Add support for SecurityLabelNested flag in quadlet

This flag will allow us to run nested containers within a quadlet service. Signed-off-by: Daniel J Walsh <[email protected]>
edsantiago · Jun 6, 2023 · 3b79f24 · 3b79f24
1 parent 6f38a72
commit 3b79f24
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 0 deletions.
diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
@@ -128,6 +128,7 @@ Valid options for `[Container]` are listed below:
 | SecurityLabelDisable=true      | --security-opt label=disable                         |
 | SecurityLabelFileType=usr_t    | --security-opt label=filetype:usr_t                  |
 | SecurityLabelLevel=s0:c1,c2    | --security-opt label=level:s0:c1,c2                  |
+| SecurityLabelNested=true       | --security-opt label=nested                          |
 | SecurityLabelType=spc_t        | --security-opt label=type:spc_t                      |
 | Timezone=local                 | --tz local                                           |
 | Tmpfs=/work                    | --tmpfs /work                                        |
@@ -424,6 +425,10 @@ Set the label file type for the container files.
 
 Set the label process level for the container processes.
 
+### `SecurityLabelNested=`
+
+Allow SecurityLabels to function within the container. This allows separation of containers created within the container.
+
 ### `SecurityLabelType=`
 
 Set the label process type for the container processes.

diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
@@ -93,6 +93,7 @@ const (
 	KeySecurityLabelDisable  = "SecurityLabelDisable"
 	KeySecurityLabelFileType = "SecurityLabelFileType"
 	KeySecurityLabelLevel    = "SecurityLabelLevel"
+	KeySecurityLabelNested   = "SecurityLabelNested"
 	KeySecurityLabelType     = "SecurityLabelType"
 	KeySecret                = "Secret"
 	KeyTimezone              = "Timezone"
@@ -156,6 +157,7 @@ var (
 		KeySecurityLabelDisable:  true,
 		KeySecurityLabelFileType: true,
 		KeySecurityLabelLevel:    true,
+		KeySecurityLabelNested:   true,
 		KeySecurityLabelType:     true,
 		KeySecret:                true,
 		KeyTmpfs:                 true,
@@ -414,6 +416,11 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 		podman.add("--security-opt", "label:disable")
 	}
 
+	securityLabelNested := container.LookupBooleanWithDefault(ContainerGroup, KeySecurityLabelNested, false)
+	if securityLabelNested {
+		podman.add("--security-opt", "label:nested")
+	}
+
 	securityLabelType, _ := container.Lookup(ContainerGroup, KeySecurityLabelType)
 	if len(securityLabelType) > 0 {
 		podman.add("--security-opt", fmt.Sprintf("label=type:%s", securityLabelType))

diff --git a/test/e2e/quadlet/disableselinux.container b/test/e2e/quadlet/disableselinux.container
@@ -1,3 +1,4 @@
+## assert-podman-final-args localhost/imagename
 ## assert-podman-args "--security-opt" "label:disable"
 
 [Container]

diff --git a/test/e2e/quadlet/nestedselinux.container b/test/e2e/quadlet/nestedselinux.container
@@ -0,0 +1,5 @@
+## assert-podman-args "--security-opt" "label:nested"
+
+[Container]
+Image=localhost/imagename
+SecurityLabelNested=true
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
@@ -537,6 +537,7 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("capabilities.container", "capabilities.container"),
 		Entry("capabilities2.container", "capabilities2.container"),
 		Entry("disableselinux.container", "disableselinux.container"),
+		Entry("nestedselinux.container", "nestedselinux.container"),
 		Entry("devices.container", "devices.container"),
 		Entry("env.container", "env.container"),
 		Entry("escapes.container", "escapes.container"),