opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-19 20:23:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add SELinux support for pods

Browse Source 
All containers within a Pod need to run with the same SELinux
label, unless overwritten by the user.

Also added a bunch of SELinux tests to make sure selinux labels
are correct on namespaces.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2020-10-02 12:02:16 -04:00
parent d4e97b35c2
commit d0f3c17912
3 changed files with 145 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
libpod/pod.go
View File

@ -327,3 +327,21 @@ func (p *Pod) GetPodStats(previousContainerStats map[string]*define.ContainerSta
} }
return newContainerStats, nil return newContainerStats, nil
} }
// ProcessLabel returns the SELinux label associated with the pod
func (p *Pod) ProcessLabel() (string, error) {
if !p.HasInfraContainer() {
return "", nil
}
id, err := p.InfraContainerID()
if err != nil {
return "", err
}
ctr, err := p.runtime.state.Container(id)
if err != nil {
return "", err
}
return ctr.ProcessLabel(), nil
}

16
pkg/specgen/generate/container_create.go
View File

@ -11,6 +11,7 @@ import (
"github.com/containers/podman/v2/pkg/specgen" "github.com/containers/podman/v2/pkg/specgen"
"github.com/containers/podman/v2/pkg/util" "github.com/containers/podman/v2/pkg/util"
"github.com/containers/storage" "github.com/containers/storage"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
@ -272,6 +273,21 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
// Security options // Security options
if len(s.SelinuxOpts) > 0 { if len(s.SelinuxOpts) > 0 {
options = append(options, libpod.WithSecLabels(s.SelinuxOpts)) options = append(options, libpod.WithSecLabels(s.SelinuxOpts))
} else {
if pod != nil {
// duplicate the security options from the pod
processLabel, err := pod.ProcessLabel()
if err != nil {
return nil, err
}
if processLabel != "" {
selinuxOpts, err := label.DupSecOpt(processLabel)
if err != nil {
return nil, err
}
options = append(options, libpod.WithSecLabels(selinuxOpts))
}
}
} }
options = append(options, libpod.WithPrivileged(s.Privileged)) options = append(options, libpod.WithPrivileged(s.Privileged))

111
test/e2e/run_selinux_test.go
View File

@ -182,4 +182,115 @@ var _ = Describe("Podman run", func() {
match2, _ := session.GrepString("s0:c1,c2") match2, _ := session.GrepString("s0:c1,c2")
Expect(match2).To(BeTrue()) Expect(match2).To(BeTrue())
}) })
It("podman pod container share SELinux labels", func() {
session := podmanTest.Podman([]string{"pod", "create"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
podID := session.OutputToString()
session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
label1 := session.OutputToString()
session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(Equal(label1))
session = podmanTest.Podman([]string{"pod", "rm", podID, "--force"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
})
It("podman pod container --infra=false doesn't share SELinux labels", func() {
session := podmanTest.Podman([]string{"pod", "create", "--infra=false"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
podID := session.OutputToString()
session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
label1 := session.OutputToString()
session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(Not(Equal(label1)))
session = podmanTest.Podman([]string{"pod", "rm", podID, "--force"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
})
It("podman shared IPC NS container share SELinux labels", func() {
session := podmanTest.RunTopContainer("test1")
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
label1 := session.OutputToString()
session = podmanTest.Podman([]string{"run", "--ipc", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(Equal(label1))
})
It("podman shared PID NS container share SELinux labels", func() {
session := podmanTest.RunTopContainer("test1")
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
label1 := session.OutputToString()
session = podmanTest.Podman([]string{"run", "--pid", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(Equal(label1))
})
It("podman shared NET NS container doesn't share SELinux labels", func() {
session := podmanTest.RunTopContainer("test1")
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
label1 := session.OutputToString()
session = podmanTest.Podman([]string{"run", "--net", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(Not(Equal(label1)))
})
It("podman test --pid=host", func() {
session := podmanTest.Podman([]string{"run", "--pid=host", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
})
It("podman test --ipc=host", func() {
session := podmanTest.Podman([]string{"run", "--ipc=host", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
})
It("podman test --ipc=net", func() {
session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("container_t"))
})
}) })