Check for supportsKVM based on basename of the runtime

Fixes: containers#9582 This PR also adds tests to make sure SELinux labels match the runtime, or if init is specified works with the correct label. Add tests for selinux kvm/init labels Signed-off-by: Daniel J Walsh <[email protected]>
rhatdan · Mar 3, 2021 · 252aec1 · 252aec1
1 parent 87e2056
commit 252aec1
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 7 deletions.
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
@@ -113,9 +113,11 @@ func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtime
 
 	// TODO: probe OCI runtime for feature and enable automatically if
 	// available.
-	runtime.supportsJSON = supportsJSON[name]
-	runtime.supportsNoCgroups = supportsNoCgroups[name]
-	runtime.supportsKVM = supportsKVM[name]
+
+	base := filepath.Base(name)
+	runtime.supportsJSON = supportsJSON[base]
+	runtime.supportsNoCgroups = supportsNoCgroups[base]
+	runtime.supportsKVM = supportsKVM[base]
 
 	foundPath := false
 	for _, path := range paths {

diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go
@@ -2,6 +2,7 @@ package integration
 
 import (
 	"os"
+	"path/filepath"
 
 	. "github.com/containers/podman/v3/test/utils"
 	. "github.com/onsi/ginkgo"
@@ -294,4 +295,52 @@ var _ = Describe("Podman run", func() {
 		Expect(session.ExitCode()).To(Equal(0))
 		Expect(session.OutputToString()).To(ContainSubstring("container_t"))
 	})
+
+	It("podman test --ipc=net", func() {
+		session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(ContainSubstring("container_t"))
+	})
+
+	It("podman test --ipc=net", func() {
+		session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(ContainSubstring("container_t"))
+	})
+
+	It("podman test --runtime=/PATHTO/kata-runtime", func() {
+		runtime := podmanTest.OCIRuntime
+		podmanTest.OCIRuntime = filepath.Join(podmanTest.TempDir, "kata-runtime")
+		err := os.Symlink("/bin/true", podmanTest.OCIRuntime)
+		Expect(err).To(BeNil())
+		if IsRemote() {
+			podmanTest.StopRemoteService()
+			podmanTest.StartRemoteService()
+		}
+		session := podmanTest.Podman([]string{"create", ALPINE})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		cid := session.OutputToString()
+		session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(ContainSubstring("container_kvm_t"))
+
+		podmanTest.OCIRuntime = runtime
+		if IsRemote() {
+			podmanTest.StopRemoteService()
+			podmanTest.StartRemoteService()
+		}
+	})
+
+	It("podman test init labels", func() {
+		session := podmanTest.Podman([]string{"create", ubi_init, "/sbin/init"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		cid := session.OutputToString()
+		session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(ContainSubstring("container_init_t"))
+	})
 })
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
@@ -39,17 +39,17 @@ function check_label() {
 }
 
 @test "podman selinux: container with label=disable" {
-    skip_if_rootless
-
     check_label "--security-opt label=disable" "spc_t"
 }
 
 @test "podman selinux: privileged container" {
-    skip_if_rootless
-
     check_label "--privileged --userns=host" "spc_t"
 }
 
+@test "podman selinux: init container" {
+    check_label "--systemd=always" "container_init_t"
+}
+
 @test "podman selinux: pid=host" {
     # FIXME FIXME FIXME: Remove these lines once all VMs have >= 2.146.0
     # (this is ugly, but better than an unconditional skip)
@@ -74,6 +74,18 @@ function check_label() {
     check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2"
 }
 
+@test "podman selinux: inspect kvm labels" {
+    skip_if_no_selinux
+    skip_if_remote "runtime flag is not passed over remote"
+    if [ ! -e /usr/bin/kata-runtime ]; then
+        skip "kata-runtime not available"
+    fi
+
+    run_podman create --runtime=kata --name myc $IMAGE
+    run_podman inspect --format='{{ .ProcessLabel }}' myc
+    is "$output" ".*container_kvm_t.*"
+}
+
 # pr #6752
 @test "podman selinux: inspect multiple labels" {
     skip_if_no_selinux