github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-29 04:51:34 +00:00
Code Issues Projects Releases Wiki Activity

runtime: make selinux configurable

Browse Source 
removes --tags selinux handling in the makefile (part of it introduced here: d78ffd6)
and makes selinux configurable via configuration.toml

Fixes: #3631
Signed-off-by: Tanweer Noor <tnoor@apple.com>
This commit is contained in:
Tanweer Noor 2022-02-24 23:08:59 -08:00 committed by Eric Ernst
parent d2d579f1aa
commit 0b6e9f8365
10 changed files with 39 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/runtime/Makefile
View File

@ -165,6 +165,8 @@ DEFDISABLEGUESTSECCOMP := true
#Default experimental features enabled #Default experimental features enabled
DEFAULTEXPFEATURES := [] DEFAULTEXPFEATURES := []
DEFDISABLESELINUX := false
#Default entropy source #Default entropy source
DEFENTROPYSOURCE := /dev/urandom DEFENTROPYSOURCE := /dev/urandom
DEFVALIDENTROPYSOURCES := [\"/dev/urandom\",\"/dev/random\",\"\"] DEFVALIDENTROPYSOURCES := [\"/dev/urandom\",\"/dev/random\",\"\"]
@ -197,9 +199,6 @@ DEFSANDBOXCGROUPONLY ?= false
DEFBINDMOUNTS := [] DEFBINDMOUNTS := []
# Features
FEATURE_SELINUX ?= check
SED = sed SED = sed
CLI_DIR = cmd CLI_DIR = cmd
@ -437,6 +436,7 @@ USER_VARS += DEFNETWORKMODEL_CLH
USER_VARS += DEFNETWORKMODEL_FC USER_VARS += DEFNETWORKMODEL_FC
USER_VARS += DEFNETWORKMODEL_QEMU USER_VARS += DEFNETWORKMODEL_QEMU
USER_VARS += DEFDISABLEGUESTSECCOMP USER_VARS += DEFDISABLEGUESTSECCOMP
USER_VARS += DEFDISABLESELINUX
USER_VARS += DEFAULTEXPFEATURES USER_VARS += DEFAULTEXPFEATURES
USER_VARS += DEFDISABLEBLOCK USER_VARS += DEFDISABLEBLOCK
USER_VARS += DEFBLOCKSTORAGEDRIVER_ACRN USER_VARS += DEFBLOCKSTORAGEDRIVER_ACRN
@ -461,7 +461,6 @@ USER_VARS += DEFVALIDENTROPYSOURCES
USER_VARS += DEFSANDBOXCGROUPONLY USER_VARS += DEFSANDBOXCGROUPONLY
USER_VARS += DEFBINDMOUNTS USER_VARS += DEFBINDMOUNTS
USER_VARS += DEFVFIOMODE USER_VARS += DEFVFIOMODE
USER_VARS += FEATURE_SELINUX
USER_VARS += BUILDFLAGS USER_VARS += BUILDFLAGS
@ -476,21 +475,6 @@ QUIET_TEST = $(Q:@=@echo ' TEST '$@;)
BUILDTAGS := BUILDTAGS :=
ifneq ($(FEATURE_SELINUX),no)
SELINUXTAG := $(shell ./hack/selinux_tag.sh)
ifneq ($(SELINUXTAG),)
override FEATURE_SELINUX = yes
BUILDTAGS += --tags "$(SELINUXTAG)"
else
ifeq ($(FEATURE_SELINUX),yes)
$(error "ERROR: SELinux support requested, but libselinux is not available")
endif
override FEATURE_SELINUX = no
endif
endif
# go build common flags # go build common flags
BUILDFLAGS := -buildmode=pie -mod=vendor ${BUILDTAGS} BUILDFLAGS := -buildmode=pie -mod=vendor ${BUILDTAGS}
@ -762,9 +746,6 @@ endif
@printf "\tKnown: $(sort $(HYPERVISORS))\n" @printf "\tKnown: $(sort $(HYPERVISORS))\n"
@printf "\tAvailable for this architecture: $(sort $(KNOWN_HYPERVISORS))\n" @printf "\tAvailable for this architecture: $(sort $(KNOWN_HYPERVISORS))\n"
@printf "\n" @printf "\n"
@printf "• Features:\n"
@printf "\tSELinux (FEATURE_SELINUX): $(FEATURE_SELINUX)\n"
@printf "\n"
@printf "• Summary:\n" @printf "• Summary:\n"
@printf "\n" @printf "\n"
@printf "\tdestination install path (DESTDIR) : %s\n" $(abspath $(DESTDIR)) @printf "\tdestination install path (DESTDIR) : %s\n" $(abspath $(DESTDIR))

