diff options
| -rw-r--r-- | cmd/podman/create.go | 2 | ||||
| -rw-r--r-- | docs/libpod.conf.5.md | 3 | ||||
| -rw-r--r-- | docs/podman-create.1.md | 4 | ||||
| -rw-r--r-- | docs/podman-run.1.md | 4 | ||||
| -rw-r--r-- | libpod.conf | 3 | ||||
| -rw-r--r-- | libpod/container_internal_linux.go | 22 | ||||
| -rw-r--r-- | libpod/options.go | 12 | ||||
| -rw-r--r-- | libpod/runtime.go | 3 | ||||
| -rw-r--r-- | libpod/runtime_ctr.go | 32 | ||||
| -rw-r--r-- | pkg/spec/createconfig.go | 22 | ||||
| -rw-r--r-- | pkg/spec/spec.go | 2 |
11 files changed, 84 insertions, 25 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go index ce62bd278..6842a9f77 100644 --- a/cmd/podman/create.go +++ b/cmd/podman/create.go @@ -317,7 +317,7 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error { } } } - config.ProcessLabel, config.MountLabel, err = label.InitLabels(labelOpts) + config.LabelOpts = labelOpts return err } diff --git a/docs/libpod.conf.5.md b/docs/libpod.conf.5.md index e881c4296..198e927ee 100644 --- a/docs/libpod.conf.5.md +++ b/docs/libpod.conf.5.md @@ -59,6 +59,9 @@ libpod to manage containers. The default namespace is "", which corresponds to no namespace. When no namespace is set, all containers and pods are visible. +**label**="true|false" + Indicates whether the containers should use label separation. + ## FILES `/usr/share/containers/libpod.conf`, default libpod configuration path diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md index 8cbe64a3e..01e072005 100644 --- a/docs/podman-create.1.md +++ b/docs/podman-create.1.md @@ -506,6 +506,8 @@ Security Options "seccomp=unconfined" : Turn off seccomp confinement for the container "seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter +Note: Labelling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file. + **--shm-size**="" Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. @@ -736,7 +738,7 @@ $ podman create --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello **/etc/subgid** ## SEE ALSO -subgid(5), subuid(5) +subgid(5), subuid(5), libpod.conf(5) ## HISTORY October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com> diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md index 0960125a3..a4c47f5de 100644 --- a/docs/podman-run.1.md +++ b/docs/podman-run.1.md @@ -528,6 +528,8 @@ Security Options - `seccomp=unconfined` : Turn off seccomp confinement for the container - `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter +Note: Labelling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file. + **--shm-size**="" Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. @@ -1025,7 +1027,7 @@ $ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello **/etc/subgid** ## SEE ALSO -subgid(5), subuid(5) +subgid(5), subuid(5), libpod.conf(5) ## HISTORY October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com> diff --git a/libpod.conf b/libpod.conf index dcfeb67cc..2976cec02 100644 --- a/libpod.conf +++ b/libpod.conf @@ -88,3 +88,6 @@ pause_command = "/pause" # significant memory usage if a container has many ports forwarded to it. # Disabling this can save memory. #enable_port_reservation = true + +# Default libpod support for container labeling +# label=true diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index f9e161cb3..b77beaf64 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -98,6 +98,28 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } } + // Check if the spec file mounts contain the label Relabel flags z or Z. + // If they do, relabel the source directory and then remove the option. + for _, m := range g.Mounts() { + var options []string + for _, o := range m.Options { + switch o { + case "z": + fallthrough + case "Z": + if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil { + return nil, errors.Wrapf(err, "relabel failed %q", m.Source) + } + + default: + options = append(options, o) + } + } + m.Options = options + } + + g.SetProcessSelinuxLabel(c.ProcessLabel()) + g.SetLinuxMountLabel(c.MountLabel()) // Remove the default /dev/shm mount to ensure we overwrite it g.RemoveMount("/dev/shm") diff --git a/libpod/options.go b/libpod/options.go index 1a29c0705..977f3f4c2 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -373,15 +373,17 @@ func WithPrivileged(privileged bool) CtrCreateOption { } } -// WithSELinuxLabels sets the mount label for SELinux. -func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption { +// WithSecLabels sets the labels for SELinux. +func WithSecLabels(labelOpts []string) CtrCreateOption { return func(ctr *Container) error { if ctr.valid { return ErrCtrFinalized } - - ctr.config.ProcessLabel = processLabel - ctr.config.MountLabel = mountLabel + var err error + ctr.config.ProcessLabel, ctr.config.MountLabel, err = ctr.runtime.initLabels(labelOpts) + if err != nil { + return errors.Wrapf(err, "failed to init labels") + } return nil } } diff --git a/libpod/runtime.go b/libpod/runtime.go index c69854a17..fbd4c7529 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -172,6 +172,8 @@ type RuntimeConfig struct { // However, this can cause significant memory