diff --git a/src/runtime/Makefile b/src/runtime/Makefile index ff0f1fb385..73805741ed 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -158,6 +158,8 @@ DEFDISABLEGUESTSECCOMP := true #Default experimental features enabled DEFAULTEXPFEATURES := [] +DEFDISABLESELINUX := false + #Default entropy source DEFENTROPYSOURCE := /dev/urandom DEFVALIDENTROPYSOURCES := [\"/dev/urandom\",\"/dev/random\",\"\"] @@ -193,9 +195,6 @@ DEFSTATICRESOURCEMGMT ?= false DEFBINDMOUNTS := [] -# Features -FEATURE_SELINUX ?= check - SED = sed CLI_DIR = cmd @@ -433,6 +432,7 @@ USER_VARS += DEFNETWORKMODEL_CLH USER_VARS += DEFNETWORKMODEL_FC USER_VARS += DEFNETWORKMODEL_QEMU USER_VARS += DEFDISABLEGUESTSECCOMP +USER_VARS += DEFDISABLESELINUX USER_VARS += DEFAULTEXPFEATURES USER_VARS += DEFDISABLEBLOCK USER_VARS += DEFBLOCKSTORAGEDRIVER_ACRN @@ -460,7 +460,6 @@ USER_VARS += DEFSTATICRESOURCEMGMT USER_VARS += DEFSTATICRESOURCEMGMT_FC USER_VARS += DEFBINDMOUNTS USER_VARS += DEFVFIOMODE -USER_VARS += FEATURE_SELINUX USER_VARS += BUILDFLAGS @@ -475,21 +474,6 @@ QUIET_TEST = $(Q:@=@echo ' TEST '$@;) BUILDTAGS := -ifneq ($(FEATURE_SELINUX),no) - SELINUXTAG := $(shell ./hack/selinux_tag.sh) - - ifneq ($(SELINUXTAG),) - override FEATURE_SELINUX = yes - BUILDTAGS += --tags "$(SELINUXTAG)" - else - ifeq ($(FEATURE_SELINUX),yes) - $(error "ERROR: SELinux support requested, but libselinux is not available") - endif - - override FEATURE_SELINUX = no - endif -endif - # go build common flags BUILDFLAGS := -buildmode=pie -mod=vendor ${BUILDTAGS} @@ -749,9 +733,6 @@ endif @printf "\tKnown: $(sort $(HYPERVISORS))\n" @printf "\tAvailable for this architecture: $(sort $(KNOWN_HYPERVISORS))\n" @printf "\n" - @printf "• Features:\n" - @printf "\tSELinux (FEATURE_SELINUX): $(FEATURE_SELINUX)\n" - @printf "\n" @printf "• Summary:\n" @printf "\n" @printf "\tdestination install path (DESTDIR) : %s\n" $(abspath $(DESTDIR)) 
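Review bot: The new `DEFDISABLESELINUX := false` default is added without the `#Default …` comment that every neighbouring variable in this hunk carries (`#Default experimental features enabled`, `#Default entropy source`), so a packager reading the Makefile cannot tell what the knob controls; suggest `#Default for disable_selinux: apply the SELinux process label to the VMM (set true to skip confinement)`. Dropping the FEATURE_SELINUX/selinux_tag.sh probe also removes the only build-time signal that SELinux support was requested but unavailable, together with the `• Features:` summary line; the replacement is now purely a runtime configuration default, which is worth stating in the commit message so distro packagers know the build no longer fails loudly. `false` is the right default here: confinement stays on unless an operator explicitly opts out.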
diff --git a/src/runtime/config/configuration-acrn.toml.in b/src/runtime/config/configuration-acrn.toml.in
index 4ef211835b..2a9736e9ee 100644
--- a/src/runtime/config/configuration-acrn.toml.in
+++ b/src/runtime/config/configuration-acrn.toml.in
@@ -185,6 +185,9 @@ internetworking_model="@DEFNETWORKMODEL_ACRN@"
 # (default: true)
 disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
+# disable applying SELinux on the VMM process (default false)
+disable_selinux=@DEFDISABLESELINUX@
+
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in
index 1296d20b95..afb5370757 100644
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@@ -232,6 +232,9 @@ internetworking_model="@DEFNETWORKMODEL_CLH@"
 # (default: true)
 disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
+# disable applying SELinux on the VMM process (default false)
+disable_selinux=@DEFDISABLESELINUX@
+
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
diff --git a/src/runtime/config/configuration-fc.toml.in b/src/runtime/config/configuration-fc.toml.in
index ad3e5c6721..d9eb093c2d 100644
--- a/src/runtime/config/configuration-fc.toml.in
+++ b/src/runtime/config/configuration-fc.toml.in
@@ -309,6 +309,9 @@ internetworking_model="@DEFNETWORKMODEL_FC@"
 # (default: true)
 disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
+# disable applying SELinux on the VMM process (default false)
+disable_selinux=@DEFDISABLESELINUX@
+
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
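Review bot: The added comment `# disable applying SELinux on the VMM process (default false)` does not tell an operator what they give up by turning it on: the runtime then skips setting its own SELinux process label before launching the VMM (and, on the virtiofs-based hypervisors, virtiofsd), so those processes inherit whatever label the runtime itself runs under rather than the VMM policy. Suggest: `# If true, the runtime does not apply the configured SELinux process label before launching the VMM; the VMM (and virtiofsd) then inherit the runtime's own label instead of being confined by the VMM policy. Keep false unless that policy is known to break your workload. (default: false)`. The same option is added to configuration-acrn.toml.in, but no acrn hypervisor code is touched in this diff; if acrn's StartVM never applies the label, the option is a no-op there and the comment should say so rather than implying a behaviour change.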
diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in
index 804849a132..00c5dbfff0 100644
--- a/src/runtime/config/configuration-qemu.toml.in
+++ b/src/runtime/config/configuration-qemu.toml.in
@@ -503,6 +503,9 @@ internetworking_model="@DEFNETWORKMODEL_QEMU@"
 # (default: true)
 disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
+# disable applying SELinux on the VMM process (default false)
+disable_selinux=@DEFDISABLESELINUX@
+
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go
index e623559339..1a4d3e1c6f 100644
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -136,6 +136,7 @@ type hypervisor struct {
 GuestSwap bool `toml:"enable_guest_swap"`
 Rootless bool `toml:"rootless"`
 DisableSeccomp bool `toml:"disable_seccomp"`
+ DisableSeLinux bool `toml:"disable_selinux"`
 }
 
 type runtime struct {
@@ -878,6 +879,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 EnableAnnotations: h.EnableAnnotations,
 DisableSeccomp: h.DisableSeccomp,
 ConfidentialGuest: h.ConfidentialGuest,
+ DisableSeLinux: h.DisableSeLinux,
 }, nil
 }
 
diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go
index 11c1f7e353..db82ab337f 100644
--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@@ -1,5 +1,6 @@
 //go:build linux
 // +build linux
+
 //
 // Copyright (c) 2019 Ericsson Eurolab Deutschland GmbH
 //
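Review bot: In the config.go hunk the new `DisableSeLinux` field is copied into `HypervisorConfig` only in `newClhHypervisorConfig`; the qemu and firecracker StartVM paths in this same change test `config.DisableSeLinux`, but nothing in the diff wires the TOML value through their constructors, so `disable_selinux=true` in configuration-qemu.toml.in or configuration-fc.toml.in would be parsed and then silently ignored unless that wiring already exists outside this diff. The matching line, `DisableSeLinux: h.DisableSeLinux,`, belongs in the qemu and firecracker config builders as well. Silently keeping confinement on is the fail-safe direction, but a documented knob that does nothing for most of the hypervisors it is added to is a support trap; a unit test asserting the field round-trips from TOML to `HypervisorConfig` for each hypervisor would catch it.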
@@ -469,10 +470,13 @@ func (clh *cloudHypervisor) StartVM(ctx context.Context, timeout int) error {
 // virtiofsd are executed by kata-runtime after this call, run with
 // the SELinux label. If these processes require privileged, we do
 // notwant to run them under confinement.
- if err := label.SetProcessLabel(clh.config.SELinuxProcessLabel); err != nil {
- return err
+ if !clh.config.DisableSeLinux {
+
+ if err := label.SetProcessLabel(clh.config.SELinuxProcessLabel); err != nil {
+ return err
+ }
+ defer label.SetProcessLabel("")
 }
- defer label.SetProcessLabel("")
 
 if clh.config.SharedFS == config.VirtioFS || clh.config.SharedFS == config.VirtioFSNydus {
 clh.Logger().WithField("function", "StartVM").Info("Starting virtiofsDaemon")
diff --git a/src/runtime/virtcontainers/fc.go b/src/runtime/virtcontainers/fc.go
index 39985907f7..7fd7909f4e 100644
--- a/src/runtime/virtcontainers/fc.go
+++ b/src/runtime/virtcontainers/fc.go
@@ -1,5 +1,6 @@
 //go:build linux
 // +build linux
+
 //
 // Copyright (c) 2018 Intel Corporation
 //
@@ -795,10 +796,13 @@ func (fc *firecracker) StartVM(ctx context.Context, timeout int) error {
 // are executed by kata-runtime after this call, run with the SELinux
 // label. If these processes require privileged, we do not want to run
 // them under confinement.
- if err := label.SetProcessLabel(fc.config.SELinuxProcessLabel); err != nil {
- return err
+ if !fc.config.DisableSeLinux {
+
+ if err := label.SetProcessLabel(fc.config.SELinuxProcessLabel); err != nil {
+ return err
+ }
+ defer label.SetProcessLabel("")
 }
- defer label.SetProcessLabel("")
 
 err = fc.fcInit(ctx, fcTimeout)
 if err != nil {
diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
index 26f33f5d6b..cebc515705 100644
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
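Review bot: When `DisableSeLinux` is set, the clh hunk skips `SetProcessLabel` without leaving any trace in the logs, so an incident responder working out why a VMM ran under the runtime's label instead of the configured `SELinuxProcessLabel` has nothing to go on; add an explicit branch ahead of the guard, e.g. `if clh.config.DisableSeLinux { clh.Logger().WithField("function", "StartVM").Warn("disable_selinux set: VMM and virtiofsd will run under the runtime's SELinux label") }`, and the equivalent in the fc hunk. The surviving comment above the guard (`run with the SELinux label … notwant to run them under confinement`) now describes only the default path and should mention the opt-out. The stray blank line after `if !clh.config.DisableSeLinux {` (also present in the fc hunk) is noise gofmt will preserve; drop it. StartVM begins and ends outside this hunk in both files.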
@@ -498,6 +498,9 @@ type HypervisorConfig struct { // Disable seccomp from the hypervisor process DisableSeccomp bool + + // Disable selinux from the hypervisor process + DisableSeLinux bool } // vcpu mapping from vcpu number to thread number diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go index ba3bb9588e..67b24b9a47 100644 --- a/src/runtime/virtcontainers/qemu.go +++ b/src/runtime/virtcontainers/qemu.go @@ -1,5 +1,6 @@ //go:build linux // +build linux + // // Copyright (c) 2016 Intel Corporation // @@ -845,11 +846,13 @@ func (q *qemu) StartVM(ctx context.Context, timeout int) error { // virtiofsd are executed by kata-runtime after this call, run with // the SELinux label. If these processes require privileged, we do // notwant to run them under confinement. - if err := label.SetProcessLabel(q.config.SELinuxProcessLabel); err != nil { - return err - } - defer label.SetProcessLabel("") + if !q.config.DisableSeLinux { + if err := label.SetProcessLabel(q.config.SELinuxProcessLabel); err != nil { + return err + } + defer label.SetProcessLabel("") + } if q.config.SharedFS == config.VirtioFS || q.config.SharedFS == config.VirtioFSNydus { err = q.setupVirtiofsDaemon(ctx) if err != nil {
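Review bot: The doc comment on the new field, `// Disable selinux from the hypervisor process`, is too terse for a security-relevant switch; suggest `// DisableSeLinux, when true, makes StartVM skip applying SELinuxProcessLabel before launching the VMM (and virtiofsd), so they inherit the runtime's own label instead of the VMM policy. Default false.` As a point of style the name should follow Go initialism casing and the sibling field referenced in this hunk as `q.config.SELinuxProcessLabel`: `DisableSELinux`, not `DisableSeLinux`; the TOML tag `disable_selinux` is unaffected, and renaming is cheap now but an API break later. The qemu StartVM hunk has the same silent opt-out as the other hypervisors: nothing is logged when the label is skipped, and a warning on that path would give operators a record; StartVM begins and ends outside the hunk.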