Support changing of lsm mount context on restore

Wire through CRIU's support to change the mount context on restore. This is especially useful if restoring a container in a different pod. Single container restore uses the same SELinux process label and same mount context as during checkpointing. If a container is being restored into an existing pod the process label and the mount context needs to be changed to the context of the pod. Changing process label on restore is already supported by runc. This patch adds the possibility to change the mount context. Signed-off-by: Adrian Reber <areber@redhat.com>
opencontainers · Jul 21, 2021 · 712fc9c · 712fc9c
1 parent 6a25c6e
commit 712fc9c
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 0 deletions.
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
@@ -1344,6 +1344,12 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
 		}
 		req.Opts.LsmProfile = proto.String(criuOpts.LsmProfile)
 	}
+	if criuOpts.LsmMountContext != "" {
+		if err := c.checkCriuVersion(31600); err != nil {
+			return errors.New("--lsm-mount-context requires at least CRIU 3.16")
+		}
+		req.Opts.LsmMountContext = proto.String(criuOpts.LsmMountContext)
+	}
 
 	if criuOpts.WorkDirectory != "" {
 		// Since a container can be C/R'ed multiple times,

diff --git a/libcontainer/criu_opts_linux.go b/libcontainer/criu_opts_linux.go
@@ -30,4 +30,5 @@ type CriuOpts struct {
 	LazyPages               bool               // restore memory pages lazily using userfaultfd
 	StatusFd                int                // fd for feedback when lazy server is ready
 	LsmProfile              string             // LSM profile used to restore the container
+	LsmMountContext         string             // LSM mount context value to use during restore
 }
diff --git a/man/runc-restore.8.md b/man/runc-restore.8.md
@@ -74,6 +74,14 @@ daemon. See [criu --lazy-pages option](https://criu.org/CLI/opt/--lazy-pages).
 : Specify an LSM profile to be used during restore. Here _type_ can either be
 **apparamor** or **selinux**, and _label_ is a valid LSM label. For example,
 **--lsm-profile "selinux:system_u:system_r:container_t:s0:c82,c137"**.
+By default, the checkpointed LSM profile is used upon restore.
+
+**--lsm-mount-context** _context_
+: Specify an LSM mount context to be used during restore. Only mounts with an
+existing context will have their context replaced. With this option it is
+possible to change SELinux mount options. Instead of mounting with the
+checkpointed context, the specified _context_ will be used.
+For example, **--lsm-mount-context "system_u:object_r:container_file_t:s0:c82,c137"**.
 
 # SEE ALSO
 **criu**(8),

diff --git a/restore.go b/restore.go
@@ -96,6 +96,11 @@ using the runc checkpoint command.`,
 			Value: "",
 			Usage: "Specify an LSM profile to be used during restore in the form of TYPE:NAME.",
 		},
+		cli.StringFlag{
+			Name:  "lsm-mount-context",
+			Value: "",
+			Usage: "Specify an LSM mount context to be used during restore.",
+		},
 	},
 	Action: func(context *cli.Context) error {
 		if err := checkArgs(context, 1, exactArgs); err != nil {
@@ -145,5 +150,6 @@ func criuOptions(context *cli.Context) *libcontainer.CriuOpts {
 		LazyPages:               context.Bool("lazy-pages"),
 		StatusFd:                context.Int("status-fd"),
 		LsmProfile:              context.String("lsm-profile"),
+		LsmMountContext:         context.String("lsm-mount-context"),
 	}
 }