Merge pull request #7902 from rhatdan/selinux

Add SELinux support for pods
2024-10-21 17:53:44 +00:00 · 2020-10-05 10:32:28 +02:00 · 2020-10-05 10:32:28 +02:00 · 7353000a06
parent 7c12967257 d0f3c17912
commit 7353000a06
3 changed files with 145 additions and 0 deletions
--- a/libpod/pod.go
+++ b/libpod/pod.go
@ -327,3 +327,21 @@ func (p *Pod) GetPodStats(previousContainerStats map[string]*define.ContainerSta
 	}
 	return newContainerStats, nil
 }
+
+// ProcessLabel returns the SELinux label associated with the pod
+func (p *Pod) ProcessLabel() (string, error) {
+	if !p.HasInfraContainer() {
+		return "", nil
+	}
+
+	id, err := p.InfraContainerID()
+	if err != nil {
+		return "", err
+	}
+
+	ctr, err := p.runtime.state.Container(id)
+	if err != nil {
+		return "", err
+	}
+	return ctr.ProcessLabel(), nil
+}
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@ -11,6 +11,7 @@ import (
 	"github.com/containers/podman/v2/pkg/specgen"
 	"github.com/containers/podman/v2/pkg/util"
 	"github.com/containers/storage"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@ -272,6 +273,21 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 	// Security options
 	if len(s.SelinuxOpts) > 0 {
 		options = append(options, libpod.WithSecLabels(s.SelinuxOpts))
+	} else {
+		if pod != nil {
+			// duplicate the security options from the pod
+			processLabel, err := pod.ProcessLabel()
+			if err != nil {
+				return nil, err
+			}
+			if processLabel != "" {
+				selinuxOpts, err := label.DupSecOpt(processLabel)
+				if err != nil {
+					return nil, err
+				}
+				options = append(options, libpod.WithSecLabels(selinuxOpts))
+			}
+		}
 	}
 	options = append(options, libpod.WithPrivileged(s.Privileged))

--- a/test/e2e/run_selinux_test.go
+++ b/test/e2e/run_selinux_test.go
@ -182,4 +182,115 @@ var _ = Describe("Podman run", func() {
 		match2, _ := session.GrepString("s0:c1,c2")
 		Expect(match2).To(BeTrue())
 	})
+
+	It("podman pod container share SELinux labels", func() {
+		session := podmanTest.Podman([]string{"pod", "create"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		podID := session.OutputToString()
+
+		session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		label1 := session.OutputToString()
+
+		session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(Equal(label1))
+
+		session = podmanTest.Podman([]string{"pod", "rm", podID, "--force"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
+	It("podman pod container --infra=false doesn't share SELinux labels", func() {
+		session := podmanTest.Podman([]string{"pod", "create", "--infra=false"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		podID := session.OutputToString()
+
+		session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		label1 := session.OutputToString()
+
+		session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(Not(Equal(label1)))
+
+		session = podmanTest.Podman([]string{"pod", "rm", podID, "--force"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
+	It("podman shared IPC NS container share SELinux labels", func() {
+		session := podmanTest.RunTopContainer("test1")
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+
+		session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		label1 := session.OutputToString()
+
+		session = podmanTest.Podman([]string{"run", "--ipc", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(Equal(label1))
+	})
+
+	It("podman shared PID NS container share SELinux labels", func() {
+		session := podmanTest.RunTopContainer("test1")
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+
+		session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		label1 := session.OutputToString()
+
+		session = podmanTest.Podman([]string{"run", "--pid", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(Equal(label1))
+	})
+
+	It("podman shared NET NS container doesn't share SELinux labels", func() {
+		session := podmanTest.RunTopContainer("test1")
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+
+		session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		label1 := session.OutputToString()
+
+		session = podmanTest.Podman([]string{"run", "--net", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(Not(Equal(label1)))
+	})
+
+	It("podman test --pid=host", func() {
+		session := podmanTest.Podman([]string{"run", "--pid=host", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
+	})
+
+	It("podman test --ipc=host", func() {
+		session := podmanTest.Podman([]string{"run", "--ipc=host", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
+	})
+
+	It("podman test --ipc=net", func() {
+		session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(ContainSubstring("container_t"))
+	})
 })