From d0f3c17912643aca73372aa87f3eadf757621ccc Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 2 Oct 2020 12:02:16 -0400 Subject: Add SELinux support for pods All containers within a Pod need to run with the same SELinux label, unless overwritten by the user. Also added a bunch of SELinux tests to make sure selinux labels are correct on namespaces. Signed-off-by: Daniel J Walsh --- libpod/pod.go | 18 +++++ pkg/specgen/generate/container_create.go | 16 +++++ test/e2e/run_selinux_test.go | 111 +++++++++++++++++++++++++++++++ 3 files changed, 145 insertions(+) diff --git a/libpod/pod.go b/libpod/pod.go index a5a0532be..c8f62ca18 100644 --- a/libpod/pod.go +++ b/libpod/pod.go @@ -327,3 +327,21 @@ func (p *Pod) GetPodStats(previousContainerStats map[string]*define.ContainerSta } return newContainerStats, nil } + +// ProcessLabel returns the SELinux label associated with the pod +func (p *Pod) ProcessLabel() (string, error) { + if !p.HasInfraContainer() { + return "", nil + } + + id, err := p.InfraContainerID() + if err != nil { + return "", err + } + + ctr, err := p.runtime.state.Container(id) + if err != nil { + return "", err + } + return ctr.ProcessLabel(), nil +} diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 2ac3b376f..147450703 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -11,6 +11,7 @@ import ( "github.com/containers/podman/v2/pkg/specgen" "github.com/containers/podman/v2/pkg/util" "github.com/containers/storage" + "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -272,6 +273,21 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen. // Security options if len(s.SelinuxOpts) > 0 { options = append(options, libpod.WithSecLabels(s.SelinuxOpts)) + } else { + if pod != nil { + // duplicate the security options from the pod + processLabel, err := pod.ProcessLabel() + if err != nil { + return nil, err + } + if processLabel != "" { + selinuxOpts, err := label.DupSecOpt(processLabel) + if err != nil { + return nil, err + } + options = append(options, libpod.WithSecLabels(selinuxOpts)) + } + } } options = append(options, libpod.WithPrivileged(s.Privileged)) diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go index 219750bcb..3294f6d3b 100644 --- a/test/e2e/run_selinux_test.go +++ b/test/e2e/run_selinux_test.go @@ -182,4 +182,115 @@ var _ = Describe("Podman run", func() { match2, _ := session.GrepString("s0:c1,c2") Expect(match2).To(BeTrue()) }) + + It("podman pod container share SELinux labels", func() { + session := podmanTest.Podman([]string{"pod", "create"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + podID := session.OutputToString() + + session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + label1 := session.OutputToString() + + session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal(label1)) + + session = podmanTest.Podman([]string{"pod", "rm", podID, "--force"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + }) + + It("podman pod container --infra=false doesn't share SELinux labels", func() { + session := podmanTest.Podman([]string{"pod", "create", "--infra=false"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + podID := session.OutputToString() + + session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + label1 := session.OutputToString() + + session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Not(Equal(label1))) + + session = podmanTest.Podman([]string{"pod", "rm", podID, "--force"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + }) + + It("podman shared IPC NS container share SELinux labels", func() { + session := podmanTest.RunTopContainer("test1") + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + label1 := session.OutputToString() + + session = podmanTest.Podman([]string{"run", "--ipc", "container:test1", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal(label1)) + }) + + It("podman shared PID NS container share SELinux labels", func() { + session := podmanTest.RunTopContainer("test1") + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + label1 := session.OutputToString() + + session = podmanTest.Podman([]string{"run", "--pid", "container:test1", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal(label1)) + }) + + It("podman shared NET NS container doesn't share SELinux labels", func() { + session := podmanTest.RunTopContainer("test1") + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + label1 := session.OutputToString() + + session = podmanTest.Podman([]string{"run", "--net", "container:test1", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Not(Equal(label1))) + }) + + It("podman test --pid=host", func() { + session := podmanTest.Podman([]string{"run", "--pid=host", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("spc_t")) + }) + + It("podman test --ipc=host", func() { + session := podmanTest.Podman([]string{"run", "--ipc=host", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("spc_t")) + }) + + It("podman test --ipc=net", func() { + session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("container_t")) + }) }) -- cgit v1.2.3-54-g00ecf