We need to release the SELinux label when we destroy the sandbox

This will release the MCS Label to be used again.  Only do this if we
don't have another sandbox using the same label.

Also vendor in the latest selinux go bindings, which fixes a leak and
properly reserves the SELinux label we are going to use.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh 2017-10-25 02:35:20 +00:00
parent 7ab9c55a12
commit c2c148f18d
4 changed files with 17 additions and 3 deletions

View file

@ -19,6 +19,7 @@ import (
"github.com/kubernetes-incubator/cri-o/pkg/storage" "github.com/kubernetes-incubator/cri-o/pkg/storage"
"github.com/opencontainers/runc/libcontainer" "github.com/opencontainers/runc/libcontainer"
rspec "github.com/opencontainers/runtime-spec/specs-go" rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
"github.com/opencontainers/selinux/go-selinux/label" "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
@ -168,6 +169,7 @@ func New(config *Config) (*ContainerServer, error) {
containers: oci.NewMemoryStore(), containers: oci.NewMemoryStore(),
infraContainers: oci.NewMemoryStore(), infraContainers: oci.NewMemoryStore(),
sandboxes: make(map[string]*sandbox.Sandbox), sandboxes: make(map[string]*sandbox.Sandbox),
processLevels: make(map[string]int),
}, },
config: config, config: config,
}, nil }, nil
@ -609,6 +611,8 @@ type containerServerState struct {
containers oci.ContainerStorer containers oci.ContainerStorer
infraContainers oci.ContainerStorer infraContainers oci.ContainerStorer
sandboxes map[string]*sandbox.Sandbox sandboxes map[string]*sandbox.Sandbox
// processLevels The number of sandboxes using the same SELinux MCS level. Need to release MCS Level, when count reaches 0
processLevels map[string]int
} }
// AddContainer adds a container to the container state store // AddContainer adds a container to the container state store
@ -696,6 +700,7 @@ func (c *ContainerServer) AddSandbox(sb *sandbox.Sandbox) {
c.stateLock.Lock() c.stateLock.Lock()
defer c.stateLock.Unlock() defer c.stateLock.Unlock()
c.state.sandboxes[sb.ID()] = sb c.state.sandboxes[sb.ID()] = sb
c.state.processLevels[selinux.NewContext(sb.ProcessLabel())["level"]]++
} }
// GetSandbox returns a sandbox by its ID // GetSandbox returns a sandbox by its ID
@ -728,7 +733,14 @@ func (c *ContainerServer) HasSandbox(id string) bool {
func (c *ContainerServer) RemoveSandbox(id string) { func (c *ContainerServer) RemoveSandbox(id string) {
c.stateLock.Lock() c.stateLock.Lock()
defer c.stateLock.Unlock() defer c.stateLock.Unlock()
processLabel := c.state.sandboxes[id].ProcessLabel()
delete(c.state.sandboxes, id) delete(c.state.sandboxes, id)
level := selinux.NewContext(processLabel)["level"]
c.state.processLevels[level]--
if c.state.processLevels[level] == 0 {
label.ReleaseLabel(processLabel)
delete(c.state.processLevels, level)
}
} }
// ListSandboxes lists all sandboxes in the state store // ListSandboxes lists all sandboxes in the state store

View file

@ -10,7 +10,7 @@ github.com/ostreedev/ostree-go master
github.com/containers/storage d7921c6facc516358070a1306689eda18adaa20a github.com/containers/storage d7921c6facc516358070a1306689eda18adaa20a
github.com/containernetworking/cni v0.4.0 github.com/containernetworking/cni v0.4.0
google.golang.org/grpc v1.0.4 https://github.com/grpc/grpc-go google.golang.org/grpc v1.0.4 https://github.com/grpc/grpc-go
github.com/opencontainers/selinux v1.0.0-rc1 github.com/opencontainers/selinux b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd
github.com/opencontainers/go-digest v1.0.0-rc0 github.com/opencontainers/go-digest v1.0.0-rc0
github.com/opencontainers/runtime-tools d3f7e9e9e631c7e87552d67dc7c86de33c3fb68a github.com/opencontainers/runtime-tools d3f7e9e9e631c7e87552d67dc7c86de33c3fb68a
github.com/opencontainers/runc 45bde006ca8c90e089894508708bcf0e2cdf9e13 github.com/opencontainers/runc 45bde006ca8c90e089894508708bcf0e2cdf9e13

View file

@ -49,8 +49,10 @@ func InitLabels(options []string) (string, string, error) {
mcon[con[0]] = con[1] mcon[con[0]] = con[1]
} }
} }
_ = ReleaseLabel(processLabel)
processLabel = pcon.Get() processLabel = pcon.Get()
mountLabel = mcon.Get() mountLabel = mcon.Get()
_ = ReserveLabel(processLabel)
} }
return processLabel, mountLabel, nil return processLabel, mountLabel, nil
} }

View file

@ -213,7 +213,7 @@ func SetFileLabel(path string, label string) error {
return lsetxattr(path, xattrNameSelinux, []byte(label), 0) return lsetxattr(path, xattrNameSelinux, []byte(label), 0)
} }
// Filecon returns the SELinux label for this path or returns an error. // FileLabel returns the SELinux label for this path or returns an error.
func FileLabel(path string) (string, error) { func FileLabel(path string) (string, error) {
label, err := lgetxattr(path, xattrNameSelinux) label, err := lgetxattr(path, xattrNameSelinux)
if err != nil { if err != nil {
@ -331,7 +331,7 @@ func EnforceMode() int {
} }
/* /*
SetEnforce sets the current SELinux mode Enforcing, Permissive. SetEnforceMode sets the current SELinux mode Enforcing, Permissive.
Disabled is not valid, since this needs to be set at boot time. Disabled is not valid, since this needs to be set at boot time.
*/ */
func SetEnforceMode(mode int) error { func SetEnforceMode(mode int) error {