aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cmd/podman/create.go2
-rw-r--r--docs/libpod.conf.5.md3
-rw-r--r--docs/podman-create.1.md4
-rw-r--r--docs/podman-run.1.md4
-rw-r--r--libpod.conf3
-rw-r--r--libpod/container_internal_linux.go22
-rw-r--r--libpod/options.go12
-rw-r--r--libpod/runtime.go3
-rw-r--r--libpod/runtime_ctr.go32
-rw-r--r--pkg/spec/createconfig.go22
-rw-r--r--pkg/spec/spec.go2
11 files changed, 84 insertions, 25 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index ce62bd278..6842a9f77 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -317,7 +317,7 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
}
}
}
- config.ProcessLabel, config.MountLabel, err = label.InitLabels(labelOpts)
+ config.LabelOpts = labelOpts
return err
}
diff --git a/docs/libpod.conf.5.md b/docs/libpod.conf.5.md
index e881c4296..198e927ee 100644
--- a/docs/libpod.conf.5.md
+++ b/docs/libpod.conf.5.md
@@ -59,6 +59,9 @@ libpod to manage containers.
The default namespace is "", which corresponds to no namespace. When no namespace is set, all
containers and pods are visible.
+**label**="true|false"
+ Indicates whether the containers should use label separation.
+
## FILES
`/usr/share/containers/libpod.conf`, default libpod configuration path
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 8cbe64a3e..01e072005 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -506,6 +506,8 @@ Security Options
"seccomp=unconfined" : Turn off seccomp confinement for the container
"seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter
+Note: Labelling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file.
+
**--shm-size**=""
Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.
@@ -736,7 +738,7 @@ $ podman create --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
**/etc/subgid**
## SEE ALSO
-subgid(5), subuid(5)
+subgid(5), subuid(5), libpod.conf(5)
## HISTORY
October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com>
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 0960125a3..a4c47f5de 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -528,6 +528,8 @@ Security Options
- `seccomp=unconfined` : Turn off seccomp confinement for the container
- `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter
+Note: Labelling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file.
+
**--shm-size**=""
Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.
@@ -1025,7 +1027,7 @@ $ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
**/etc/subgid**
## SEE ALSO
-subgid(5), subuid(5)
+subgid(5), subuid(5), libpod.conf(5)
## HISTORY
October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com>
diff --git a/libpod.conf b/libpod.conf
index dcfeb67cc..2976cec02 100644
--- a/libpod.conf
+++ b/libpod.conf
@@ -88,3 +88,6 @@ pause_command = "/pause"
# significant memory usage if a container has many ports forwarded to it.
# Disabling this can save memory.
#enable_port_reservation = true
+
+# Default libpod support for container labeling
+# label=true
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index f9e161cb3..b77beaf64 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -98,6 +98,28 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
}
+ // Check if the spec file mounts contain the label Relabel flags z or Z.
+ // If they do, relabel the source directory and then remove the option.
+ for _, m := range g.Mounts() {
+ var options []string
+ for _, o := range m.Options {
+ switch o {
+ case "z":
+ fallthrough
+ case "Z":
+ if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil {
+ return nil, errors.Wrapf(err, "relabel failed %q", m.Source)
+ }
+
+ default:
+ options = append(options, o)
+ }
+ }
+ m.Options = options
+ }
+
+ g.SetProcessSelinuxLabel(c.ProcessLabel())
+ g.SetLinuxMountLabel(c.MountLabel())
// Remove the default /dev/shm mount to ensure we overwrite it
g.RemoveMount("/dev/shm")
diff --git a/libpod/options.go b/libpod/options.go
index 1a29c0705..977f3f4c2 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -373,15 +373,17 @@ func WithPrivileged(privileged bool) CtrCreateOption {
}
}
-// WithSELinuxLabels sets the mount label for SELinux.
-func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
+// WithSecLabels sets the labels for SELinux.
+func WithSecLabels(labelOpts []string) CtrCreateOption {
return func(ctr *Container) error {
if ctr.valid {
return ErrCtrFinalized
}
-
- ctr.config.ProcessLabel = processLabel
- ctr.config.MountLabel = mountLabel
+ var err error
+ ctr.config.ProcessLabel, ctr.config.MountLabel, err = ctr.runtime.initLabels(labelOpts)
+ if err != nil {
+ return errors.Wrapf(err, "failed to init labels")
+ }
return nil
}
}
diff --git a/libpod/runtime.go b/libpod/runtime.go
index c69854a17..fbd4c7529 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -172,6 +172,8 @@ type RuntimeConfig struct {
// However, this can cause significant memory usage if a container has
// many ports forwarded to it. Disabling this can save memory.
