Skip to content

Commit

Permalink
fix: selinux handling and apparmor tests
Browse files Browse the repository at this point in the history
Conditionally mount selinuxfs only if it's present.

Fix AppArmor tests, `apparmor` and other minor LSM's and set
`apparmor=1`.

Signed-off-by: Noel Georgi <git@frezbo.dev>
  • Loading branch information
frezbo committed Nov 7, 2024
1 parent 313bffa commit 1800f81
Show file tree
Hide file tree
Showing 7 changed files with 29 additions and 8 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ ZSTD_COMPRESSION_LEVEL ?= 18
CI_RELEASE_TAG := $(shell git log --oneline --format=%B -n 1 HEAD^2 -- 2>/dev/null | head -n 1 | sed -r "/^release\(.*\)/ s/^release\((.*)\):.*$$/\\1/; t; Q")

ARTIFACTS := _out
TOOLS ?= ghcr.io/siderolabs/tools:v1.9.0-alpha.0-5-g63ecd80
TOOLS ?= ghcr.io/siderolabs/tools:v1.9.0-alpha.0-7-g3750064

DEBUG_TOOLS_SOURCE := scratch

Expand Down
4 changes: 3 additions & 1 deletion hack/test/e2e-qemu.sh
Original file line number Diff line number Diff line change
Expand Up @@ -183,10 +183,12 @@ case "${WITH_APPARMOR_LSM_ENABLED:-false}" in
machine:
install:
extraKernelArgs:
- security=apparmor
- lsm=lockdown,capability,yama,apparmor,bpf
- apparmor=1
EOF

QEMU_FLAGS+=("--config-patch=@${TMP}/kernel-security.patch")
QEMU_FLAGS+=("--extra-boot-kernel-args=-selinux")
;;
esac

Expand Down
8 changes: 7 additions & 1 deletion internal/integration/k8s/apparmor.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ import (
"time"

"github.com/siderolabs/talos/internal/integration/base"
"github.com/siderolabs/talos/pkg/machinery/client"
"github.com/siderolabs/talos/pkg/machinery/config/machine"
)

// ApparmorSuite verifies that a pod with apparmor security context with `RuntimeDefault` works.
Expand Down Expand Up @@ -42,7 +44,11 @@ func (suite *ApparmorSuite) TestApparmor() {
ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
suite.T().Cleanup(cancel)

reader, err := suite.Client.Read(ctx, "/sys/kernel/security/lsm")
node := suite.RandomDiscoveredNodeInternalIP(machine.TypeWorker)

nodeCtx := client.WithNodes(ctx, node)

reader, err := suite.Client.Read(nodeCtx, "/sys/kernel/security/lsm")
suite.Require().NoError(err)

// read from reader into a buffer
Expand Down
6 changes: 5 additions & 1 deletion internal/pkg/install/install.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ import (
"github.com/siderolabs/talos/internal/pkg/containers/image"
"github.com/siderolabs/talos/internal/pkg/environment"
"github.com/siderolabs/talos/internal/pkg/extensions"
"github.com/siderolabs/talos/internal/pkg/selinux"
machineapi "github.com/siderolabs/talos/pkg/machinery/api/machine"
configcore "github.com/siderolabs/talos/pkg/machinery/config"
"github.com/siderolabs/talos/pkg/machinery/config/config"
Expand Down Expand Up @@ -206,13 +207,16 @@ func RunInstallerContainer(disk, platform, ref string, cfg configcore.Config, cf
oci.WithReadonlyPaths(nil),
oci.WithWriteableSysfs,
oci.WithWriteableCgroupfs,
oci.WithSelinuxLabel(constants.SelinuxLabelInstaller),
oci.WithApparmorProfile(""),
oci.WithSeccompUnconfined,
oci.WithAllDevicesAllowed,
oci.WithEnv(environment.Get(cfg)),
}

if selinux.IsEnabled() {
specOpts = append(specOpts, oci.WithSelinuxLabel(constants.SelinuxLabelInstaller))
}

containerOpts := []containerd.NewContainerOpts{
containerd.WithImage(img),
containerd.WithNewSnapshot(containerID, img),
Expand Down
8 changes: 7 additions & 1 deletion internal/pkg/mount/v2/pseudo.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,6 @@ func PseudoSubMountPoints() Points {
NewPoint("bpf", "/sys/fs/bpf", "bpf"),
NewPoint("securityfs", "/sys/kernel/security", "securityfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV|unix.MS_RELATIME)),
NewPoint("tracefs", "/sys/kernel/tracing", "tracefs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV)),
NewPoint("selinuxfs", "/sys/fs/selinux", "selinuxfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME)),
}

if _, err := os.Stat(constants.EFIVarsMountPoint); err == nil {
Expand All @@ -43,5 +42,12 @@ func PseudoSubMountPoints() Points {
)
}

if _, err := os.Stat("/sys/fs/selinux"); err == nil {
// mount selinuxfs if it exists
points = append(points,
NewPoint("selinuxfs", "/sys/fs/selinux", "selinuxfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME)),
)
}

return points
}
2 changes: 1 addition & 1 deletion pkg/imager/imager.go
Original file line number Diff line number Diff line change
Expand Up @@ -351,7 +351,7 @@ func (i *Imager) buildCmdline() error {

if quirks.New(i.prof.Version).SupportsSELinux() {
// Talos 1.9 introduces SELinux in permissive mode
cmdline.Append("selinux", "1")
cmdline.Append(constants.KernelParamSELinux, "1")
}

// board kernel args
Expand Down
7 changes: 5 additions & 2 deletions pkg/provision/providers/qemu/node.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,11 +85,14 @@ func (p *provisioner) createNode(state *vm.State, clusterReq provision.ClusterRe
cmdline.Append("talos.platform", constants.PlatformMetal)

// SELinux
cmdline.Append("selinux", "1")
cmdline.Append(constants.KernelParamSELinux, "1")

// add overrides
if nodeReq.ExtraKernelArgs != nil {
if err = cmdline.AppendAll(nodeReq.ExtraKernelArgs.Strings()); err != nil {
if err = cmdline.AppendAll(
nodeReq.ExtraKernelArgs.Strings(),
procfs.WithDeleteNegatedArgs(),
); err != nil {
return provision.NodeInfo{}, err
}
}
Expand Down

0 comments on commit 1800f81

Please sign in to comment.