Add selinux validate in runc exec #2031
Conversation
ping @rhatdan ptal
libcontainer/setns_init_linux.go

```go
// If config.json is modified after the container started, we should validate selinux again.
if l.config.ProcessLabel != "" && !selinux.GetEnabled() {
	return fmt.Errorf("selinux label is specified in config, but selinux is disabled or not supported")
}
```
From memory, the config.json is not re-parsed for runc exec -- we use the config that's in /run/runc/$ctr/... which means that there's no chance it could change between runs (other than runc update but that only really does cgroup changes).
> From memory, the config.json is not re-parsed for runc exec

No, it is re-parsed here (line 170 in 84cba4c):

```go
spec, err := loadSpec(specConfig)
```
@cyphar Besides re-parsing config.json in the bundle dir, there are 3 situations that use selinux in runc exec; I have updated the PR description.
(1) use '--process-label' in runc exec;
(2) add selinuxLabel in process.json when using --process in runc exec;
(3) add selinuxLabel to config.json in the bundle dir after the container started.
I moved the selinux validation to utils_linux.go when exec'ing, so we can do this check before we start runc init. Does it make sense?
Yes, it would be much better to do it a lot earlier.
libcontainer/setns_init_linux.go

Before:

```go
if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil {
	return err
```

After:

```go
if l.config.ProcessLabel != "" {
	if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil {
```
@rhatdan I think that all of the Set*Label commands should be a no-op if l.config.ProcessLabel is "" -- so as to avoid these sorts of problems.
Yes, it does make sense not to check nil in the definition of label.Set*Label, because we may need to delete the process label, so we should check whether l.config.ProcessLabel is "" for all the Set*Label calls in runc.
Yeah, I didn't catch this when I reviewed #2012. Looks okay, minus my comments. We really should've fixed this for rc7... Guess it's time for an rc8 then...

Yes, I think we need to check this in Runc. What I don't understand is why this is blowing up, while the other calls do not. But no SELinux calls should be made if the label is "".

LGTM
I've figured it out -- it's because of older kernels and so this fix actually isn't sufficient (if you're using an older SELinux machine). I'm running AppArmor on a 5.0.3 kernel and I have a So, either runc or go-selinux need to detect whether And if we're going to do that sort of check, I think it would also make sense to no-op go-selinux calls where the label is

I will submit a PR to go-selinux along the above lines, and then we can update this PR to re-vendor it and then remove some of the changes (but the "is SELinux enabled" for
"" actually makes sense as an SELinux label. This tells go-selinux to turn back on the default labeling. `label.SetProcessLabel("system_u:system_r:container_t:s0:c1,c2")`
Hmm, so that means really

We could embed the isselinuxenabled check in the label calls, and only check it if the "" is passed.

I will send a PR with these changes (the is-selinux-enabled checks and the backwards-compatibility changes) tomorrow.
Dear experts, after I saw opencontainers/selinux#49, do we really need patch 49 in runc? Because consider:
If
I think it has no meaning to the system even though selinux is enabled. So I think we should check If I'm wrong, please point it out. Thanks.
If labelVar is empty, I think this means the user doesn't want to use selinux in runc.

@lifubang While it would make the operations a no-op, it's much better to do it in

I know what the purpose is now. Thank you for your explanation.

I have opened this PR opencontainers/selinux#49 to fix the issue in go-selinux.
As the regression is fixed by #2032, this PR becomes an enhancement. The main purpose of this PR is:
libcontainer/setns_init_linux.go
@@ -34,10 +34,12 @@ func (l *linuxSetnsInit) Init() error { | |||
defer runtime.UnlockOSThread() | |||
|
|||
if !l.config.Config.NoNewKeyring { | |||
if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil { | |||
return err | |||
if l.config.ProcessLabel != "" { |
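Review bot: The new `if l.config.ProcessLabel != "" {` guard around `label.SetKeyLabel` is redundant once go-selinux treats an empty label as a no-op (opencontainers/selinux#49, vendored by #2032), as the reviewer notes below; drop the guard and keep only the `if !l.config.Config.NoNewKeyring {` condition so the key-label call has a single owner of the "is SELinux enabled" decision.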
These checks aren't necessary anymore.
updated
My only comment is we don't need any of the
Signed-off-by: lifubang <[email protected]>
LGTM. Thanks @lifubang.
no changes in vendored files

full diff: opencontainers/runc@v1.0.0-rc7...029124d
- opencontainers/runc#2031 Add selinux validate in runc exec
- opencontainers/runc#2032 Fix SELinux failures on disabled SELinux Machines
  - addresses opencontainers#2030 "container init caused "write /proc/self/attr/keycreate: invalid argument"

Signed-off-by: Sebastiaan van Stijn <[email protected]>
… stretch-backport v1.0.0~rc8

This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels (which don't support keycreate labeling). Users are strongly encouraged to update, as this regression was introduced in 1.0.0-rc7 and has blocked many users from updating to mitigate CVE-2019-5736.

Bugs: opencontainers#2032 opencontainers#2031 opencontainers#2043

At the moment the only outlying issue before we can release 1.0.0 is some spec discussions we are having about OCI hooks and how to handle the integration with existing NVIDIA hooks. We will do our best to finish this work as soon as we can.

Thanks to the following people who made this release possible:
* Aleksa Sarai <[email protected]>
* Daniel J Walsh <[email protected]>
* lifubang <[email protected]>
* Michael Crosby <[email protected]>
* Mrunal Patel <[email protected]>

Vote: +4 -0 opencontainers#1

Signed-off-by: Aleksa Sarai <[email protected]>
Signed-off-by: Lifubang [email protected]
Fix regression introduced by cd96170; the related commit is opencontainers/selinux@e5c68ba#diff-08374585d1f5b66358d612f6292a3fae. There is no

```go
if processLabel == "" {
```

check now. Fixed by "Fix SELinux failures on disabled SELinux Machines" #2032.

Fixes "Container Creation error: Container creation error: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"write /proc/self/attr/keycreate: invalid argument\""" #2030: check nil for selinuxLabel before we call label.SetKeyLabel. This is also introduced by cd96170, because the validation is:
runc/libcontainer/configs/validate/validator.go, lines 96 to 107 in 84cba4c
Fixed by "Fix SELinux failures on disabled SELinux Machines" #2032.

Fix: if we use selinuxLabel in runc exec, we should validate selinux again. If the system disables selinux, it will raise the error `exec failed: container_linux.go:345: starting container process caused "write /proc/self/attr/keycreate: invalid argument"`. For example:
(1) use '--process-label' in runc exec;
(2) use selinuxLabel in process.json when using --process in runc exec;
(3) add selinuxLabel to config.json in the bundle dir after the container started.
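The check this PR describes, as an added stand-alone example (not runc's or go-selinux's code): a non-empty exec label must be rejected up front when the host has SELinux disabled, while "" is always accepted because go-selinux treats it as "reset to default labeling". SELinux-enabled detection is approximated by looking for a selinuxfs mount in /proc/self/mounts content passed in as a string (constructed samples below); the function names and the selinuxfs heuristic are assumptions.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// selinuxfsMount scans /proc/self/mounts content (passed in so it runs offline)
// and returns the selinuxfs mountpoint, or "" if selinuxfs is not mounted.
// Assumption: a mounted selinuxfs is taken as "SELinux enabled" (simplified
// stand-in for go-selinux's GetEnabled, not the real implementation).
func selinuxfsMount(mounts string) string {
	sc := bufio.NewScanner(strings.NewReader(mounts))
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // device mountpoint fstype options ...
		if len(f) >= 3 && f[2] == "selinuxfs" {
			return f[1]
		}
	}
	return ""
}

// ValidateExecLabel applies the PR's rule for a label coming from
// --process-label, process.json or a modified config.json: "" is a no-op and
// always fine; any other label requires SELinux to be enabled on the host,
// otherwise runc init would later fail on /proc/self/attr/keycreate.
func ValidateExecLabel(label string, selinuxEnabled bool) error {
	if label == "" {
		return nil
	}
	if !selinuxEnabled {
		return errors.New("selinux label is specified in config, but selinux is disabled or not supported")
	}
	return nil
}

func main() {
	// Constructed /proc/self/mounts samples: one SELinux host, one without.
	samples := []string{
		"sysfs /sys sysfs rw,nosuid 0 0\nselinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n",
		"sysfs /sys sysfs rw,nosuid 0 0\n",
	}
	for _, m := range samples {
		enabled := selinuxfsMount(m) != ""
		err := ValidateExecLabel("system_u:system_r:container_t:s0:c1,c2", enabled)
		fmt.Printf("selinux enabled=%v validate=%v\n", enabled, err)
	}
}
```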