Set secontext for bind volumes in selinux enabled distros

Fixes #1882 Signed-off-by: T K Chandra Hasan <[email protected]>
lima-vm · Oct 25, 2023 · 92e3c21 · 92e3c21
1 parent 1a72344
commit 92e3c21
Show file tree

Hide file tree

Showing 4 changed files with 120 additions and 7 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -405,6 +405,17 @@ jobs:
     name: "vz"
     runs-on: macos-13
     timeout-minutes: 120
+    strategy:
+      fail-fast: false
+      matrix:
+        template:
+        - experimental/vz.yaml
+        - fedora.yaml
+        include:
+        - template: experimental/vz.yaml
+          name: default
+        - template: fedora.yaml
+          name: vz-fedora
     steps:
     - uses: actions/checkout@v4
       with:
@@ -417,12 +428,14 @@ jobs:
       with:
         path: ~/Library/Caches/lima/download
         # hashFiles do not seem to support symlinks
-        key: ${{ runner.os }}-${{ hashFiles('examples/experimental/vz.yaml') }}
+        key: ${{ runner.os }}-${{ hashFiles('examples/*.yaml') }}
     - name: Make
       run: make
     - name: Install
       run: make install
     - name: Install test dependencies
       run: brew install qemu bash coreutils
     - name: Test
-      run: ./hack/test-templates.sh templates/experimental/vz.yaml
+      env:
+        ARGS: "--vm-type vz --mount-type virtiofs --rosetta --network vzNAT --containerd none"
+      run: ./hack/test-templates.sh templates/${{ matrix.template }} ${{ matrix.name }}
diff --git a/hack/test-selinux.sh b/hack/test-selinux.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=common.inc.sh
+source "${scriptdir}/common.inc.sh"
+
+if [ "$#" -ne 1 ]; then
+	ERROR "Usage: $0 NAME"
+	exit 1
+fi
+
+NAME="$1"
+expected="context=system_u:object_r:container_file_t:s0"
+#Skip Rosetta checks for x86 GHA mac runners
+if [ "$(arch)" == "arm64" ]; then
+	INFO "Testing secontext is set for rosetta mounts"
+	got=$(limactl shell "$NAME" mount | grep "rosetta" | awk '{print $6}')
+	INFO "secontext rosetta: expected=${expected}, got=${got}"
+	if [[ $got != *$expected* ]]; then
+		ERROR "secontext for rosetta mount is not set or Invalid"
+		exit 1
+	fi
+fi
+INFO "Testing secontext is set for bind mounts"
+INFO "Checking in mounts"
+got=$(limactl shell "$NAME" mount | grep "$HOME" | awk '{print $6}')
+INFO "secontext ${HOME}: expected=${expected}, got=${got}"
+if [[ $got != *$expected* ]]; then
+	ERROR "secontext for \"$HOME\" dir is not set or Invalid"
+	exit 1
+fi
+got=$(limactl shell "$NAME" mount | grep "/tmp/lima" | awk '{print $6}')
+INFO "secontext /tmp/lima: expected=${expected}, got=${got}"
+if [[ $got != *$expected* ]]; then
+	ERROR 'secontext for "/tmp/lima" dir is not set or Invalid'
+	exit 1
+fi
+INFO "Checking in fstab file"
+expected='context="system_u:object_r:container_file_t:s0"'
+got=$(limactl shell "$NAME" cat /etc/fstab | grep "$HOME" | awk '{print $4}')
+INFO "secontext ${HOME}: expected=${expected}, got=${got}"
+if [[ $got != *$expected* ]]; then
+	ERROR "secontext for \"$HOME\" dir is not set or Invalid"
+	exit 1
+fi
+got=$(limactl shell "$NAME" cat /etc/fstab | grep "/tmp/lima" | awk '{print $4}')
+INFO "secontext /tmp/lima: expected=${expected}, got=${got}"
+if [[ $got != *$expected* ]]; then
+	ERROR 'secontext for "/tmp/lima" dir is not set or Invalid'
+	exit 1
+fi
diff --git a/hack/test-templates.sh b/hack/test-templates.sh
@@ -5,19 +5,24 @@ scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # shellcheck source=common.inc.sh
 source "${scriptdir}/common.inc.sh"
 
-if [ "$#" -ne 1 ]; then
-	ERROR "Usage: $0 FILE.yaml"
+if [ "$#" -eq 0 ]; then
+	ERROR "Usage: $0 FILE.yaml VM_NAME"
 	exit 1
 fi
 