usage if a container has // many ports forwarded to it. Disabling this can save memory. EnablePortReservation bool `toml:"enable_port_reservation"` + // EnableLabeling indicates wether libpod will support container labeling + EnableLabeling bool `toml:"label"` } var ( @@ -209,6 +211,7 @@ var ( InfraCommand: DefaultInfraCommand, InfraImage: DefaultInfraImage, EnablePortReservation: true, + EnableLabeling: true, } ) diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index a0b576bcd..6c487e367 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go @@ -11,6 +11,7 @@ import ( "github.com/containers/storage" "github.com/containers/storage/pkg/stringid" spec "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/ulule/deepcopier" @@ -77,6 +78,7 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options .. ctr.config.Namespace = r.config.Namespace } + ctr.runtime = r for _, option := range options { if err := option(ctr); err != nil { return nil, errors.Wrapf(err, "error running container create option") @@ -85,7 +87,6 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options .. ctr.valid = true ctr.state.State = ContainerStateConfigured - ctr.runtime = r var pod *Pod if ctr.config.Pod != "" { @@ -327,6 +328,10 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool) } } + if r.config.EnableLabeling { + label.ReleaseLabel(c.ProcessLabel()) + r.reserveLabels() + } // Delete the container // Only do this if we're not ContainerStateConfigured - if we are, // we haven't been created in the runtime yet @@ -460,3 +465,28 @@ func (r *Runtime) GetLatestContainer() (*Container, error) { } return ctrs[lastCreatedIndex], nil } + +// reserveLabels walks the list o fcontainers and reserves the label, so new containers will not +// get them. +// TODO Performance wise this should only run if the state has changed since the last time it was run. +func (r *Runtime) reserveLabels() error { + containers, err := r.state.AllContainers() + if err != nil { + return err + } + for _, ctr := range containers { + label.ReserveLabel(ctr.ProcessLabel()) + } + return nil +} + +// initLabels allocates an new label to return to the caller +func (r *Runtime) initLabels(labelOpts []string) (string, string, error) { + if !r.config.EnableLabeling { + return "", "", nil + } + if err := r.reserveLabels(); err != nil { + return "", "", errors.Wrapf(err, "unable to reserve labels") + } + return label.InitLabels(labelOpts) +} diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go index a441b4019..328e3763c 100644 --- a/pkg/spec/createconfig.go +++ b/pkg/spec/createconfig.go @@ -15,7 +15,6 @@ import ( "github.com/docker/go-connections/nat" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" - "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/sys/unix" @@ -126,12 +125,11 @@ type CreateConfig struct { UtsMode namespaces.UTSMode //uts Volumes []string //volume VolumesFrom []string - WorkDir string //workdir - MountLabel string //SecurityOpts - ProcessLabel string //SecurityOpts - NoNewPrivs bool //SecurityOpts - ApparmorProfile string //SecurityOpts - SeccompProfilePath string //SecurityOpts + WorkDir string //workdir + LabelOpts []string //SecurityOpts + NoNewPrivs bool //SecurityOpts + ApparmorProfile string //SecurityOpts + SeccompProfilePath string //SecurityOpts SecurityOpts []string Rootfs string LocalVolumes []string //Keeps track of the built-in volumes of container used in the --volumes-from flag @@ -179,14 +177,10 @@ func (c *CreateConfig) GetVolumeMounts(specMounts []spec.Mount) ([]spec.Mount, e options = append(options, "rw") } if foundz { - if err := label.Relabel(spliti[0], c.MountLabel, true); err != nil { - return nil, errors.Wrapf(err, "relabel failed %q", spliti[0]) - } + options = append(options, "z") } if foundZ { - if err := label.Relabel(spliti[0], c.MountLabel, false); err != nil { - return nil, errors.Wrapf(err, "relabel failed %q", spliti[0]) - } + options = append(options, "Z") } if rootProp == "" { options = append(options, "rprivate") @@ -449,7 +443,7 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]lib useImageVolumes := c.ImageVolumeType == "bind" // Gather up the options for NewContainer which consist of With... funcs options = append(options, libpod.WithRootFSFromImage(c.ImageID, c.Image, useImageVolumes)) - options = append(options, libpod.WithSELinuxLabels(c.ProcessLabel, c.MountLabel)) + options = append(options, libpod.WithSecLabels(c.LabelOpts)) options = append(options, libpod.WithConmonPidFile(c.ConmonPidFile)) options = append(options, libpod.WithLabels(c.Labels)) options = append(options, libpod.WithUser(c.User)) diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 3634b0b33..e115bba7f 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -211,8 +211,6 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint // SECURITY OPTS g.SetProcessNoNewPrivileges(config.NoNewPrivs) g.SetProcessApparmorProfile(config.ApparmorProfile) - g.SetProcessSelinuxLabel(config.ProcessLabel) - g.SetLinuxMountLabel(config.MountLabel) if canAddResources { blockAccessToKernelFilesystems(config, &g) |