dmz: remove SELinux special-casing

Now that runc-dmz is opt-in, we no longer need to try to detect whether
SELinux would cause issues for us. We can also remove the
special-purpose build-tag we added.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
Aleksa Sarai
2024-03-13 16:23:36 +11:00
parent 1950892f69
commit 37581ad340
10 changed files with 30 additions and 69 deletions
-11
View File
@@ -159,17 +159,6 @@ task:
echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config
sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
systemctl restart sshd
# Disable the dmz-vs-selinux workaround for distros that have
# container-selinux >= 2.224.0 (CentOS 7 does not have it).
case $DISTRO in
centos-7)
# Do nothing.
;;
*)
echo 'export EXTRA_BUILDTAGS=runc_dmz_selinux_nocompat' >> /root/.bashrc
;;
esac
host_info_script: |
uname -a
# -----
-1
View File
@@ -69,7 +69,6 @@ make BUILDTAGS=""
|---------------|---------------------------------------|--------------------|---------------------|
| `seccomp` | Syscall filtering using `libseccomp`. | yes | `libseccomp` |
| `!runc_nodmz` | Reduce memory usage for CVE-2019-5736 protection by using a small C binary, [see `memfd-bind` for more details][contrib-memfd-bind]. `runc_nodmz` disables this **experimental feature** and causes runc to use a different protection mechanism which will further increases memory usage temporarily during container startup. To enable this feature you also need to set the `RUNC_DMZ=true` environment variable. | yes ||
| `runc_dmz_selinux_nocompat` | Disables a SELinux DMZ workaround (new distros should set this). See [dmz README] for details. | no ||
The following build tags were used earlier, but are now obsoleted:
- **nokmem** (since runc v1.0.0-rc94 kernel memory settings are ignored)
-3
View File
@@ -32,9 +32,6 @@ EOF
# To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp.
mount -o remount,suid /tmp
# Disable selinux-vs-dmz workaround as Fedora doesn't need it.
echo 'export EXTRA_BUILDTAGS=runc_dmz_selinux_nocompat' >> /root/.bashrc
# Prevent the "fatal: unsafe repository" git complain during build.
git config --global --add safe.directory /vagrant
-4
View File
@@ -463,10 +463,6 @@ func slicesContains[S ~[]E, E comparable](slice S, needle E) bool {
}
func isDmzBinarySafe(c *configs.Config) bool {
if !dmz.WorksWithSELinux(c) {
return false
}
// Because we set the dumpable flag in nsexec, the only time when it is
// unsafe to use runc-dmz is when the container process would be able to
// race against "runc init" and bypass the ptrace_may_access() checks.
-12
View File
@@ -15,16 +15,4 @@ It also support all the architectures we support in runc.
If the GOARCH we use for compiling doesn't support nolibc, it fallbacks to using the C stdlib.
## SELinux compatibility issue and a workaround
Older SELinux policy can prevent runc to execute the dmz binary. The issue is
fixed in [container-selinux v2.224.0]. Yet, some older distributions may not
have the fix, so runc has a runtime workaround of disabling dmz if it finds
that SELinux is in enforced mode and the container SELinux label is set.
Distributions that have a sufficiently new container-selinux can disable the
workaround by building runc with the `runc_dmz_selinux_nocompat` build flag,
essentially allowing dmz to be used together with SELinux.
[nolibc-upstream]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/include/nolibc?h=v6.6-rc3
[container-selinux v2.224.0]: https://github.com/containers/container-selinux/releases/tag/v2.224.0
-10
View File
@@ -1,10 +0,0 @@
//go:build runc_dmz_selinux_nocompat || !linux
package dmz
import "github.com/opencontainers/runc/libcontainer/configs"
// WorksWithSELinux tells whether runc-dmz can work with SELinux.
func WorksWithSELinux(*configs.Config) bool {
return true
}
-28
View File
@@ -1,28 +0,0 @@
//go:build linux && !runc_dmz_selinux_nocompat
package dmz
import (
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/selinux/go-selinux"
)
// WorksWithSELinux tells whether runc-dmz can work with SELinux.
//
// Older SELinux policy can prevent runc to execute the dmz binary. The issue is
// fixed in container-selinux >= 2.224.0:
//
// - https://github.com/containers/container-selinux/issues/274
// - https://github.com/containers/container-selinux/pull/280
//
// Alas, there is is no easy way to do a runtime check if dmz works with
// SELinux, so the below workaround is enabled by default. It results in
// disabling dmz in case container SELinux label is set and the selinux is in
// enforced mode.
//
// Newer distributions that have the sufficiently new container-selinux version
// can build runc with runc_dmz_selinux_nocompat build flag to disable this
// workaround (essentially allowing dmz to be used together with SELinux).
func WorksWithSELinux(c *configs.Config) bool {
return c.ProcessLabel == "" || selinux.EnforceMode() != selinux.Enforcing
}
+14
View File
@@ -538,6 +538,20 @@ function requires() {
done
}
# Allow a test to specify that it will not work properly on a given OS. The
# fingerprint for the OS used for this test is $ID-$VERSION_ID, using the
# variables in /etc/os-release. The arguments are regular expressions, and any
# match will cause the test to be skipped.
function exclude_os() {
local host
host="$(sh -c '. /etc/os-release ; echo "$ID-$VERSION_ID"')"
for bad_os in "$@"; do
if [[ "$host" =~ ^$bad_os$ ]]; then
skip "test doesn't work on $bad_os"
fi
done
}
# Retry a command $1 times until it succeeds. Wait $2 seconds between retries.
function retry() {
local attempts=$1
+12
View File
@@ -128,6 +128,10 @@ function teardown() {
}
@test "RUNC_DMZ=true runc run [runc-dmz]" {
# centos-7 has an outdated container-selinux (<2.224.0) which means
# runc-dmz won't work.
exclude_os centos-7
RUNC_DMZ=true runc --debug run test_hello
[ "$status" -eq 0 ]
[[ "$output" = *"Hello World"* ]]
@@ -136,6 +140,10 @@ function teardown() {
}
@test "RUNC_DMZ=true runc run [cap_sys_ptrace -> /proc/self/exe clone]" {
# centos-7 has an outdated container-selinux (<2.224.0) which means
# runc-dmz won't work.
exclude_os centos-7
# Add CAP_SYS_PTRACE to the bounding set, the minimum needed to indicate a
# container process _could_ get CAP_SYS_PTRACE.
update_config '.process.capabilities.bounding += ["CAP_SYS_PTRACE"]'
@@ -232,6 +240,10 @@ function teardown() {
}
@test "RUNC_DMZ=true runc run [exec error]" {
# centos-7 has an outdated container-selinux (<2.224.0) which means
# runc-dmz won't work.
exclude_os centos-7
cat <<EOF >rootfs/run.sh
#!/mmnnttbb foo bar
sh
+4
View File
@@ -40,6 +40,10 @@ function teardown() {
# https://github.com/opencontainers/runc/issues/4057
@test "runc run (custom selinux label, RUNC_DMZ=true)" {
# centos-7 has an outdated container-selinux (<2.224.0) which means
# runc-dmz won't work.
exclude_os centos-7
update_config ' .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
| .process.args = ["/bin/true"]'
RUNC_DMZ=true runc run tst