-
Notifications
You must be signed in to change notification settings - Fork 585
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
restore: support restoring threads with SELinux #657
restore: support restoring threads with SELinux #657
Conversation
This is a follow-up to #648 The main problem with #648 is that SELinux only partially supports changing the process context of a threaded process. According to the manpage:
For my current use case (getting Podman checkpoint/restore with SELinux working) this pull request works with the following two policies:
The first line is to enable the restorer to write to the log-file and should not be a problem. The second line could be a bit more problematic, but is is necessary so that each thread can write to The approach in this PR only works if all threads are using the same process context, but if it is not possible to change the context of a single thread during restore, it is also not possible to have a container with threads running with different process context. So the restore is limited, but only in the same way the original process startup is limited. In parallel I am having the discussion if the approach in this PR with the necessary policy changes can be implemented in the corresponding selinux policy. CC: @tych0 (just FYI, it's complicated 😉) |
Restoring a multi-threaded process with CRIU's SELinux support fails because SELinux does not always support changing the process context of a multi-threaded process. Reading the man-page for setcon(), to change the context of a running process, it states that changing the SELinux context of a multi-threaded process can only work 'if the new security context is bounded by the old security context'. To be able to restore a process without the need to have 'the new security context [] bounded by the old security context', this sets the SELinux process context before creating the threads. Thus all threads are created with the process context of the main process. Signed-off-by: Adrian Reber <areber@redhat.com>
6ab133d
to
32abe2d
Compare
The feedback I got so far from SELinux experts is that setting the process context of threads is only possible if the security context is bounded and this cannot change. On Fedora bounded security context are rarely used at all. So this approach to set the process context before creating the threads seems to be the right thing to do and the additional policies, especially the one to write to ns_last_pid, are acceptable. |
The necessary policy to label ns_last_pid correctly has been merged into Fedora's SELinux policy package: fedora-selinux/selinux-policy@f1ba302 There should also soon be a new container-selinux package which actually allows CRIU to write to ns_last_pid from threads. @avagin: From my side everything is ready for 3.12. |
Restoring a multi-threaded process with CRIU's SELinux support fails
because SELinux does not always support changing the process context of
a multi-threaded process.
Reading the man-page for setcon(), to change the context of a running
process, it states that changing the SELinux context of a multi-threaded
process can only work 'if the new security context is bounded by the old
security context'.
To be able to restore a process without the need to have 'the new
security context [] bounded by the old security context', this sets the
SELinux process context before creating the threads. Thus all threads
are created with the process context of the main process.
Signed-off-by: Adrian Reber areber@redhat.com