Support running nested SELinux container separation

Currently Podman prevents SELinux container separation
when running within a container. This PR adds a new
--security-opt label=nested

When setting this option, Podman unmasks and mounts
/sys/fs/selinux into the containers making /sys/fs/selinux
fully exposed. Secondly Podman sets the attribute
run.oci.mount_context_type=rootcontext

This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.

With these two settings Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parent
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Author: Daniel J Walsh
Date: 2023-02-13 02:45:33 -05:00
parent 3920799553
commit ad8a96ab95
12 changed files with 130 additions and 66 deletions


@ -2341,3 +2341,16 @@ func WithMountAllDevices() CtrCreateOption {
return nil
}
}
// WithLabelNested sets the LabelNested flag allowing label separation within container
func WithLabelNested(nested bool) CtrCreateOption {
return func(ctr *Container) error {
if ctr.valid {
return define.ErrCtrFinalized
}
ctr.config.LabelNested = nested
return nil
}
}
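Review bot: the doc comment on WithLabelNested only says the flag "allow[s] label separation within container", while the commit message states that enabling it also unmasks /sys/fs/selinux inside the container and switches volume mounts from context= to rootcontext=; callers of this option should see that exposure in the comment, e.g. `// WithLabelNested enables nested SELinux labeling: exposes /sys/fs/selinux in the container and mounts volumes with rootcontext= instead of context=`. The setter also stores `nested` unconditionally after the `ctr.valid` check, with no check in this hunk that SELinux labeling is actually in use for the container; either reject nested=true when labeling is disabled or state in the comment where that validation happens.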
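To make the mechanism in the commit message concrete, here is an added example (not Podman's or crun's own code) that models the three effects of label=nested: parsing the --security-opt value, dropping /sys/fs/selinux from the masked-path list, and choosing rootcontext= instead of context= for the volume mount option while emitting the run.oci.mount_context_type annotation. The LabelOpts struct, function names and the default masked-path list are assumptions for illustration; only the option names, the annotation key and the context=/rootcontext= mount options come from the commit.

```go
package main

import (
	"fmt"
	"strings"
)

// LabelOpts is a hypothetical subset of SELinux-related container
// settings derived from --security-opt values (not Podman's config type).
type LabelOpts struct {
	Disabled bool   // label=disable
	Nested   bool   // label=nested
	Type     string // label=type:<t>
	Level    string // label=level:<l>
}

// ParseSecurityOpts handles the label= family of --security-opt values
// and rejects the contradictory combination disable+nested, since nested
// labeling only makes sense when the container is labeled at all.
func ParseSecurityOpts(opts []string) (LabelOpts, error) {
	var lo LabelOpts
	for _, o := range opts {
		k, v, ok := strings.Cut(o, "=")
		if !ok || k != "label" {
			continue // seccomp=, apparmor= etc. are not handled here
		}
		switch {
		case v == "disable":
			lo.Disabled = true
		case v == "nested":
			lo.Nested = true
		case strings.HasPrefix(v, "type:"):
			lo.Type = strings.TrimPrefix(v, "type:")
		case strings.HasPrefix(v, "level:"):
			lo.Level = strings.TrimPrefix(v, "level:")
		default:
			return lo, fmt.Errorf("unsupported label option %q", v)
		}
	}
	if lo.Disabled && lo.Nested {
		return lo, fmt.Errorf("label=nested requires SELinux labeling and conflicts with label=disable")
	}
	return lo, nil
}

// MountOption returns the SELinux mount option for a volume.
// context= pins every inode on the filesystem to MOUNTLABEL and forbids
// relabeling; rootcontext= labels only the root inode, so an inner Podman
// can set its own labels on files it creates on a tmpfs.
func MountOption(lo LabelOpts, mountLabel string) string {
	if lo.Disabled || mountLabel == "" {
		return ""
	}
	if lo.Nested {
		return "rootcontext=" + mountLabel
	}
	return "context=" + mountLabel
}

// Annotations returns the OCI annotation that tells crun to use rootcontext=.
func Annotations(lo LabelOpts) map[string]string {
	a := map[string]string{}
	if lo.Nested {
		a["run.oci.mount_context_type"] = "rootcontext"
	}
	return a
}

// MaskedPaths returns the masked-path list with /sys/fs/selinux removed
// when nested labeling is requested, i.e. the unmasking the commit describes.
func MaskedPaths(lo LabelOpts, defaults []string) []string {
	var out []string
	for _, p := range defaults {
		if lo.Nested && p == "/sys/fs/selinux" {
			continue
		}
		out = append(out, p)
	}
	return out
}

func main() {
	// Constructed sample input: a nested-labeling request with an MCS level.
	lo, err := ParseSecurityOpts([]string{"seccomp=unconfined", "label=nested", "label=level:s0:c1,c2"})
	if err != nil {
		panic(err)
	}
	label := "system_u:object_r:container_file_t:s0:c1,c2"
	fmt.Println("mount option:", MountOption(lo, label))
	fmt.Println("annotations:", Annotations(lo))
	fmt.Println("masked paths:", MaskedPaths(lo, []string{"/proc/kcore", "/sys/fs/selinux"}))
}
```

The security-relevant trade-off is visible in MountOption and MaskedPaths: with label=nested the outer container still runs under its own process label, but it can now read SELinux state through /sys/fs/selinux and relabel files on volumes it was given, so the option should only be granted to containers that are meant to run a container engine.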