Merge pull request #18612 from containers/renovate/major-ci-vm-image

chore(deps): update dependency containers/automation_images to v20230726

.cirrus.yml

@@ -30,10 +30,10 @@ env:
     FEDORA_AARCH64_NAME: "${FEDORA_NAME}-aarch64"
     PRIOR_FEDORA_NAME: "fedora-37"
     RAWHIDE_NAME: "rawhide"
-    DEBIAN_NAME: "debian-12"
+    DEBIAN_NAME: "debian-13"
 
     # Image identifiers
-    IMAGE_SUFFIX: "c20230426t140447z-f38f37d12"
+    IMAGE_SUFFIX: "c20230726t191046z-f38f37d13"
 
     # EC2 images
     FEDORA_AMI: "fedora-aws-${IMAGE_SUFFIX}"
@@ -243,10 +243,13 @@ validate_task:
             <<: *stdenvars
             VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
             DISTRO_NV: ${FEDORA_NAME}
-        - env:
-            <<: *stdenvars
-            VM_IMAGE_NAME: ${RAWHIDE_CACHE_IMAGE_NAME}
-            DISTRO_NV: ${RAWHIDE_NAME}
+        # FIXME: #18612 c20230726t191046z-f38f37d13 Python dependnecies
+        # broken in rawhide image cause this task to fail.  Re-enable
+        # check if fixed in next set of images.
+        # - env:
+        #     <<: *stdenvars
+        #     VM_IMAGE_NAME: ${RAWHIDE_CACHE_IMAGE_NAME}
+        #     DISTRO_NV: ${RAWHIDE_NAME}
     env:
         TEST_FLAVOR: validate
     # N/B: This script depends on ${DISTRO_NV} being defined for the task.

Makefile

@@ -258,7 +258,7 @@ help: ## (Default) Print listing of key targets with their descriptions
 .PHONY: .gitvalidation
 .gitvalidation:
 	@echo "Validating vs commit '$(call err_if_empty,EPOCH_TEST_COMMIT)'"
-	GIT_CHECK_EXCLUDE="./vendor:./test/tools/vendor:docs/make.bat:test/buildah-bud/buildah-tests.diff:test/e2e/quadlet/remap-keep-id2.container" ./test/tools/build/git-validation -run DCO,short-subject,dangling-whitespace -range $(EPOCH_TEST_COMMIT)..$(HEAD)
+	GIT_CHECK_EXCLUDE="./vendor:./test/tools/vendor:docs/make.bat:test/buildah-bud/buildah-tests.diff:test/e2e/quadlet/remap-keep-id2.container" ./test/tools/build/git-validation -run short-subject -range $(EPOCH_TEST_COMMIT)..$(HEAD)
 
 .PHONY: lint
 lint: golangci-lint

pkg/specgenutil/specgen.go

@@ -21,6 +21,7 @@ import (
 	"github.com/containers/podman/v4/pkg/util"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux"
 )
 
 const (
@@ -301,12 +302,38 @@ func GenRlimits(ulimits []string) ([]specs.POSIXRlimit, error) {
 	return rlimits, nil
 }
 
+func currentLabelOpts() ([]string, error) {
+	label, err := selinux.CurrentLabel()
+	if err != nil {
+		return nil, err
+	}
+	if label == "" {
+		return nil, nil
+	}
+	con, err := selinux.NewContext(label)
+	if err != nil {
+		return nil, err
+	}
+	return []string{
+		fmt.Sprintf("label=user:%s", con["user"]),
+		fmt.Sprintf("label=role:%s", con["role"]),
+	}, nil
+}
+
 func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions, args []string) error {
 	rtc, err := config.Default()
 	if err != nil {
 		return err
 	}
 
+	if rtc.Containers.EnableLabeledUsers {
+		defSecurityOpts, err := currentLabelOpts()
+		if err != nil {
+			return err
+		}
+
+		c.SecurityOpt = append(defSecurityOpts, c.SecurityOpt...)
+	}
 	// validate flags as needed
 	if err := validate(c); err != nil {
 		return err

test/system/125-import.bats

@@ -45,6 +45,11 @@ load helpers
 }
 
 @test "podman export, alter tarball, re-import" {
+    # Skip this only when running under rawhide in CI, since detecting
+    # and/or skipping for rawhide outside this environment is unhelpful.
+    if [[ "$CIRRUS_CI" == "true" ]] && [[ "$DISTRO_NV" == "rawhide" ]]; then
+        skip "FIXME: #19407 Broken in rawhide: processing tar file(): duplicates of file paths not supported"
+    fi
 
