diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 59a0b677a9a..6ce1854f687 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1375,6 +1375,15 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
 		},
 	}
+	if criuOpts.LsmProfile != "" {
+		// CRIU older than 3.16 has a bug which breaks the possibility
+		// to set a different LSM profile.
+		if err := c.checkCriuVersion(31600); err != nil {
+			return errors.New("--lsm-profile requires at least CRIU 3.16")
+		}
+		req.Opts.LsmProfile = proto.String(criuOpts.LsmProfile)
+	}
+
 	c.handleCriuConfigurationFile(req.Opts)
 	if err := c.handleRestoringNamespaces(req.Opts, &extraFiles); err != nil {
diff --git a/libcontainer/criu_opts_linux.go b/libcontainer/criu_opts_linux.go
index 001c5399c72..0db43e74e8a 100644
--- a/libcontainer/criu_opts_linux.go
+++ b/libcontainer/criu_opts_linux.go
@@ -29,4 +29,5 @@ type CriuOpts struct {
 	AutoDedup bool // auto deduplication for incremental dumps
 	LazyPages bool // restore memory pages lazily using userfaultfd
 	StatusFd int // fd for feedback when lazy server is ready
+	LsmProfile string // LSM profile used to restore the container
 }
diff --git a/man/runc-restore.8.md b/man/runc-restore.8.md
index e475bd57629..3af42b47250 100644
--- a/man/runc-restore.8.md
+++ b/man/runc-restore.8.md
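Review bot: The error returned by `c.checkCriuVersion(31600)` is discarded in the new block in Restore, so a failure to run CRIU or to parse its version is reported as "--lsm-profile requires at least CRIU 3.16" and sends the operator down the wrong path. Keep the cause in the chain, `return fmt.Errorf("--lsm-profile requires at least CRIU 3.16: %w", err)`, assuming fmt is already imported in this file. The profile string is forwarded to CRIU via `proto.String(criuOpts.LsmProfile)` with no check of the TYPE:NAME shape the man page documents, so a malformed value is only rejected on the CRIU side; a prefix check for `apparmor:` or `selinux:` here would give a clearer error before any restore work starts. The `LsmProfile` field on `req.Opts` is not introduced by this diff, so the regenerated criurpc bindings presumably land separately. Restore starts and ends outside the hunk.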
@@ -26,3 +26,19 @@ using the runc checkpoint command.
 --pid-file value specify the file to write the process id to
 --no-subreaper disable the use of the subreaper used to reap reparented processes
 --no-pivot do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk
+ --empty-ns value create a namespace, but don't restore its properties
+ --auto-dedup enable auto deduplication of memory images
+ --lazy-pages use userfaultfd to lazily restore memory pages
+ --lsm-profile value Specify an LSM profile to be used during restore in the form of TYPE:NAME.
+
+## OPTION DETAILS
+
+**--lsm-profile**
+
+Specify an LSM profile to be used during restore in the form of TYPE:NAME.
+
+`TYPE` can either be *apparamor* or *selinux* and is followed by *:* and a
+valid LSM label.
+```
+runc restore --lsm-profile "selinux:system_u:system_r:container_t:s0:c82,c137"
+```
diff --git a/restore.go b/restore.go
index 586772b323b..f7081e4cf5f 100644
--- a/restore.go
+++ b/restore.go
@@ -91,6 +91,11 @@ using the runc checkpoint command.`,
 			Name: "lazy-pages",
 			Usage: "use userfaultfd to lazily restore memory pages",
 		},
+		cli.StringFlag{
+			Name: "lsm-profile",
+			Value: "",
+			Usage: "Specify an LSM profile to be used during restore in the form of TYPE:NAME.",
+		},
 	},
 	Action: func(context *cli.Context) error {
 		if err := checkArgs(context, 1, exactArgs); err != nil {
@@ -139,5 +144,6 @@ func criuOptions(context *cli.Context) *libcontainer.CriuOpts {
 		AutoDedup: context.Bool("auto-dedup"),
 		LazyPages: context.Bool("lazy-pages"),
 		StatusFd: context.Int("status-fd"),
+		LsmProfile: context.String("lsm-profile"),
 	}
 }
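Review bot: The new `lsm-profile` flag in restore.go sets `Value: ""`, which is only the zero value and is omitted by the sibling `lazy-pages` flag in the same hunk, and its Usage text starts with a capital and ends in a period while the neighbouring usages are lowercase with no punctuation. Drop the `Value` line and use `Usage: "specify an LSM profile to be used during restore in the form of TYPE:NAME",` so the `--help` output reads uniformly. The man page hunk documenting the same option spells the LSM type as *apparamor*; the type name is apparmor, so a reader copying the documented form would pass a value the restore cannot use. The enclosing flag list and command literal start and end outside the hunk.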