From 712fc9c01b117318323c5da1cb7c81cbdbca7882 Mon Sep 17 00:00:00 2001
From: Adrian Reber
Date: Tue, 29 Jun 2021 15:31:25 +0000
Subject: [PATCH] Support changing of lsm mount context on restore

Wire through CRIU's support to change the mount context on restore. This is especially useful if restoring a container in a different pod.

Single container restore uses the same SELinux process label and same mount context as during checkpointing. If a container is being restored into an existing pod the process label and the mount context needs to be changed to the context of the pod.

Changing process label on restore is already supported by runc. This patch adds the possibility to change the mount context.

Signed-off-by: Adrian Reber
---
 libcontainer/container_linux.go | 6 ++++++
 libcontainer/criu_opts_linux.go | 1 +
 man/runc-restore.8.md           | 8 ++++++++
 restore.go                      | 6 ++++++
 4 files changed, 21 insertions(+)

diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 19a82bbf6f6..7c1723318f8 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1344,6 +1344,12 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
 		}
 		req.Opts.LsmProfile = proto.String(criuOpts.LsmProfile)
 	}
+	if criuOpts.LsmMountContext != "" {
+		if err := c.checkCriuVersion(31600); err != nil {
+			return errors.New("--lsm-mount-context requires at least CRIU 3.16")
+		}
+		req.Opts.LsmMountContext = proto.String(criuOpts.LsmMountContext)
+	}
 
 	if criuOpts.WorkDirectory != "" {
 		// Since a container can be C/R'ed multiple times,
diff --git a/libcontainer/criu_opts_linux.go b/libcontainer/criu_opts_linux.go
index 0db43e74e8a..b39476ef352 100644
--- a/libcontainer/criu_opts_linux.go
+++ b/libcontainer/criu_opts_linux.go
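Review bot: The `errors.New` in the new version gate discards the error returned by `c.checkCriuVersion(31600)`, so if that helper fails for any reason other than an old CRIU (it presumably has to locate and run the criu binary, which the hunk does not show), the operator is told to upgrade CRIU instead of seeing the real cause; `return fmt.Errorf("--lsm-mount-context requires at least CRIU 3.16: %w", err)` would preserve it, assuming `fmt` is already imported in this file. The `--lsm-profile` block directly above makes the same choice, so if you keep this form for consistency, a why-comment would still help: `// CRIU accepts --lsm-mount-context only since 3.16; older versions silently ignore or reject it.` It is also worth a comment that the context string is forwarded to CRIU unvalidated and, per the man page text in this patch, only applied to mounts that already carry a context, so a typo in a long MLS range is only caught at restore time. Restore's body continues outside the hunk on both sides.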
@@ -30,4 +30,5 @@ type CriuOpts struct {
 	LazyPages       bool   // restore memory pages lazily using userfaultfd
 	StatusFd        int    // fd for feedback when lazy server is ready
 	LsmProfile      string // LSM profile used to restore the container
+	LsmMountContext string // LSM mount context value to use during restore
 }
diff --git a/man/runc-restore.8.md b/man/runc-restore.8.md
index f49aa62b7df..a2b3da6c6fa 100644
--- a/man/runc-restore.8.md
+++ b/man/runc-restore.8.md
@@ -74,6 +74,14 @@ daemon. See [criu --lazy-pages option](https://criu.org/CLI/opt/--lazy-pages).
 : Specify an LSM profile to be used during restore. Here _type_ can either be
 **apparamor** or **selinux**, and _label_ is a valid LSM label. For example,
 **--lsm-profile "selinux:system_u:system_r:container_t:s0:c82,c137"**.
+By default, the checkpointed LSM profile is used upon restore.
+
+**--lsm-mount-context** _context_
+: Specify an LSM mount context to be used during restore. Only mounts with an
+existing context will have their context replaced. With this option it is
+possible to change SELinux mount options. Instead of mounting with the
+checkpointed context, the specified _context_ will be used.
+For example, **--lsm-mount-context "system_u:object_r:container_file_t:s0:c82,c137"**.
 
 # SEE ALSO
 **criu**(8),
diff --git a/restore.go b/restore.go
index f7081e4cf5f..05cececafa8 100644
--- a/restore.go
+++ b/restore.go
@@ -96,6 +96,11 @@ using the runc checkpoint command.`,
 			Value: "",
 			Usage: "Specify an LSM profile to be used during restore in the form of TYPE:NAME.",
 		},
+		cli.StringFlag{
+			Name:  "lsm-mount-context",
+			Value: "",
+			Usage: "Specify an LSM mount context to be used during restore.",
+		},
 	},
 	Action: func(context *cli.Context) error {
 		if err := checkArgs(context, 1, exactArgs); err != nil {
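Review bot: The new field's comment, `LSM mount context value to use during restore`, leaves out the constraints a library consumer of `CriuOpts` needs: per the man page text in this same patch the option appears to be SELinux-specific and only replaces the context of mounts that already have one, and container_linux.go rejects it on CRIU older than 3.16. Suggest `LsmMountContext string // SELinux mount context applied on restore to mounts that already carry one; requires CRIU >= 3.16` so the constraint is visible at the API surface rather than only in the CLI man page. The struct's opening line is outside the hunk; only its closing brace is visible.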
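Review bot: The `Usage` string for the new flag, `Specify an LSM mount context to be used during restore.`, gives no hint of the expected value format, whereas the neighbouring `--lsm-profile` usage spells out `TYPE:NAME`; since this flag takes a bare file context rather than a `type:label` pair, an operator copying the `--lsm-profile` syntax gets a value that runc forwards unchecked and CRIU only rejects at restore time. Suggest `Usage: "Specify an LSM mount context (e.g. system_u:object_r:container_file_t:s0:c82,c137) to be used during restore; requires CRIU 3.16 or newer.",` mirroring the example the man page in this patch uses. The flag list continues outside the hunk on both sides.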
@@ -145,5 +150,6 @@ func criuOptions(context *cli.Context) *libcontainer.CriuOpts {
 		LazyPages:       context.Bool("lazy-pages"),
 		StatusFd:        context.Int("status-fd"),
 		LsmProfile:      context.String("lsm-profile"),
+		LsmMountContext: context.String("lsm-mount-context"),
 	}
 }