From 0a8a1deed1bae2fa2e4d3972fa01196e34fcab7f Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Wed, 20 Feb 2019 16:42:44 +0000 Subject: Label CRIU log files correctly CRIU creates a log file during checkpointing in .../userdata/dump.log. The problem with this file is, is that CRIU injects a parasite code into the container processes and this parasite code also writes to the same log file. At this point a process from the inside of the container is trying to access the log file on the outside of the container and SELinux prohibits this. To enable writing to the log file from the injected parasite code, this commit creates an empty log file and labels the log file with c.MountLabel(). CRIU uses existing files when writing it logs so the log file label persists and now, with the correct label, SELinux no longer blocks access to the log file. Signed-off-by: Adrian Reber --- libpod/container_internal_linux.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'libpod/container_internal_linux.go') diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index f182b6bdf..b074efa3a 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -481,6 +481,19 @@ func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointO if c.state.State != ContainerStateRunning { return errors.Wrapf(ErrCtrStateInvalid, "%q is not running, cannot checkpoint", c.state.State) } + + // Create the CRIU log file and label it + dumpLog := filepath.Join(c.bundlePath(), "dump.log") + + logFile, err := os.OpenFile(dumpLog, os.O_CREATE, 0600) + if err != nil { + return errors.Wrapf(err, "failed to create CRIU log file %q", dumpLog) + } + logFile.Close() + if err = label.SetFileLabel(dumpLog, c.MountLabel()); err != nil { + return errors.Wrapf(err, "failed to label CRIU log file %q", dumpLog) + } + if err := c.runtime.ociRuntime.checkpointContainer(c, options); err != nil { return err } -- cgit v1.2.3-54-g00ecf