EnablePortReservation bool `toml:"enable_port_reservation"`
+ // EnableLabeling indicates wether libpod will support container labeling
+ EnableLabeling bool `toml:"label"`
}
var (
@@ -209,6 +211,7 @@ var (
InfraCommand: DefaultInfraCommand,
InfraImage: DefaultInfraImage,
EnablePortReservation: true,
+ EnableLabeling: true,
}
)
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index a0b576bcd..6c487e367 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -11,6 +11,7 @@ import (
"github.com/containers/storage"
"github.com/containers/storage/pkg/stringid"
spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/ulule/deepcopier"
@@ -77,6 +78,7 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..
ctr.config.Namespace = r.config.Namespace
}
+ ctr.runtime = r
for _, option := range options {
if err := option(ctr); err != nil {
return nil, errors.Wrapf(err, "error running container create option")
@@ -85,7 +87,6 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..
ctr.valid = true
ctr.state.State = ContainerStateConfigured
- ctr.runtime = r
var pod *Pod
if ctr.config.Pod != "" {
@@ -327,6 +328,10 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool)
}
}
+ if r.config.EnableLabeling {
+ label.ReleaseLabel(c.ProcessLabel())
+ r.reserveLabels()
+ }
// Delete the container
// Only do this if we're not ContainerStateConfigured - if we are,
// we haven't been created in the runtime yet
@@ -460,3 +465,28 @@ func (r *Runtime) GetLatestContainer() (*Container, error) {
}
return ctrs[lastCreatedIndex], nil
}
+
+// reserveLabels walks the list o fcontainers and reserves the label, so new containers will not
+// get them.
+// TODO Performance wise this should only run if the state has changed since the last time it was run.
+func (r *Runtime) reserveLabels() error {
+ containers, err := r.state.AllContainers()
+ if err != nil {
+ return err
+ }
+ for _, ctr := range containers {
+ label.ReserveLabel(ctr.ProcessLabel())
+ }
+ return nil
+}
+
+// initLabels allocates an new label to return to the caller
+func (r *Runtime) initLabels(labelOpts []string) (string, string, error) {
+ if !r.config.EnableLabeling {
+ return "", "", nil
+ }
+ if err := r.reserveLabels(); err != nil {
+ return "", "", errors.Wrapf(err, "unable to reserve labels")
+ }
+ return label.InitLabels(labelOpts)
+}
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index a441b4019..328e3763c 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -15,7 +15,6 @@ import (
"github.com/docker/go-connections/nat"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
- "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
@@ -126,12 +125,11 @@ type CreateConfig struct {
UtsMode namespaces.UTSMode //uts
Volumes []string //volume
VolumesFrom []string
- WorkDir string //workdir
- MountLabel string //SecurityOpts
- ProcessLabel string //SecurityOpts
- NoNewPrivs bool //SecurityOpts
- ApparmorProfile string //SecurityOpts
- SeccompProfilePath string //SecurityOpts
+ WorkDir string //workdir
+ LabelOpts []string //SecurityOpts
+ NoNewPrivs bool //SecurityOpts
+ ApparmorProfile string //SecurityOpts
+ SeccompProfilePath string //SecurityOpts
SecurityOpts []string
Rootfs string
LocalVolumes []string //Keeps track of the built-in volumes of container used in the --volumes-from flag
@@ -179,14 +177,10 @@ func (c *CreateConfig) GetVolumeMounts(specMounts []spec.Mount) ([]spec.Mount, e
options = append(options, "rw")
}
if foundz {
- if err := label.Relabel(spliti[0], c.MountLabel, true); err != nil {
- return nil, errors.Wrapf(err, "relabel failed %q", spliti[0])
- }
+ options = append(options, "z")
}
if foundZ {
- if err := label.Relabel(spliti[0], c.MountLabel, false); err != nil {
- return nil, errors.Wrapf(err, "relabel failed %q", spliti[0])
- }
+ options = append(options, "Z")
}
if rootProp == "" {
options = append(options, "rprivate")
@@ -449,7 +443,7 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]lib
useImageVolumes := c.ImageVolumeType == "bind"
// Gather up the options for NewContainer which consist of With... funcs
options = append(options, libpod.WithRootFSFromImage(c.ImageID, c.Image, useImageVolumes))
- options = append(options, libpod.WithSELinuxLabels(c.ProcessLabel, c.MountLabel))
+ options = append(options, libpod.WithSecLabels(c.LabelOpts))
options = append(options, libpod.WithConmonPidFile(c.ConmonPidFile))
options = append(options, libpod.WithLabels(c.Labels))
options = append(options, libpod.WithUser(c.User))
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 3634b0b33..e115bba7f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -211,8 +211,6 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
// SECURITY OPTS
g.SetProcessNoNewPrivileges(config.NoNewPrivs)
g.SetProcessApparmorProfile(config.ApparmorProfile)
- g.SetProcessSelinuxLabel(config.ProcessLabel)
- g.SetLinuxMountLabel(config.MountLabel)
if canAddResources {
blockAccessToKernelFilesystems(config, &g)