osbuilder: Create guest image for SELinux

Create a guest image to support SELinux for containers inside the guest if `SELINUX=yes` is specified. This works only if the guest rootfs is CentOS and the init service is systemd, not the agent init. To enable labeling the guest image on the host, selinuxfs must be mounted on the host. The kata-agent will be labeled as `container_runtime_exec_t` type. Fixes: #4812 Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2025-09-15 13:58:55 +00:00 · 2022-08-08 09:42:41 +09:00
parent a9c746f284
commit a75f99d20d
4 changed files with 82 additions and 2 deletions
--- a/tools/osbuilder/image-builder/image_builder.sh
+++ b/tools/osbuilder/image-builder/image_builder.sh
@@ -64,6 +64,8 @@ readonly -a systemd_files=(

 # Set a default value
 AGENT_INIT=${AGENT_INIT:-no}
+SELINUX=${SELINUX:-no}
+SELINUXFS="/sys/fs/selinux"

 # Align image to 128M
 readonly mem_boundary_mb=128
@@ -93,6 +95,10 @@ Extra environment variables:
 	                DEFAULT: not set
 	USE_PODMAN:     If set and USE_DOCKER not set, will build image in a Podman Container (requries podman)
 	                DEFAULT: not set
+	SELINUX:        If set to "yes", the rootfs is labeled for SELinux.
+	                Make sure that selinuxfs is mounted to /sys/fs/selinux on the host
+	                and the rootfs is built with SELINUX=yes.
+	                DEFAULT value: "no"


 Following diagram shows how the resulting image will look like
@@ -134,6 +140,7 @@ build_with_container() {
 	local nsdax_bin="$9"
 	local container_image_name="image-builder-osbuilder"
 	local shared_files=""
+	local selinuxfs=""

 	image_dir=$(readlink -f "$(dirname "${image}")")
 	image_name=$(basename "${image}")
@@ -157,6 +164,14 @@ build_with_container() {
 		shared_files+="-v ${mke2fs_conf}:${mke2fs_conf}:ro "
 	fi

+	if [ "${SELINUX}" == "yes" ]; then
+		if mountpoint $SELINUXFS > /dev/null; then
+			selinuxfs="-v ${SELINUXFS}:${SELINUXFS}"
+		else
+			die "Make sure that SELinux is enabled on the host"
+		fi
+	fi
+
 	#Make sure we use a compatible runtime to build rootfs
 	# In case Clear Containers Runtime is installed we dont want to hit issue:
 	#https://github.com/clearcontainers/runtime/issues/828
@@ -170,12 +185,14 @@ build_with_container() {
 		   --env BLOCK_SIZE="${block_size}" \
 		   --env ROOT_FREE_SPACE="${root_free_space}" \
 		   --env NSDAX_BIN="${nsdax_bin}" \
+		   --env SELINUX="${SELINUX}" \
 		   --env DEBUG="${DEBUG}" \
 		   -v /dev:/dev \
 		   -v "${script_dir}":"/osbuilder" \
 		   -v "${script_dir}/../scripts":"/scripts" \
 		   -v "${rootfs}":"/rootfs" \
 		   -v "${image_dir}":"/image" \
+		   ${selinuxfs} \
 		   ${shared_files} \
 		   ${container_image_name} \
 		   bash "/osbuilder/${script_name}" -o "/image/${image_name}" /rootfs
@@ -384,6 +401,7 @@ create_rootfs_image() {
 	local img_size="$3"
 	local fs_type="$4"
 	local block_size="$5"
+	local agent_bin="$6"

 	create_disk "${image}" "${img_size}" "${fs_type}" "${rootfs_start}"

@@ -402,6 +420,31 @@ create_rootfs_image() {

 	info "Copying content from rootfs to root partition"
 	cp -a "${rootfs}"/* "${mount_dir}"
+
+	if [ "${SELINUX}" == "yes" ]; then
+		if [ "${AGENT_INIT}" == "yes" ]; then
+			die "Guest SELinux with the agent init is not supported yet"
+		fi
+
+		info "Labeling rootfs for SELinux"
+		selinuxfs_path="${mount_dir}${SELINUXFS}"
+		mkdir -p $selinuxfs_path
+		if mountpoint $SELINUXFS > /dev/null && \
+			chroot "${mount_dir}" command -v restorecon > /dev/null; then
+			mount -t selinuxfs selinuxfs $selinuxfs_path
+			chroot "${mount_dir}" restorecon -RF -e ${SELINUXFS} /
+			# TODO: This operation will be removed after the updated container-selinux that
+			# includes the following commit is released.
+			# https://github.com/containers/container-selinux/commit/39f83cc74d50bd10ab6be4d0bdd98bc04857469f
+			# We use chcon as an interim solution until then.
+			chroot "${mount_dir}" chcon -t container_runtime_exec_t "/usr/bin/${agent_bin}"
+			umount $selinuxfs_path
+		else
+			die "Could not label the rootfs. Make sure that SELinux is enabled on the host \
+and the rootfs is built with SELINUX=yes"
+		fi
+	fi
+
 	sync
 	OK "rootfs copied"

@@ -529,7 +572,7 @@ main() {
 	# consider in calculate_img_size
 	rootfs_img_size=$((img_size - dax_header_sz))
 	create_rootfs_image "${rootfs}" "${image}" "${rootfs_img_size}" \
-						"${fs_type}" "${block_size}"
+						"${fs_type}" "${block_size}" "${agent_bin}"

 	# insert at the beginning of the image the MBR + DAX header
 	set_dax_header "${image}" "${img_size}" "${fs_type}" "${nsdax_bin}"