Delay unshare of CLONE_NEWIPC for SELinux

We ensure that mqueue is owned by user namespace root
by unsharing CLONE_NEWIPC after we become user namespace
root. This allows us to apply the container SELinux label
to mqueue.

Signed-off-by: Mrunal Patel <[email protected]>

Author: mrunalp

libcontainer/nsenter/nsexec.c

@@ -632,14 +632,24 @@ void nsexec(void)
 			/*
 			 * Unshare all of the namespaces. Now, it should be noted that this
 			 * ordering might break in the future (especially with rootless
-			 * containers). But for now, it's not possible to split this into
-			 * CLONE_NEWUSER + [the rest] because of some RHEL SELinux issues.
+			 * containers).
+			 *
+			 * CLONE_NEWIPC needs special handling here when CLONE_NEWUSER is
+			 * also specified to ensure that the user namespace root owns
+			 * mqueue. For that case, we unshare CLONE_NEWIPC after
+			 * switching to root user in the user namespace, so we can apply
+			 * the SELinux label to mqueue.
 			 *
 			 * Note that we don't merge this with clone() because there were
 			 * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
 			 * was broken, so we'll just do it the long way anyway.
 			 */
-			if (unshare(config.cloneflags) < 0)
+			uint32_t apply_cloneflags = config.cloneflags;
+			if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
+				apply_cloneflags &= ~CLONE_NEWIPC;
+			}
+
+			if (unshare(apply_cloneflags) < 0)
 				bail("failed to unshare namespaces");
 
 			/*
@@ -735,6 +745,12 @@ void nsexec(void)
 			if (setgroups(0, NULL) < 0)
 				bail("setgroups failed");
 
+			/* Unshare CLONE_NEWIPC after becoming root in user namespace */
+			if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
+				if (unshare(CLONE_NEWIPC) < 0)
+					bail("unshare ipc failed");
+			}
+
 			s = SYNC_CHILD_READY;
 			if (write(syncfd, &s, sizeof(s)) != sizeof(s))
 				bail("failed to sync with patent: write(SYNC_CHILD_READY)");