Merge pull request #3005 from adrianreber/2021-06-07-lsm-profile

opencontainers · Jun 14, 2021 · c4359f8 · c4359f8
2 parents 93a01cd + 535f25c
commit c4359f8
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 0 deletions.
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
@@ -1375,6 +1375,15 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
 		},
 	}
 
+	if criuOpts.LsmProfile != "" {
+		// CRIU older than 3.16 has a bug which breaks the possibility
+		// to set a different LSM profile.
+		if err := c.checkCriuVersion(31600); err != nil {
+			return errors.New("--lsm-profile requires at least CRIU 3.16")
+		}
+		req.Opts.LsmProfile = proto.String(criuOpts.LsmProfile)
+	}
+
 	c.handleCriuConfigurationFile(req.Opts)
 
 	if err := c.handleRestoringNamespaces(req.Opts, &extraFiles); err != nil {

diff --git a/libcontainer/criu_opts_linux.go b/libcontainer/criu_opts_linux.go
@@ -29,4 +29,5 @@ type CriuOpts struct {
 	AutoDedup               bool               // auto deduplication for incremental dumps
 	LazyPages               bool               // restore memory pages lazily using userfaultfd
 	StatusFd                int                // fd for feedback when lazy server is ready
+	LsmProfile              string             // LSM profile used to restore the container
 }
diff --git a/man/runc-restore.8.md b/man/runc-restore.8.md
@@ -26,3 +26,19 @@ using the runc checkpoint command.
     --pid-file value             specify the file to write the process id to
     --no-subreaper               disable the use of the subreaper used to reap reparented processes
     --no-pivot                   do not use pivot root to jail process inside rootfs.  This should be used whenever the rootfs is on top of a ramdisk
+    --empty-ns value             create a namespace, but don't restore its properties
+    --auto-dedup                 enable auto deduplication of memory images
+    --lazy-pages                 use userfaultfd to lazily restore memory pages
+    --lsm-profile value          Specify an LSM profile to be used during restore in the form of TYPE:NAME.
+
+## OPTION DETAILS
+
+**--lsm-profile**
+
+Specify an LSM profile to be used during restore in the form of TYPE:NAME.
+
+`TYPE` can either be *apparamor* or *selinux* and is followed by *:* and a
+valid LSM label.
+```
+runc restore --lsm-profile "selinux:system_u:system_r:container_t:s0:c82,c137" <container-id>
+```
diff --git a/restore.go b/restore.go
@@ -91,6 +91,11 @@ using the runc checkpoint command.`,
 			Name:  "lazy-pages",
 			Usage: "use userfaultfd to lazily restore memory pages",
 		},
+		cli.StringFlag{
+			Name:  "lsm-profile",
+			Value: "",
+			Usage: "Specify an LSM profile to be used during restore in the form of TYPE:NAME.",
+		},
 	},
 	Action: func(context *cli.Context) error {
 		if err := checkArgs(context, 1, exactArgs); err != nil {
@@ -139,5 +144,6 @@ func criuOptions(context *cli.Context) *libcontainer.CriuOpts {
 		AutoDedup:               context.Bool("auto-dedup"),
 		LazyPages:               context.Bool("lazy-pages"),
 		StatusFd:                context.Int("status-fd"),
+		LsmProfile:              context.String("lsm-profile"),
 	}
 }