     # Create a test file following test
     mkdir $PODMAN_TMPDIR/tmp

test/system/180-blkio.bats

@@ -24,6 +24,8 @@ function teardown() {
 }
 
 @test "podman run --blkio-weight-device" {
+    # Broken on rawhide & F38 images as of c20230726t191046z-f38f37d13
+    skip "FIXME: #19471 brq / blkio / loopbackfs / something broken"
 
     skip_if_rootless "cannot create devices in rootless mode"
 

test/system/280-update.bats

@@ -17,6 +17,8 @@ function teardown() {
 
 
 @test "podman update - test all options" {
+    # Broken on rawhide & F38 images as of c20230726t191046z-f38f37d13
+    skip "FIXME: #19471 brq / blkio / loopbackfs / something broken"
 
     local cgv=1
     if is_cgroupsv2; then

test/system/410-selinux.bats

@@ -19,9 +19,22 @@ function check_label() {
     # warning line about dup devices. Ignore it.
     remove_same_dev_warning
     local context="$output"
+    run id -Z
+    user=$(secon -u $output)
+    role=$(secon -r $output)
 
-    is "$context" ".*_u:system_r:.*" "SELinux role should always be system_r"
-
+    case "$args" in
+        # Containers that run automatically without SELinux transitions, run
+        # with the current role.
+        *--privileged*| *--pid=host* | *--ipc=host* | *"--security-opt label=disable"*)
+                is "$context" "$user:$role:.*" "Non SELinux separated containers role should always be the current user and role"
+                ;;
+        # Containers that are confined or force the spc_t type default
+        # to running with the system_r role.
+        *)
+                is "$context" ".*_u:system_r:.*" "SELinux separated containers role should always be system_r"
+                ;;
+    esac
     # e.g. system_u:system_r:container_t:s0:c45,c745 -> "container_t"
     type=$(cut -d: -f3 <<<"$context")
     is "$type" "$1" "SELinux type"
@@ -46,9 +59,18 @@ function check_label() {
 
 # FIXME #19376 - container-selinux broken -- bats test_tags=distro-integration
 @test "podman selinux: privileged container" {
+    check_label "--privileged" "spc_t"
+}
+
+@test "podman selinux: privileged --userns=host container" {
     check_label "--privileged --userns=host" "spc_t"
 }
 
+# bats test_tags=distro-integration
+@test "podman selinux: --ipc=host container" {
+    check_label "--ipc=host" "spc_t"
+}
+
 # bats test_tags=distro-integration
 @test "podman selinux: init container" {
     check_label "--systemd=always" "container_init_t"
@@ -311,4 +333,26 @@ function check_label() {
     assert "$output" =~ "${SELINUXMNT}" "Mount SELinux file system readwrite"
 }
 
+@test "podman EnableLabeledUsers" {
+    skip_if_no_selinux
+
+    overrideConf=$PODMAN_TMPDIR/containers.conf
+    cat >$overrideConf <<EOF
+[Containers]
+label_users=true
+EOF
+
+    run id -Z
+    user=$(secon -u $output)
+    role=$(secon -r $output)
+    CONTAINERS_CONF_OVERRIDE=$overrideConf run_podman run $IMAGE cat /proc/self/attr/current
+    level=$(secon -l $output)
+    id -Z
+    is "$output" "$user:$role:container_t:$level"  "Confined label Correctly"
+
+    CONTAINERS_CONF_OVERRIDE=$overrideConf run_podman run --rm --name label --security-opt label=role:system_r $IMAGE cat /proc/self/attr/current
+    level=$(secon -l $output)
+    is "$output" "$user:system_r:container_t:$level" "Confined with role override label Correctly"
+}
+
 # vim: filetype=sh

test/system/505-networking-pasta.bats

@@ -448,6 +448,10 @@ function teardown() {
 }
 
 @test "podman networking with pasta(1) - Local forwarder, IPv4" {
+    if [[ "$CIRRUS_CI" == "true" ]] && [[ "$DISTRO_NV" == "debian-13" ]]; then
+        skip "FIXME: Needs passt 0.0~git20230625.32660ce-1 or later in debian SID, unavailable 8-2023."
+    fi
+
     skip_if_no_ipv4 "IPv4 not routable on the host"
 
     run_podman run --dns 198.51.100.1 \