3
src/runtime/config/configuration-acrn.toml.in
View File

@ -200,6 +200,9 @@ internetworking_model="@DEFNETWORKMODEL_ACRN@"
# (default: true) # (default: true)
disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
# disable applying SELinux on the VMM process (default false)
disable_selinux=@DEFDISABLESELINUX@
# If enabled, the runtime will create opentracing.io traces and spans. # If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started). # (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled) # (default: disabled)

3
src/runtime/config/configuration-clh.toml.in
View File

@ -223,6 +223,9 @@ internetworking_model="@DEFNETWORKMODEL_CLH@"
# (default: true) # (default: true)
disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
# disable applying SELinux on the VMM process (default false)
disable_selinux=@DEFDISABLESELINUX@
# If enabled, the runtime will create opentracing.io traces and spans. # If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started). # (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled) # (default: disabled)

3
src/runtime/config/configuration-fc.toml.in
View File

@ -328,6 +328,9 @@ internetworking_model="@DEFNETWORKMODEL_FC@"
# (default: true) # (default: true)
disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
# disable applying SELinux on the VMM process (default false)
disable_selinux=@DEFDISABLESELINUX@
# If enabled, the runtime will create opentracing.io traces and spans. # If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started). # (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled) # (default: disabled)

3
src/runtime/config/configuration-qemu.toml.in
View File

@ -504,6 +504,9 @@ internetworking_model="@DEFNETWORKMODEL_QEMU@"
# (default: true) # (default: true)
disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
# disable applying SELinux on the VMM process (default false)
disable_selinux=@DEFDISABLESELINUX@
# If enabled, the runtime will create opentracing.io traces and spans. # If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started). # (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled) # (default: disabled)

2
src/runtime/pkg/katautils/config.go
View File

@ -136,6 +136,7 @@ type hypervisor struct {
GuestSwap bool `toml:"enable_guest_swap"` GuestSwap bool `toml:"enable_guest_swap"`
Rootless bool `toml:"rootless"` Rootless bool `toml:"rootless"`
DisableSeccomp bool `toml:"disable_seccomp"` DisableSeccomp bool `toml:"disable_seccomp"`
DisableSeLinux bool `toml:"disable_selinux"`
} }
type runtime struct { type runtime struct {
@ -881,6 +882,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
SGXEPCSize: defaultSGXEPCSize, SGXEPCSize: defaultSGXEPCSize,
EnableAnnotations: h.EnableAnnotations, EnableAnnotations: h.EnableAnnotations,
DisableSeccomp: h.DisableSeccomp, DisableSeccomp: h.DisableSeccomp,
DisableSeLinux: h.DisableSeLinux,
}, nil }, nil
} }

