From 01c889fb666d0f131a99edf6f6232bd17245d438 Mon Sep 17 00:00:00 2001
From: Manabu Sugimoto
Date: Wed, 6 Jul 2022 15:35:24 +0900
Subject: [PATCH] runtime: Fix DisableSelinux config

Enable Kata runtime to handle `disable_selinux` flag properly in order to be able to change the status by the runtime configuration whether the runtime applies the SELinux label to VMM process.

Fixes: #4599

Signed-off-by: Manabu Sugimoto
---
 src/runtime/config/configuration-acrn.toml.in | 6 +++---
 src/runtime/config/configuration-clh.toml.in  | 6 +++---
 src/runtime/config/configuration-fc.toml.in   | 6 +++---
 src/runtime/config/configuration-qemu.toml.in | 6 +++---
 src/runtime/pkg/katautils/config.go           | 3 +++
 5 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/src/runtime/config/configuration-acrn.toml.in b/src/runtime/config/configuration-acrn.toml.in
index f0be92ad08..5f1368ce82 100644
--- a/src/runtime/config/configuration-acrn.toml.in
+++ b/src/runtime/config/configuration-acrn.toml.in
@@ -118,6 +118,9 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_ACRN@"
 # but it will not abort container execution.
 #guest_hook_path = "/usr/share/oci/hooks"
 
+# disable applying SELinux on the VMM process (default false)
+disable_selinux=@DEFDISABLESELINUX@
+
 [agent.@PROJECT_TYPE@]
 # If enabled, make the agent display debug-level messages.
 # (default: disabled)
@@ -186,9 +189,6 @@ internetworking_model="@DEFNETWORKMODEL_ACRN@"
 # (default: true)
 disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
-# disable applying SELinux on the VMM process (default false)
-disable_selinux=@DEFDISABLESELINUX@
-
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in
index 5d2d9c2f10..f09c095f0e 100644
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
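Review bot: The `disable_selinux` key is relocated from the `[runtime]` section to the `[hypervisor.acrn]` section here, and the clh, fc and qemu templates make the same move, so a deployed configuration that still carries the key under `[runtime]` will presumably no longer be read into the hypervisor config and the default (false, i.e. the label is applied) takes over. Failing toward the labelled VMM is the safer direction, but nothing in the diff makes it visible to the operator; the template comment could say so, e.g. `# NOTE: this key moved from [runtime] to the [hypervisor.*] section; a value left under [runtime] is no longer honoured`. Whether the loader rejects or silently ignores the stale `[runtime]` key cannot be seen from this diff, so I'd confirm the runtime-section decoder does not still keep its own copy of the flag that shadows this one.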
@@ -39,6 +39,9 @@ image = "@IMAGEPATH@"
 # Default false
 # confidential_guest = true
 
+# disable applying SELinux on the VMM process (default false)
+disable_selinux=@DEFDISABLESELINUX@
+
 # Path to the firmware.
 # If you want Cloud Hypervisor to use a specific firmware, set its path below.
 # This is option is only used when confidential_guest is enabled.
@@ -319,9 +322,6 @@ internetworking_model="@DEFNETWORKMODEL_CLH@"
 # (default: true)
 disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
-# disable applying SELinux on the VMM process (default false)
-disable_selinux=@DEFDISABLESELINUX@
-
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
diff --git a/src/runtime/config/configuration-fc.toml.in b/src/runtime/config/configuration-fc.toml.in
index 8761d8a02e..b7f349c0dd 100644
--- a/src/runtime/config/configuration-fc.toml.in
+++ b/src/runtime/config/configuration-fc.toml.in
@@ -221,6 +221,9 @@ valid_entropy_sources = @DEFVALIDENTROPYSOURCES@
 # Default 0-sized value means unlimited rate.
 #tx_rate_limiter_max_rate = 0
 
+# disable applying SELinux on the VMM process (default false)
+disable_selinux=@DEFDISABLESELINUX@
+
 [factory]
 # VM templating support. Once enabled, new VMs are created from template
 # using vm cloning. They will share the same initial kernel, initramfs and
@@ -309,9 +312,6 @@ internetworking_model="@DEFNETWORKMODEL_FC@"
 # (default: true)
 disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
-# disable applying SELinux on the VMM process (default false)
-disable_selinux=@DEFDISABLESELINUX@
-
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in
index 115cd19ccd..3ec44c8b6e 100644
--- a/src/runtime/config/configuration-qemu.toml.in
+++ b/src/runtime/config/configuration-qemu.toml.in
@@ -406,6 +406,9 @@ valid_entropy_sources = @DEFVALIDENTROPYSOURCES@
 # use legacy serial for guest console if available and implemented for architecture. Default false
 #use_legacy_serial = true
 
+# disable applying SELinux on the VMM process (default false)
+disable_selinux=@DEFDISABLESELINUX@
+
 [factory]
 # VM templating support. Once enabled, new VMs are created from template
 # using vm cloning. They will share the same initial kernel, initramfs and
@@ -523,9 +526,6 @@ internetworking_model="@DEFNETWORKMODEL_QEMU@"
 # (default: true)
 disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
-# disable applying SELinux on the VMM process (default false)
-disable_selinux=@DEFDISABLESELINUX@
-
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go
index 4edc0c1108..0903c8ea9e 100644
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -669,6 +669,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		RxRateLimiterMaxRate: rxRateLimiterMaxRate,
 		TxRateLimiterMaxRate: txRateLimiterMaxRate,
 		EnableAnnotations:    h.EnableAnnotations,
+		DisableSeLinux:       h.DisableSeLinux,
 	}, nil
 }
 
@@ -805,6 +806,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		GuestSwap:            h.GuestSwap,
 		Rootless:             h.Rootless,
 		LegacySerial:         h.LegacySerial,
+		DisableSeLinux:       h.DisableSeLinux,
 	}, nil
 }
 
@@ -869,6 +871,7 @@ func newAcrnHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		BlockDeviceDriver: blockDriver,
 		DisableVhostNet:   h.DisableVhostNet,
 		GuestHookPath:     h.guestHookPath(),
+		DisableSeLinux:    h.DisableSeLinux,
 		EnableAnnotations: h.EnableAnnotations,
 	}, nil
 }
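Review bot: `DisableSeLinux` is copied into the Firecracker, QEMU and ACRN hypervisor configs, but this file section has no hunk for the Cloud Hypervisor builder even though the clh template gains the same `disable_selinux` key under its hypervisor section; unless that builder already copies the field (not visible in this diff), the clh driver would keep the zero value and the operator's setting would have no effect there. If it is missing, the fix is the same one line, `DisableSeLinux: h.DisableSeLinux,`, placed next to the other config knobs. A smaller point of style: the ACRN hunk inserts the field before `EnableAnnotations` while the other two append it after the last existing field; keeping the same position across the three builders makes future side-by-side diffs easier to read. All three enclosing functions start before their hunks.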