Unset SocketLabel after system finishes checkpointing

This should fix the SELinux issue we are seeing with talking to /run/systemd/private. Fixes: https://github.com/containers/podman/issues/12362 Also unset the XDG_RUNTIME_DIR if set, since we don't know when running as a service if this will cause issue.s Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2024-10-21 01:34:37 +00:00 · 2021-11-22 14:34:05 -05:00 · 2021-11-22 14:34:05 -05:00 · df6aa67302
parent 1be4c36e7e
commit df6aa67302
2 changed files with 29 additions and 9 deletions
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@ -777,9 +777,6 @@ func (r *ConmonOCIRuntime) AttachResize(ctr *Container, newSize define.TerminalS

 // CheckpointContainer checkpoints the given container.
 func (r *ConmonOCIRuntime) CheckpointContainer(ctr *Container, options ContainerCheckpointOptions) (int64, error) {
-	if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
-		return 0, err
-	}
 	// imagePath is used by CRIU to store the actual checkpoint files
 	imagePath := ctr.CheckpointPath()
 	if options.PreCheckPoint {
@ -823,14 +820,37 @@ func (r *ConmonOCIRuntime) CheckpointContainer(ctr *Container, options Container
 	if err != nil {
 		return 0, err
 	}
-	if err = os.Setenv("XDG_RUNTIME_DIR", runtimeDir); err != nil {
-		return 0, errors.Wrapf(err, "cannot set XDG_RUNTIME_DIR")
-	}
 	args = append(args, ctr.ID())
 	logrus.Debugf("the args to checkpoint: %s %s", r.path, strings.Join(args, " "))

+	oldRuntimeDir, oldRuntimeDirSet := os.LookupEnv("XDG_RUNTIME_DIR")
+	if err = os.Setenv("XDG_RUNTIME_DIR", runtimeDir); err != nil {
+		return 0, errors.Wrapf(err, "cannot set XDG_RUNTIME_DIR")
+	}
+	runtime.LockOSThread()
+	if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
+		return 0, err
+	}
+	defer func() {
+		if oldRuntimeDirSet {
+			if err := os.Setenv("XDG_RUNTIME_DIR", oldRuntimeDir); err != nil {
+				logrus.Warnf("cannot resset XDG_RUNTIME_DIR: %v", err)
+			}
+		} else {
+			if err := os.Unsetenv("XDG_RUNTIME_DIR"); err != nil {
+				logrus.Warnf("cannot unset XDG_RUNTIME_DIR: %v", err)
+			}
+		}
+	}()
+
 	runtimeCheckpointStarted := time.Now()
 	err = utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...)
+	// Ignore error returned from SetSocketLabel("") call,
+	// can't recover.
+	if labelErr := label.SetSocketLabel(""); labelErr != nil {
+		logrus.Errorf("Unable to reset socket label: %q", labelErr)
+	}
+	runtime.UnlockOSThread()

 	runtimeCheckpointDuration := func() int64 {
 		if options.PrintStats {
@ -1445,7 +1465,7 @@ func startCommandGivenSelinux(cmd *exec.Cmd, ctr *Container) error {
 	// Ignore error returned from SetProcessLabel("") call,
 	// can't recover.
 	if labelErr := label.SetProcessLabel(""); labelErr != nil {
-		logrus.Errorf("Unable to set process label: %q", err)
+		logrus.Errorf("Unable to set process label: %q", labelErr)
 	}
 	runtime.UnlockOSThread()
 	return err
--- a/test/system/600-completion.bats
+++ b/test/system/600-completion.bats
@ -258,10 +258,10 @@ function _check_completion_end() {
    # create pods for each state
    run_podman pod create --name created-$random_pod_name
    run_podman pod create --name running-$random_pod_name
-    run_podman run -d --name running-$random_pod_name-con --pod running-$random_pod_name $IMAGE top
    run_podman pod create --name degraded-$random_pod_name
-    run_podman run -d --name degraded-$random_pod_name-con --pod degraded-$random_pod_name $IMAGE echo degraded
    run_podman pod create --name exited-$random_pod_name
+    run_podman run -d --name running-$random_pod_name-con --pod running-$random_pod_name $IMAGE top
+    run_podman run -d --name degraded-$random_pod_name-con --pod degraded-$random_pod_name $IMAGE echo degraded
    run_podman run -d --name exited-$random_pod_name-con --pod exited-$random_pod_name $IMAGE echo exited
    run_podman pod stop exited-$random_pod_name