Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libpod: leave thread locked on errors #12404

Merged
merged 1 commit into from
Nov 24, 2021
Merged

libpod: leave thread locked on errors #12404

merged 1 commit into from
Nov 24, 2021

Conversation

giuseppe
Copy link
Member

if the SELinux label could not be restored correctly, leave the OS
thread locked so that it is terminated once it returns to the threads
pool.

[NO NEW TESTS NEEDED] the failure is hard to reproduce

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

@giuseppe
libpod: leave thread locked on errors
c7ebaee 
if the SELinux label could not be restored correctly, leave the OS
thread locked so that it is terminated once it returns to the threads
pool.

[NO NEW TESTS NEEDED] the failure is hard to reproduce

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 24, 2021
@giuseppe giuseppe mentioned this pull request Nov 24, 2021
Merged
@adrianreber
Copy link
Collaborator

Sounds very reasonable to me. LGTM.

flouthoc
flouthoc approved these changes Nov 24, 2021
View reviewed changes
Copy link
Collaborator

@flouthoc flouthoc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 24, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: flouthoc, giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rhatdan
Copy link
Member

rhatdan commented Nov 24, 2021

I am not sure what this buys you, but there is other code in oci-conmon-linux that this should apply to also.
SetProcessLabel.

@giuseppe
Copy link
Member Author

If we unlock the thread on errors then it keeps running with the wrong label and we don't what other tasks it will be running

@Luap99
Copy link
Member

Luap99 commented Nov 24, 2021

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 24, 2021
@openshift-merge-robot openshift-merge-robot merged commit 9313854 into containers:main Nov 24, 2021
@rhatdan
Copy link
Member

rhatdan commented Nov 24, 2021

The second call is just setting back the default label, it does only effects any new sockets that get created. If the "" call fails, then Podman will continue creating sockets with the label of the previous container.
In both SELinux calls, we are setting the label for future sockets or future processes. Calling with "" tells the kernel to remove the transition rules, meaning sockets and fork/exec processes will get set with the current process label. (I'm simplifying it for clarity).

@rhatdan
Copy link
Member

rhatdan commented Nov 24, 2021

BTW the chance of "" failing and "...container_t..." succeeded is just about impossible.

@giuseppe
Copy link
Member Author

The second call is just setting back the default label, it does only effects any new sockets that get created. If the "" call fails, then Podman will continue creating sockets with the label of the previous container.
In both SELinux calls, we are setting the label for future sockets or future processes. Calling with "" tells the kernel to remove the transition rules, meaning sockets and fork/exec processes will get set with the current process label. (I'm simplifying it for clarity).

if we fail to set it back to "" in CheckpointContainer, won't it be kept as the default label for the thread, so every new process created by that thread will inherit it (e.g., common, slirp4netns) and create sockets with that label? I think it would cause the same issues we've seen in #12388 since the thread will be scheduled to take care of other goroutines.

@rhatdan
Copy link
Member

rhatdan commented Nov 24, 2021

Sadly these are not thread settings, but process settings. So we only want to set them right before we exec and then setting it back to default right afterwards. we don't set the label confined label on slirp4netns or on conmon.

 $ ps -eZ | grep slirp
unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 682337 pts/2 00:00:00 slirp4netns
$ ps -eZ | grep conmon
unconfined_u:system_r:container_runtime_t:s0 682340 ? 00:00:00 conmon
$ ps -eZ | grep top
system_u:system_r:container_t:s0:c121,c653 682349 ? 00:00:00 top

The labels are not set for the ociruntime either, the OCI runtimes set the label just for the container.
Other tools like conmon and slirp4netns and crun need a lot more privs then we give to the container.

@giuseppe
Copy link
Member Author

Sadly these are not thread settings, but process settings.

if that is the case, then don't we need to fork+exec each time we want to set any of those? runtime.LockOSThread only prevents the current OS thread to be re-used by other goroutines while it is locked, but it doesn't prevent other threads from running.

How can we prevent other threads for using the wrong label while it is set?

we don't set the label confined label on slirp4netns or on conmon.

right. But if we fail to reset to the default label, then they will inherit the one we set.

@giuseppe
Copy link
Member Author

Sadly these are not thread settings, but process settings.

one good news: selinux.Set*Label uses /proc/thread-self/attr instead of /proc/self and it seems to affect only the calling thread.

I've tested it with this program:

package main

import (
	"time"
	"runtime"
	"io/ioutil"

	"github.com/opencontainers/selinux/go-selinux/label"
)

func main() {
	runtime.LockOSThread()
	if err := label.SetFileCreateLabel("system_u:system_r:container_t:s0:c285,c463"); err != nil {
		panic(err)
	}

	if err := ioutil.WriteFile("file", []byte(""), 600); err != nil {
		panic(err)
	}

	go func() {
		ioutil.WriteFile("file-2", []byte(""), 600)		
	}()
	
	time.Sleep(time.Second)
}

and I get:

$ go build && ./test && ls -1Z file*
system_u:system_r:container_t:s0:c285,c463 file
       unconfined_u:object_r:user_tmp_t:s0 file-2

I can confirm it by reading all the /proc/$PID/task/$TID/attr/ files and they are different per-thread.

@rhatdan
Copy link
Member

rhatdan commented Nov 29, 2021

Great, I thought this was per process but having it per thread is much better.

@edsantiago edsantiago mentioned this pull request Dec 6, 2021
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@flouthoc flouthoc flouthoc approved these changes

Assignees

@Luap99 Luap99

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@giuseppe @adrianreber @rhatdan @Luap99 @flouthoc @openshift-merge-robot