
libpod: Apply SELinux KVM label if process contains "kata" in its name #9584

fidencio commented Mar 2, 2021

We currently only apply the label when the user calls `podman --runtime kata ...`, which may not happen in several different cases, including testing binaries which are not part of the PATH.

In order to avoid forcing the user to pass `--security-opt label=type:...`, let's follow logic similar to the one implemented on the CRI-O side and apply the KVM label to the processes when the runtime binary contains "kata" as part of its name.

Fixes: #9582

Signed-off-by: Fabiano Fidêncio [email protected]


brianredbeard commented

At a minimum, shouldn't this do a bit more checking than a partial string match?

fidencio commented Mar 2, 2021

> At a minimum, shouldn't this do a bit more checking than a partial string match?

I'm open to suggestions, @brianredbeard.

By the way, here you can find what's done on the CRI-O side:
https://github.com/cri-o/cri-o/blob/091b0208c3a4659ad5f2f66011a7be012d51d775/server/sandbox_run_linux.go#L864-L867

mheon commented Mar 2, 2021

This seems unnecessary? We added the runtime_supports_kvm config table already for this purpose. Runtimes requiring this should be marked in the config file. Doing it based on a string match instead seems questionable.

fidencio commented Mar 3, 2021

> This seems unnecessary? We added the runtime_supports_kvm config table already for this purpose. Runtimes requiring this should be marked in the config file. Doing it based on a string match instead seems questionable.

Okay, no biggie.

@rhatdan, we discussed this over IRC, but it seems we'd better not address this case. At least now it's documented (as in, the issue and the discussions) that this is not something that was missed; it's the intended behaviour.

rhatdan commented Mar 3, 2021

Should we go the other way, though? Basically, look at the kata paths, and if we get a match then we do the SELinux labels.

```toml
# kata = [
#            "/usr/bin/kata-runtime",
#            "/usr/sbin/kata-runtime",
#            "/usr/local/bin/kata-runtime",
#            "/usr/local/sbin/kata-runtime",
#            "/sbin/kata-runtime",
#            "/bin/kata-runtime",
#            "/usr/bin/kata-qemu",
#            "/usr/bin/kata-fc",
```
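To make the reviewers' objection concrete, here is the substring check this PR proposes beside the explicit-configuration check mheon and rhatdan point to, as an added Go example that is not podman's own code: the `KVMRuntimeConfig` struct standing in for the `runtime_supports_kvm` table, the runtime names (taken from the snippet above) and the sample paths are assumptions for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// KVMRuntimeConfig stands in for the runtime_supports_kvm table in the podman
// config file (assumed shape for this example, not podman's real structure).
type KVMRuntimeConfig struct {
	Names []string // bare runtime names, e.g. "kata-runtime", "kata-fc"
	Paths []string // absolute binary paths, e.g. "/usr/bin/kata-runtime"
}
// weakSupportsKVM is the check proposed in this PR: label any runtime whose
// binary name contains "kata". It also accepts unrelated names such as
// "kataclysm" and relative paths such as "./kata-runtime".
func weakSupportsKVM(runtimePath string) bool {
	return strings.Contains(filepath.Base(runtimePath), "kata")
}
// strictSupportsKVM follows the reviewers' direction: a bare name must equal a
// configured name; anything with a path separator must be an absolute path
// that, once cleaned, equals a configured path. Nothing else gets the label.
func strictSupportsKVM(runtimePath string, cfg KVMRuntimeConfig) bool {
	if !strings.ContainsRune(runtimePath, filepath.Separator) {
		for _, n := range cfg.Names {
			if runtimePath == n {
				return true
			}
		}
		return false
	}
	clean := filepath.Clean(runtimePath)
	if !filepath.IsAbs(clean) {
		return false // ./kata-runtime from the working directory never qualifies
	}
	for _, p := range cfg.Paths {
		if clean == filepath.Clean(p) {
			return true
		}
	}
	return false
}
func main() {
	cfg := KVMRuntimeConfig{Names: []string{"kata-runtime", "kata-qemu", "kata-fc"}, Paths: []string{"/usr/bin/kata-runtime", "/usr/bin/kata-fc"}}
	for _, rt := range []string{"kata-qemu", "/usr/bin/../bin/kata-fc", "/home/dev/bin/kataclysm", "./kata-runtime"} {
		fmt.Printf("%-26s weak=%-5v strict=%v\n", rt, weakSupportsKVM(rt), strictSupportsKVM(rt, cfg))
	}
}
```

Running it shows the two checks agreeing on the configured runtimes and disagreeing on the unlisted and relative ones, which is exactly the gap the substring match leaves open.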

Linked issue: kata: running podman --runtime /path/to/kata/binary doesn't automatically apply the correct SELinux labels