 FILE="$1"
-NAME="$(basename -s .yaml "$FILE")"
+if [[ $# -eq 2 && $2 != "default" ]]; then
+	NAME="$2"
+else
+	NAME="$(basename -s .yaml "$FILE")"
+fi
 
 INFO "Validating \"$FILE\""
 limactl validate "$FILE"
 
 # --cpus=1 is needed for running vz on GHA: https://github.com/lima-vm/lima/pull/1511#issuecomment-1574937888
 LIMACTL_CREATE=(limactl --tty=false create --cpus=1 --memory=1)
+LIMACTL_ARGS=""
 
 CONTAINER_ENGINE="nerdctl"
 
@@ -34,6 +39,7 @@ declare -A CHECKS=(
 	["vmnet"]=""
 	["disk"]=""
 	["user-v2"]=""
+	["vz-selinux"]=""
 )
 
 case "$NAME" in
@@ -67,6 +73,12 @@ case "$NAME" in
 "docker")
 	CONTAINER_ENGINE="docker"
 	;;
+"vz-fedora")
+	WARNING "Relaxing systemd tests for vz-fedora (For avoiding CI failure)"
+	CHECKS["systemd-strict"]=
+	CHECKS["vz-selinux"]=1
+	LIMACTL_ARGS="${ARGS}"
+	;;
 esac
 
 if limactl ls -q | grep -q "$NAME"; then
@@ -109,7 +121,13 @@ if [[ -n ${CHECKS["disk"]} ]]; then
 fi
 
 set -x
-"${LIMACTL_CREATE[@]}" "$FILE"
+# shellcheck disable=SC2128
+if [ "${LIMACTL_ARGS}" == "" ]; then
+	"${LIMACTL_CREATE[@]}" "$FILE"
+else
+	# shellcheck disable=SC2086
+	"${LIMACTL_CREATE[@]}" ${LIMACTL_ARGS} --name "$NAME" "$FILE"
+fi
 set +x
 
 INFO "Starting \"$NAME\""
@@ -223,7 +241,7 @@ if [[ -n ${CHECKS["port-forwards"]} ]]; then
 	if [ "${NAME}" = "debian" ]; then
 		limactl shell "$NAME" sudo apt-get install -y netcat-openbsd
 	fi
-	if [ "${NAME}" = "fedora" ]; then
+	if [[ ${NAME} == *"fedora"* ]]; then
 		limactl shell "$NAME" sudo dnf install -y nc
 	fi
 	if [ "${NAME}" = "opensuse" ]; then
@@ -389,6 +407,10 @@ if [[ -n ${CHECKS["snapshot-offline"]} ]]; then
 	limactl start "$NAME"
 fi
 
+if [[ -n ${CHECKS["vz-selinux"]} ]]; then
+	"${scriptdir}"/test-selinux.sh "$NAME"
+fi
+
 INFO "Stopping \"$NAME\""
 limactl stop "$NAME"
 sleep 3

diff --git a/pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh b/pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -eux -o pipefail
+
+# Check if mount type is virtiofs and vm type as vz
+if ! [[ ${LIMA_CIDATA_VMTYPE} == "vz" && ${LIMA_CIDATA_MOUNTTYPE} == "virtiofs" ]]; then
+	exit 0
+fi
+
+# Update fstab entries and unmount/remount the volumes with secontext options
+# when selinux is enabled in kernel
+if [ -d /sys/fs/selinux ]; then
+	# shellcheck disable=SC2013
+	for line in $(grep -n virtiofs </etc/fstab | cut -d':' -f1); do
+		OPTIONS=$(awk -v line="$line" 'NR==line {print $4}' /etc/fstab)
+		if [[ ${OPTIONS} != *"context"* ]]; then
+			sed -i -e "$line""s/comment=cloudconfig/comment=cloudconfig,context=\"system_u:object_r:container_file_t:s0\"/g" /etc/fstab
+			TAG=$(awk -v line="$line" 'NR==line {print $1}' /etc/fstab)
+			MOUNT_POINT=$(awk -v line="$line" 'NR==line {print $2}' /etc/fstab)
+			OPTIONS=$(awk -v line="$line" 'NR==line {print $4}' /etc/fstab)
+			umount "${TAG}"
+			mount -t virtiofs "${TAG}" "${MOUNT_POINT}" -o "${OPTIONS}"
+		fi
+	done
+fi