "" {
+ // selinux is disabled
+ return "", nil
+ }
+ processLabel, _ := selinux.InitContainerLabels()
+ selinux.ReleaseLabel(processLabel)
+ return swapSELinuxLabel(cLabel, processLabel)
+}
+
+func swapSELinuxLabel(cLabel, processLabel string) (string, error) {
+ dcon, err := selinux.NewContext(cLabel)
+ if err != nil {
+ return "", err
+ }
+ scon, err := selinux.NewContext(processLabel)
+ if err != nil {
+ return "", err
+ }
+ dcon["type"] = scon["type"]
+ return dcon.Get(), nil
+}