

Set secontext for bind volumes in selinux enabled distros
Fixes #1882

Signed-off-by: T K Chandra Hasan <[email protected]>
hasan4791 committed Oct 26, 2023
1 parent 1a72344 commit f8ff938
Showing 4 changed files with 101 additions and 4 deletions.
12 changes: 10 additions & 2 deletions .github/workflows/test.yml
Expand Up @@ -405,6 +405,12 @@ jobs:
name: "vz"
runs-on: macos-13
timeout-minutes: 120
strategy:
fail-fast: false
matrix:
template:
- experimental/vz.yaml
- fedora.yaml
steps:
- uses: actions/checkout@v4
with:
Expand All @@ -417,12 +423,14 @@ jobs:
with:
path: ~/Library/Caches/lima/download
# hashFiles do not seem to support symlinks
key: ${{ runner.os }}-${{ hashFiles('examples/experimental/vz.yaml') }}
key: ${{ runner.os }}-${{ hashFiles('examples/*.yaml') }}
- name: Make
run: make
- name: Install
run: make install
- name: Install test dependencies
run: brew install qemu bash coreutils
- name: Test
run: ./hack/test-templates.sh templates/experimental/vz.yaml
env:
LIMACTL_CREATE_ARGS: "--vm-type vz --mount-type virtiofs --rosetta --network vzNAT"
run: ./hack/test-templates.sh templates/${{ matrix.template }}
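Review bot: The new cache key on the `key:` line hashes `examples/*.yaml`, which matches only the top-level template directory, so edits to `examples/experimental/vz.yaml` — the file the old key tracked — no longer invalidate the download cache for the `experimental/vz.yaml` entry of the matrix. If both matrix entries are meant to be covered, pass both patterns: `key: ${{ runner.os }}-${{ hashFiles('examples/*.yaml', 'examples/experimental/*.yaml') }}`. The existing symlink comment still explains why `examples/` rather than `templates/` is hashed while the `run:` line uses `templates/`; a half-sentence there saying so would save the next reader the question.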
53 changes: 53 additions & 0 deletions hack/test-selinux.sh
@@ -0,0 +1,53 @@
#!/usr/bin/env bash

set -eu -o pipefail

scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=common.inc.sh
source "${scriptdir}/common.inc.sh"

if [ "$#" -ne 1 ]; then
ERROR "Usage: $0 NAME"
exit 1
fi

NAME="$1"
expected="context=system_u:object_r:container_file_t:s0"
#Skip Rosetta checks for x86 GHA mac runners
if [ "$(arch)" == "arm64" ]; then
INFO "Testing secontext is set for rosetta mounts"
got=$(limactl shell "$NAME" mount | grep "rosetta" | awk '{print $6}')
INFO "secontext rosetta: expected=${expected}, got=${got}"
if [[ $got != *$expected* ]]; then
ERROR "secontext for rosetta mount is not set or Invalid"
exit 1
fi
fi
INFO "Testing secontext is set for bind mounts"
INFO "Checking in mounts"
got=$(limactl shell "$NAME" mount | grep "$HOME" | awk '{print $6}')
INFO "secontext ${HOME}: expected=${expected}, got=${got}"
if [[ $got != *$expected* ]]; then
ERROR "secontext for \"$HOME\" dir is not set or Invalid"
exit 1
fi
got=$(limactl shell "$NAME" mount | grep "/tmp/lima" | awk '{print $6}')
INFO "secontext /tmp/lima: expected=${expected}, got=${got}"
if [[ $got != *$expected* ]]; then
ERROR 'secontext for "/tmp/lima" dir is not set or Invalid'
exit 1
fi
INFO "Checking in fstab file"
expected='context="system_u:object_r:container_file_t:s0"'
got=$(limactl shell "$NAME" cat /etc/fstab | grep "$HOME" | awk '{print $4}')
INFO "secontext ${HOME}: expected=${expected}, got=${got}"
if [[ $got != *$expected* ]]; then
ERROR "secontext for \"$HOME\" dir is not set or Invalid"
exit 1
fi
got=$(limactl shell "$NAME" cat /etc/fstab | grep "/tmp/lima" | awk '{print $4}')
INFO "secontext /tmp/lima: expected=${expected}, got=${got}"
if [[ $got != *$expected* ]]; then
ERROR 'secontext for "/tmp/lima" dir is not set or Invalid'
exit 1
fi
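Review bot: Each `got=$(… | grep … | awk …)` assignment (the rosetta, `$HOME` and `/tmp/lima` checks against both `mount` and `/etc/fstab`) aborts the script under `set -e -o pipefail` when grep finds no matching line, so a missing mount or fstab entry exits 1 before the ERROR line naming the failing check is printed; appending a fallback, e.g. `got=$(limactl shell "$NAME" mount | grep "$HOME" | awk '{print $6}') || got=""`, keeps the diagnostic. `grep "$HOME"` also treats the path as a regex and may match several mount lines, and the `*$expected*` pattern test then passes as long as any one of them carries the context; `grep -F -- "$HOME"` and a per-line comparison would make the check strict. The `[ "$(arch)" == "arm64" ]` test mixes the bash `==` into single brackets while the rest of the file uses `[[ … ]]`; `[[ "$(arch)" == "arm64" ]]` is consistent with it.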
15 changes: 13 additions & 2 deletions hack/test-templates.sh
Expand Up @@ -109,8 +109,15 @@ if [[ -n ${CHECKS["disk"]} ]]; then
fi

set -x
"${LIMACTL_CREATE[@]}" "$FILE"
set +u
if [ -z "${LIMACTL_CREATE_ARGS}" ]; then
"${LIMACTL_CREATE[@]}" "$FILE"
else
# shellcheck disable=SC2086
"${LIMACTL_CREATE[@]}" ${LIMACTL_CREATE_ARGS} "$FILE"
fi
set +x
set -u

INFO "Starting \"$NAME\""
set -x
Expand Down Expand Up @@ -223,7 +230,7 @@ if [[ -n ${CHECKS["port-forwards"]} ]]; then
if [ "${NAME}" = "debian" ]; then
limactl shell "$NAME" sudo apt-get install -y netcat-openbsd
fi
if [ "${NAME}" = "fedora" ]; then
if [[ ${NAME} == *"fedora"* ]]; then
limactl shell "$NAME" sudo dnf install -y nc
fi
if [ "${NAME}" = "opensuse" ]; then
Expand Down Expand Up @@ -389,6 +396,10 @@ if [[ -n ${CHECKS["snapshot-offline"]} ]]; then
limactl start "$NAME"
fi

if [[ $NAME == "fedora" && "$(limactl ls --json "$NAME" | jq -r .vmType)" == "vz" ]]; then
"${scriptdir}"/test-selinux.sh "$NAME"
fi

INFO "Stopping \"$NAME\""
limactl stop "$NAME"
sleep 3
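Review bot: The guard added before the `test-selinux.sh` call compares `$NAME` exactly with `"fedora"`, while the port-forwards hunk of the same commit loosens its check to `[[ ${NAME} == *"fedora"* ]]`, which suggests the instance name is not always exactly `fedora`; if so, the SELinux test silently never runs for the other names, and `[[ $NAME == *"fedora"* && "$(limactl ls --json "$NAME" | jq -r .vmType)" == "vz" ]]` would keep the two checks consistent. In the first hunk, the `set +u … set -u` toggling around the create call can be dropped with a default expansion, `if [ -z "${LIMACTL_CREATE_ARGS:-}" ]; then`, so `-u` stays in force for the whole script; the unquoted `${LIMACTL_CREATE_ARGS}` is word-split and glob-expanded, so a comment that values containing spaces or globs are not supported would document the SC2086 waiver. The enclosing script continues outside all three hunks.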
25 changes: 25 additions & 0 deletions pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh
@@ -0,0 +1,25 @@
#!/bin/bash

set -eux -o pipefail

# Check if mount type is virtiofs and vm type as vz
if ! [[ ${LIMA_CIDATA_VMTYPE} == "vz" && ${LIMA_CIDATA_MOUNTTYPE} == "virtiofs" ]]; then
exit 0
fi

# Update fstab entries and unmount/remount the volumes with secontext options
# when selinux is enabled in kernel
if [ -d /sys/fs/selinux ]; then
# shellcheck disable=SC2013
for line in $(grep -n virtiofs </etc/fstab | cut -d':' -f1); do
OPTIONS=$(awk -v line="$line" 'NR==line {print $4}' /etc/fstab)
if [[ ${OPTIONS} != *"context"* ]]; then
sed -i -e "$line""s/comment=cloudconfig/comment=cloudconfig,context=\"system_u:object_r:container_file_t:s0\"/g" /etc/fstab
TAG=$(awk -v line="$line" 'NR==line {print $1}' /etc/fstab)
MOUNT_POINT=$(awk -v line="$line" 'NR==line {print $2}' /etc/fstab)
OPTIONS=$(awk -v line="$line" 'NR==line {print $4}' /etc/fstab)
umount "${TAG}"
mount -t virtiofs "${TAG}" "${MOUNT_POINT}" -o "${OPTIONS}"
fi
done
fi
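Review bot: The loop on the `for line in $(grep -n virtiofs …)` line selects every fstab line containing the string `virtiofs` anywhere (a comment, a tag or a mount point with that substring would match), and the `sed` only inserts the context when the option field already contains `comment=cloudconfig`; when it does not, the volume is unmounted and remounted with unchanged options and the label is silently not applied. Selecting on the type field, `for line in $(awk '$3 == "virtiofs" {print NR}' /etc/fstab); do`, and unmounting by mount point, `umount "${MOUNT_POINT}"`, removes the first ambiguity and the reliance on the tag being unique in the mount table; for the second, testing that the re-read `OPTIONS` now contains `context=` before remounting, and logging an error otherwise, makes the failure visible in the boot log. A header comment explaining why `container_file_t` is chosen — it is the type confined container domains are allowed to read and write, so every file under the bind mount becomes reachable from such containers — would record the intent behind the fix for later readers. The `-d /sys/fs/selinux` test presumably also holds on permissive or disabled-at-boot kernels; that seems harmless here since only a mount option is added, but a comment saying so is worth a line.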
