zishuo/runc
1
0
Fork 0
mirror of https://github.com/opencontainers/runc.git synced 2025-09-26 19:41:35 +08:00
Code Issues Packages Projects Releases Wiki Activity

tests/int: add selinux test case

Browse Source 
This is a test case to demonstrate the selinux vs dmz issue.

The issue is, runc calls selinux.SetExecLabel and then execs the
runc-dmz binary, but the execve is denied by selinux:

> type=PROCTITLE msg=audit(10/05/2023 22:54:07.911:10904) : proctitle=/tmp/bats-run-sGk2sn/runc.Ql243q/bundle/runc init
> type=SYSCALL msg=audit(10/05/2023 22:54:07.911:10904) : arch=x86_64 syscall=execveat success=no exit=EACCES(Permission denied) a0=0x6 a1=0xc0000b90fa a2=0xc0000a26a0 a3=0xc000024660 items=0 ppid=105316 pid=105327 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=runc:[2:INIT] exe=/tmp/bats-run-sGk2sn/runc.Ql243q/bundle/runc subj=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(10/05/2023 22:54:07.911:10904) : avc:  denied  { entrypoint } for  pid=105327 comm=runc:[2:INIT] path=/memfd:runc_cloned:runc-dmz (deleted) dev="tmpfs" ino=2341 scontext=system_u:system_r:container_t:s0:c4,c5 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=file permissive=0

Once that error is fixed (by adding a selinux rule that enables it), we
see one more error, also related to executing a file on tmpfs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit is contained in:
Kir Kolyshkin
2023-10-03 17:44:39 -07:00
parent ef1166a554
commit b39781b067
3 changed files with 63 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.cirrus.yml
View File

@@ -57,7 +57,7 @@ task:
mkdir -p -m 0700 /root/.ssh mkdir -p -m 0700 /root/.ssh
vagrant ssh-config >> /root/.ssh/config vagrant ssh-config >> /root/.ssh/config
guest_info_script: | guest_info_script: |
ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version"' ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version && sestatus"'
check_config_script: | check_config_script: |
ssh default /vagrant/script/check-config.sh ssh default /vagrant/script/check-config.sh
unit_tests_script: | unit_tests_script: |
@@ -79,7 +79,7 @@ task:
CIRRUS_WORKING_DIR: /home/runc CIRRUS_WORKING_DIR: /home/runc
GO_VERSION: "1.20" GO_VERSION: "1.20"
BATS_VERSION: "v1.9.0" BATS_VERSION: "v1.9.0"
RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux
# yamllint disable rule:key-duplicates # yamllint disable rule:key-duplicates
matrix: matrix:
DISTRO: centos-7 DISTRO: centos-7
@@ -170,6 +170,8 @@ task:
# ----- # -----
df -T df -T
# ----- # -----
sestatus
# -----
cat /proc/cpuinfo cat /proc/cpuinfo
check_config_script: | check_config_script: |
/home/runc/script/check-config.sh /home/runc/script/check-config.sh

5
Vagrantfile.fedora
View File

@@ -23,12 +23,15 @@ Vagrant.configure("2") do |config|
cat << EOF | dnf -y --exclude=kernel,kernel-core shell && break cat << EOF | dnf -y --exclude=kernel,kernel-core shell && break
config install_weak_deps false config install_weak_deps false
update update
install iptables gcc golang-go make glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs install iptables gcc golang-go make glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs container-selinux
ts run ts run
EOF EOF
done done
dnf clean all dnf clean all
# To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp.
mount -o remount,suid /tmp
# Prevent the "fatal: unsafe repository" git complain during build. # Prevent the "fatal: unsafe repository" git complain during build.
git config --global --add safe.directory /vagrant git config --global --add safe.directory /vagrant

55
tests/integration/selinux.bats Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load helpers
function setup() {
requires root # for chcon
if ! selinuxenabled; then
skip "requires SELinux enabled and in enforcing mode"
fi
setup_busybox
# Use a copy of runc binary with proper selinux label set.
cp "$RUNC" .
export RUNC="$PWD/runc"
chcon -u system_u -r object_r -t container_runtime_exec_t "$RUNC"
# Label container fs.
chcon -u system_u -r object_r -t container_file_t -R rootfs
# Save the start date and time for ausearch.
AU_DD="$(date +%x)"
AU_TT="$(date +%H:%M:%S)"
}
function teardown() {
teardown_bundle
# Show any avc denials.
if [[ -v AU_DD && -v AU_TT ]] && command -v ausearch &>/dev/null; then
ausearch -ts "$AU_DD" "$AU_TT" -i -m avc || true
fi
}
# Baseline test, to check that runc works with selinux enabled.
@test "runc run (no selinux label)" {
update_config ' .process.args = ["/bin/true"]'
runc run tst
[ "$status" -eq 0 ]
}
# https://github.com/opencontainers/runc/issues/4057
@test "runc run (custom selinux label)" {
update_config ' .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
| .process.args = ["/bin/true"]'
runc run tst
[ "$status" -eq 0 ]
}
@test "runc run (custom selinux label, RUNC_DMZ=legacy)" {
export RUNC_DMZ=legacy
update_config ' .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
| .process.args = ["/bin/true"]'
runc run tst
[ "$status" -eq 0 ]
}