[release/1.4 backport] selinux: relabel /dev/shm

dweomer · dweomer · commit 1ec7ede44fc7 · 2020-11-11T15:24:49.000-07:00
Address an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, k3s-io/k3s#2240. This is a backport of containerd/containerd#4699 Even with updated container-selinux policy, container-local /dev/shm will get mounted with container_runtime_tmpfs_t because it is a tmpfs created by the runtime and not the container (thus, container_runtime_t transition rules apply). The relabel mitigates such, allowing envoy proxy to work correctly (and other programs that wish to write to their /dev/shm) under selinux. Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
diff --git a/pkg/server/container_create_unix.go b/pkg/server/container_create_unix.go
@@ -101,9 +101,10 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 			sandboxDevShm = devShm
 		}
 		mounts = append(mounts, &runtime.Mount{
-			ContainerPath: devShm,
-			HostPath:      sandboxDevShm,
-			Readonly:      false,
+			ContainerPath:  devShm,
+			HostPath:       sandboxDevShm,
+			Readonly:       false,
+			SelinuxRelabel: sandboxDevShm != devShm,
 		})
 	}
 	return mounts
diff --git a/pkg/server/container_create_unix_test.go b/pkg/server/container_create_unix_test.go
@@ -457,9 +457,10 @@ func TestContainerMounts(t *testing.T) {
 					Readonly:      true,
 				},
 				{
-					ContainerPath: "/dev/shm",
-					HostPath:      filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
-					Readonly:      false,
+					ContainerPath:  "/dev/shm",
+					HostPath:       filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 			},
 		},
@@ -482,9 +483,10 @@ func TestContainerMounts(t *testing.T) {
 					Readonly:      false,
 				},
 				{
-					ContainerPath: "/dev/shm",
-					HostPath:      filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
-					Readonly:      false,
+					ContainerPath:  "/dev/shm",
+					HostPath:       filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 			},
 		},
@@ -555,9 +557,10 @@ func TestContainerMounts(t *testing.T) {
 					Readonly:      false,
 				},
 				{
-					ContainerPath: "/dev/shm",
-					HostPath:      filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
-					Readonly:      false,
+					ContainerPath:  "/dev/shm",
+					HostPath:       filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 			},
 		},

Original file line number	Diff line number	Diff line change
`@@ -101,9 +101,10 @@ func (c criService) containerMounts(sandboxID string, config runtime.Container`
`101`	`101`	`sandboxDevShm = devShm`
`102`	`102`	`}`
`103`	`103`	`mounts = append(mounts, &runtime.Mount{`
`104`		`- ContainerPath: devShm,`
`105`		`- HostPath: sandboxDevShm,`
`106`		`- Readonly: false,`
	`104`	`+ ContainerPath: devShm,`
	`105`	`+ HostPath: sandboxDevShm,`
	`106`	`+ Readonly: false,`
	`107`	`+ SelinuxRelabel: sandboxDevShm != devShm,`
`107`	`108`	`})`
`108`	`109`	`}`
`109`	`110`	`return mounts`