9
src/runtime/virtcontainers/clh.go
View File

@ -388,10 +388,13 @@ func (clh *cloudHypervisor) StartVM(ctx context.Context, timeout int) error {
// virtiofsd are executed by kata-runtime after this call, run with // virtiofsd are executed by kata-runtime after this call, run with
// the SELinux label. If these processes require privileged, we do // the SELinux label. If these processes require privileged, we do
// notwant to run them under confinement. // notwant to run them under confinement.
if err := label.SetProcessLabel(clh.config.SELinuxProcessLabel); err != nil { if !clh.config.DisableSeLinux {
return err
if err := label.SetProcessLabel(clh.config.SELinuxProcessLabel); err != nil {
return err
}
defer label.SetProcessLabel("")
} }
defer label.SetProcessLabel("")
if clh.config.SharedFS == config.VirtioFS { if clh.config.SharedFS == config.VirtioFS {
clh.Logger().WithField("function", "StartVM").Info("Starting virtiofsd") clh.Logger().WithField("function", "StartVM").Info("Starting virtiofsd")

9
src/runtime/virtcontainers/fc.go
View File

@ -793,10 +793,13 @@ func (fc *firecracker) StartVM(ctx context.Context, timeout int) error {
// are executed by kata-runtime after this call, run with the SELinux // are executed by kata-runtime after this call, run with the SELinux
// label. If these processes require privileged, we do not want to run // label. If these processes require privileged, we do not want to run
// them under confinement. // them under confinement.
if err := label.SetProcessLabel(fc.config.SELinuxProcessLabel); err != nil { if !fc.config.DisableSeLinux {
return err
if err := label.SetProcessLabel(fc.config.SELinuxProcessLabel); err != nil {
return err
}
defer label.SetProcessLabel("")
} }
defer label.SetProcessLabel("")
err = fc.fcInit(ctx, fcTimeout) err = fc.fcInit(ctx, fcTimeout)
if err != nil { if err != nil {

3
src/runtime/virtcontainers/hypervisor.go
View File

@ -511,6 +511,9 @@ type HypervisorConfig struct {
// Disable seccomp from the hypervisor process // Disable seccomp from the hypervisor process
DisableSeccomp bool DisableSeccomp bool
// Disable selinux from the hypervisor process
DisableSeLinux bool
} }
// vcpu mapping from vcpu number to thread number // vcpu mapping from vcpu number to thread number

14
src/runtime/virtcontainers/qemu.go
View File

@ -23,18 +23,17 @@ import (
"time" "time"
"unsafe" "unsafe"
"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/rootless"
govmmQemu "github.com/kata-containers/govmm/qemu"
"github.com/opencontainers/selinux/go-selinux/label" "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
govmmQemu "github.com/kata-containers/govmm/qemu"
"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace" "github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
pkgUtils "github.com/kata-containers/kata-containers/src/runtime/pkg/utils" pkgUtils "github.com/kata-containers/kata-containers/src/runtime/pkg/utils"
"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/device/config" "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/device/config"
persistapi "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/persist/api" persistapi "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/persist/api"
"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/rootless"
vcTypes "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/types" vcTypes "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/types"
"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/uuid" "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/uuid"
"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types" "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
@ -818,10 +817,12 @@ func (q *qemu) StartVM(ctx context.Context, timeout int) error {
// virtiofsd are executed by kata-runtime after this call, run with // virtiofsd are executed by kata-runtime after this call, run with
// the SELinux label. If these processes require privileged, we do // the SELinux label. If these processes require privileged, we do
// notwant to run them under confinement. // notwant to run them under confinement.
if err := label.SetProcessLabel(q.config.SELinuxProcessLabel); err != nil { if !q.config.DisableSeLinux {
return err if err := label.SetProcessLabel(q.config.SELinuxProcessLabel); err != nil {
return err
}
defer label.SetProcessLabel("")
} }
defer label.SetProcessLabel("")
if q.config.SharedFS == config.VirtioFS { if q.config.SharedFS == config.VirtioFS {
err = q.setupVirtiofsd(ctx) err = q.setupVirtiofsd(ctx)
@ -835,7 +836,6 @@ func (q *qemu) StartVM(ctx context.Context, timeout int) error {
} }
} }
}() }()
} }
var strErr string var strErr string