From 805482413a87f8fbbffd660f34fa163933e3350d Mon Sep 17 00:00:00 2001 From: Jan Safranek Date: Wed, 26 Oct 2022 13:56:28 +0200 Subject: [PATCH] Fix SELinux check of mounted volumes In PodExistsInVolume with volumeObj.seLinuxMountContext != nil we know that the volume has been previously mounted with a given SELinuxMountContext. Either it has been mounted by this kubelet and we know it's correct or it was by a previous instance of kubelet and the context has been reconstructed from the filesystem. In both cases, the actual context is correct, regardless if the volume plugin or PV access mode supports SELinux mounts.
---
 .../cache/actual_state_of_world.go | 12 +++----
 .../cache/actual_state_of_world_test.go | 35 +++++++++++++++++--
 2 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/pkg/kubelet/volumemanager/cache/actual_state_of_world.go b/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
index e23dc4dad7d..2c7e3bf3476 100644
--- a/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
+++ b/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
@@ -817,15 +817,11 @@ func (asw *actualStateOfWorld) PodExistsInVolume(podName volumetypes.UniquePodNa
 return false, "", newVolumeNotAttachedError(volumeName)
 }
 
+ // The volume exists, check its SELinux context mount option
 if utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
- if volumeObj.seLinuxMountContext != nil {
- // The volume is mounted, check its SELinux context mount option
- if *volumeObj.seLinuxMountContext != seLinuxLabel {
- fullErr := newSELinuxMountMismatchError(volumeName)
- if util.VolumeSupportsSELinuxMount(volumeObj.spec) {
- return false, volumeObj.devicePath, fullErr
- }
- }
+ if volumeObj.seLinuxMountContext != nil && *volumeObj.seLinuxMountContext != seLinuxLabel {
+ fullErr := newSELinuxMountMismatchError(volumeName)
+ return false, volumeObj.devicePath, fullErr
 }
 }
 
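Review bot: The reason the util.VolumeSupportsSELinuxMount gate was dropped lives only in the commit message; a reader of the new condition who sees a mismatch error returned for a plugin that does not advertise SELinux mount support may well reintroduce the check. Record the invariant next to the condition, e.g. `// seLinuxMountContext is set only once the volume was actually mounted with that context (by this kubelet, or reconstructed from the filesystem), so a mismatch is real regardless of plugin/PV SELinux support.` The `fullErr` temporary is left over from the old nested form and no longer earns its keep with a single return path; `return false, volumeObj.devicePath, newSELinuxMountMismatchError(volumeName)` reads more directly. PodExistsInVolume begins and ends outside the hunk.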
diff --git a/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go b/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go
index fd4be85f0df..e69018c4d1c 100644
--- a/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go
+++ b/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go
@@ -892,7 +892,8 @@ func Test_AddPodToVolume_Positive_SELinux(t *testing.T) {
 verifyVolumeExistsAswWithSELinux(t, generatedVolumeName, "system_u:object_r:container_file_t:s0:c0,c1", asw)
 verifyVolumeDoesntExistInUnmountedVolumes(t, generatedVolumeName, asw)
 verifyVolumeDoesntExistInGloballyMountedVolumes(t, generatedVolumeName, asw)
- verifyPodExistsInVolumeAsw(t, podName, generatedVolumeName, "fake/device/path" /* expectedDevicePath */, asw)
+ verifyPodExistsInVolumeAswWithSELinux(t, podName, generatedVolumeName, "fake/device/path" /* expectedDevicePath */, "system_u:object_r:container_file_t:s0:c0,c1", asw)
+ verifyPodExistsInVolumeSELinuxMismatch(t, podName, generatedVolumeName, "" /* wrong SELinux label */, asw)
 verifyVolumeExistsWithSpecNameInVolumeAsw(t, podName, volumeSpec.Name(), asw)
 verifyVolumeMountedElsewhere(t, podName, generatedVolumeName, false /*expectedMountedElsewhere */, asw)
 }
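Review bot: The added mismatch check passes `""` as the wrong label, so it only exercises the "no context requested" case; the realistic mismatch — a pod asking for a different, non-empty context than the one the volume was mounted with — is not covered, and that is the case the production change in PodExistsInVolume now rejects unconditionally. Add a second call with a constructed distinct label, e.g. `verifyPodExistsInVolumeSELinuxMismatch(t, podName, generatedVolumeName, "system_u:object_r:container_file_t:s0:c9,c8" /* different categories */, asw)`. Test_AddPodToVolume_Positive_SELinux starts outside the hunk, so whether it enables the SELinuxMountReadWriteOncePod gate (which the mismatch path requires) cannot be confirmed from here.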
@@ -1154,8 +1155,18 @@ func verifyPodExistsInVolumeAsw(
 expectedVolumeName v1.UniqueVolumeName,
 expectedDevicePath string,
 asw ActualStateOfWorld) {
+ verifyPodExistsInVolumeAswWithSELinux(t, expectedPodName, expectedVolumeName, expectedDevicePath, "", asw)
+}
+
+func verifyPodExistsInVolumeAswWithSELinux(
+ t *testing.T,
+ expectedPodName volumetypes.UniquePodName,
+ expectedVolumeName v1.UniqueVolumeName,
+ expectedDevicePath string,
+ expectedSELinuxLabel string,
+ asw ActualStateOfWorld) {
 podExistsInVolume, devicePath, err :=
- asw.PodExistsInVolume(expectedPodName, expectedVolumeName, resource.Quantity{}, "")
+ asw.PodExistsInVolume(expectedPodName, expectedVolumeName, resource.Quantity{}, expectedSELinuxLabel)
 if err != nil {
 t.Fatalf(
 "ASW PodExistsInVolume failed. Expected: Actual: <%v>", err)
@@ -1221,6 +1232,26 @@ func verifyPodDoesntExistInVolumeAsw(
 }
 }
 
+func verifyPodExistsInVolumeSELinuxMismatch(
+ t *testing.T,
+ podToCheck volumetypes.UniquePodName,
+ volumeToCheck v1.UniqueVolumeName,
+ unexpectedSELinuxLabel string,
+ asw ActualStateOfWorld) {
+
+ podExistsInVolume, _, err := asw.PodExistsInVolume(podToCheck, volumeToCheck, resource.Quantity{}, unexpectedSELinuxLabel)
+ if podExistsInVolume {
+ t.Errorf("expected Pod %s not to exists, but it does", podToCheck)
+ }
+ if err == nil {
+ t.Error("expected PodExistsInVolume to return error, but it returned nil")
+ }
+
+ if !IsSELinuxMountMismatchError(err) {
+ t.Errorf("expected PodExistsInVolume to return SELinuxMountMismatchError, got %s", err)
+ }
+}
+
 func verifyVolumeExistsWithSpecNameInVolumeAsw(
 t *testing.T,
 expectedPodName volumetypes.UniquePodName,
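Review bot: In verifyPodExistsInVolumeSELinuxMismatch (the second hunk) a nil error is reported with `t.Error` and then still handed to IsSELinuxMountMismatchError, which yields a second, redundant failure whose `%s` of a nil error prints as `%!s(<nil>)`; make the nil case terminal with `t.Fatal("expected PodExistsInVolume to return error, but it returned nil")` and format the error with `%v` in the following Errorf. The first message should read `"expected Pod %s not to exist, but it does"`. A one-line doc comment on the helper, such as `// verifyPodExistsInVolumeSELinuxMismatch asserts that PodExistsInVolume rejects a pod whose requested SELinux label differs from the volume's mounted context.`, would also document that the call is expected to fail, which the name alone does not make obvious.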