From bd0766e9668f9dc186684223bea7b6388102ecb8 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 31 Jan 2022 12:05:43 -0500 Subject: selinux: remove explicit range transition when starting conmon Do not explicitly transition to s0 when starting conmon. Instead, the policy should implement this behavior. [NO NEW TESTS NEEDED] This is dependent on the SELinux policy to implement the desired behavior. Additionally, entirely custom SELinux policies may choose to implement the behavior differently. Signed-off-by: Kenton Groombridge --- libpod/oci_conmon_exec_linux.go | 2 +- libpod/oci_conmon_linux.go | 49 +++-------------------------------------- 2 files changed, 4 insertions(+), 47 deletions(-) (limited to 'libpod') diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go index aa970bbde..c88ef2c67 100644 --- a/libpod/oci_conmon_exec_linux.go +++ b/libpod/oci_conmon_exec_linux.go @@ -462,7 +462,7 @@ func (r *ConmonOCIRuntime) startExec(c *Container, sessionID string, options *Ex Setpgid: true, } - err = startCommandGivenSelinux(execCmd, c) + err = startCommand(execCmd, c) // We don't need children pipes on the parent side errorhandling.CloseQuiet(childSyncPipe) diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index a328f7621..cf439cd33 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -37,7 +37,6 @@ import ( pmount "github.com/containers/storage/pkg/mount" "github.com/coreos/go-systemd/v22/daemon" spec "github.com/opencontainers/runtime-spec/specs-go" - "github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -1245,7 +1244,7 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co if restoreOptions != nil { runtimeRestoreStarted = time.Now() } - err = startCommandGivenSelinux(cmd, ctr) + err = startCommand(cmd, ctr) // regardless of whether we errored or not, we no longer need the children pipes childSyncPipe.Close() @@ -1412,9 +1411,7 @@ func (r *ConmonOCIRuntime) sharedConmonArgs(ctr *Container, cuuid, bundlePath, p return args } -// startCommandGivenSelinux starts a container ensuring to set the labels of -// the process to make sure SELinux doesn't block conmon communication, if SELinux is enabled -func startCommandGivenSelinux(cmd *exec.Cmd, ctr *Container) error { +func startCommand(cmd *exec.Cmd, ctr *Container) error { // Make sure to unset the NOTIFY_SOCKET and reset if afterwards if needed. switch ctr.config.SdNotifyMode { case define.SdNotifyModeContainer, define.SdNotifyModeIgnore: @@ -1431,47 +1428,7 @@ func startCommandGivenSelinux(cmd *exec.Cmd, ctr *Container) error { } } - if !selinux.GetEnabled() { - return cmd.Start() - } - // Set the label of the conmon process to be level :s0 - // This will allow the container processes to talk to fifo-files - // passed into the container by conmon - var ( - plabel string - con selinux.Context - err error - ) - plabel, err = selinux.CurrentLabel() - if err != nil { - return errors.Wrapf(err, "failed to get current SELinux label") - } - - con, err = selinux.NewContext(plabel) - if err != nil { - return errors.Wrapf(err, "failed to get new context from SELinux label") - } - - runtime.LockOSThread() - if con["level"] != "s0" && con["level"] != "" { - con["level"] = "s0" - if err = label.SetProcessLabel(con.Get()); err != nil { - runtime.UnlockOSThread() - return err - } - } - err = cmd.Start() - // Ignore error returned from SetProcessLabel("") call, - // can't recover. - if labelErr := label.SetProcessLabel(""); labelErr == nil { - // Unlock the thread only if the process label could be restored - // successfully. Otherwise leave the thread locked and the Go runtime - // will terminate it once it returns to the threads pool. - runtime.UnlockOSThread() - } else { - logrus.Errorf("Unable to set process label: %q", labelErr) - } - return err + return cmd.Start() } // moveConmonToCgroupAndSignal gets a container's cgroupParent and moves the conmon process to that cgroup -- cgit v1.2.3-54-g00ecf