lsm: dump and restore any SELinux process label

There was support for SELinux process labels in CRIU but because it was never tested or verified CRIU only supported the 'unconfined_t' process label. This was basically no SELinux support. For successful container checkpoint and restore on a SELinux enabled host it is necessary that the restored container has the same process context as before checkpointing. This commit only removes the check if the label is 'unconfined_t' and now stores any process label to be restored. For 'normal' processes started from the command-line which are usually running in the 'unconfined_t' this just works. For the container use case this needs additional policies. The latest container-selinux package on Fedora has the necessary policy to allow CRIU (running as 'container_runtime_t' when used from Podman) to transition the restored process to 'container_t'. Restoring a process running under systemd's control (which means 'unconfined_service_t' without additional policies) will fail because CRIU will be not allowed to change the context of the restored process. For each additional CRIU use case on SELinux enabled systems, besides container processes and command-line/shell processes, additional SELinux policies are required to allow CRIU to do a 'dyntransition' (change the Signed-off-by: Adrian Reber <areber@redhat.com>

lsm: dump and restore any SELinux process label
There was support for SELinux process labels in CRIU but because it was never tested or verified CRIU only supported the 'unconfined_t' process label. This was basically no SELinux support. For successful container checkpoint and restore on a SELinux enabled host it is necessary that the restored container has the same process context as before checkpointing. This commit only removes the check if the label is 'unconfined_t' and now stores any process label to be restored. For 'normal' processes started from the command-line which are usually running in the 'unconfined_t' this just works. For the container use case this needs additional policies. The latest container-selinux package on Fedora has the necessary policy to allow CRIU (running as 'container_runtime_t' when used from Podman) to transition the restored process to 'container_t'. Restoring a process running under systemd's control (which means 'unconfined_service_t' without additional policies) will fail because CRIU will be not allowed to change the context of the restored process. For each additional CRIU use case on SELinux enabled systems, besides container processes and command-line/shell processes, additional SELinux policies are required to allow CRIU to do a 'dyntransition' (change the Signed-off-by: Adrian Reber <areber@redhat.com>
d9c51a70 · Adrian Reber · Andrei Vagin · fd1653b8 · d9c51a70
Commit d9c51a70 authored Mar 12, 2019 by Adrian Reber Committed by Andrei Vagin Apr 21, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 16 deletions

lsm.c criu/lsm.c +12 -16

No files found.
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -62,45 +62,41 @@ static int apparmor_get_label(pid_t pid, char **profile_name)
 static int selinux_get_label(pid_t pid, char **output)
 {
 	security_context_t ctx;
-	char *pos, *last;
+	char *pos;
 	int i;
+	int ret = -1;
 	if (getpidcon_raw(pid, &ctx) < 0) {
 		pr_perror("getting selinux profile failed");
 		return -1;
 	}
-	*output = NULL;
+	*output = xstrdup((char *)ctx);
+	if (!*output)
+		goto err;
 	/*
-	 * Since SELinux attributes can be finer grained than at the task
+	 * Make sure it is a valid SELinux label. It should look like this:
-	 * level, and we currently don't try to dump any of these other bits,
-	 * let's only allow unconfined profiles, which look something like:
 	 *
 	 *	unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 	 */
 	pos = (char*)ctx;
 	for (i = 0; i < 3; i++) {
-		last = pos;
 		pos = strstr(pos, ":");
 		if (!pos) {
 			pr_err("Invalid selinux context %s\n", (char *)ctx);
-			freecon(ctx);
+			xfree(*output);
-			return -1;
+			goto err;
 		}
 		*pos = 0;
-		if (!strstartswith(last, "unconfined_")) {
-			pr_err("Non unconfined selinux contexts not supported %s\n", last);
-			freecon(ctx);
-			return -1;
-		}
 		pos++;
 	}
-	freecon(ctx);
-	return 0;
+	ret = 0;
+err:
+	freecon(ctx);
+	return ret;
 }
 #endif