Support selinux options/label

[miaoyq]

Support selinux optios/label

Signed-off-by: Yanqiang Miao [email protected]

/cc @Random-Liu

[Random-Liu]

@miaoyq Thanks! We do need this, but haven't got time to work on it. Will review it.

[Random-Liu]

Also assign @mikebrow because he's recently working on security related stuff. :)

[Random-Liu]

@miaoyq Do you have a selinux environment? Have you tested this? :)

[miaoyq]

@Random-Liu Not yet:pensive:, I will add this part

[mikebrow]

I'm rooting for ya!

[crosbymichael]

I think the approach is good.

Labels should be generated on the CRI side because you will have to make sure the mount labels match up for various containers in a pod.

I'll add a couple of helper Opts in containerd for setting the labels but I think this is the right approach by generating them here.

[Random-Liu]

Use golang.org/x/sys/unix and move this to the first group, syscall is deprecated.

[Random-Liu]

also include mountlabel in the error message.

[Random-Liu]

nit: Create a local variable for securityContext.GetSelinuxOptions(), so that we could make the next line shorter. :p

[Random-Liu]

Please add unit test for this. Basically, just set selinux options, and check whether ProcessSelinuxLabel and LinuxMountLabel are set correctly.

We don't need to add SelinuxRelabel for any mount, so that Relabel won't be actually run in the unit test.

[miaoyq]

@Random-Liu I have tried to add unit test for this, but the result of test depends on whether
selinux have been enabled, see https://github.com/opencontainers/selinux/blob/4a2974bf1ee960774ffd517717f1f45325af0206/go-selinux/label/label_selinux.go#L28.

[miaoyq]

@Random-Liu I have add the unit test with build tag selinux.

[Random-Liu]

I think we should also set this for privileged container, let's keep it consistent with docker. https://github.com/moby/moby/blob/master/daemon/oci_linux.go#L831-L834

[Random-Liu]

nit: Move this down.

[Random-Liu]

And this seems cleaner https://github.com/opencontainers/selinux/blob/63bd19516561f1973f86c9f777b263ee1e0db140/go-selinux/selinux.go#L572

label.InitLabels(label.DupSecOpt("user:role:type:level")).

[Random-Liu]

nit: unnecessary empty line.

[Random-Liu]

nit: ditto.

[Random-Liu]

@miaoyq Please rebase the PR and address comments.

We don't have selinux test and test environment for CRI validation test.
We do have cluster e2e test for it, but we are not running them in any of our own environment https://github.com/kubernetes/kubernetes/blob/master/test/e2e/node/security_context.go#L98-L108.

If possible, could you try to verify this in a selinux environment? If it's hard for you, please file an issue, and we could get back to verify this later.

[miaoyq]

@Random-Liu Thanks for review!
Sorry for my late reply, I was busy with other things.
Now I'm free. I'll rebase the PR and address comments.
It's hard for you to verify this actually, but I have built a selinux environment, if it is not urgent, I would like to complete this verification with your guidance. :-)

[Random-Liu]

@miaoyq Thanks! Feel free to comment, file issue or ping me if you encountered any problem on that distro.

[miaoyq]

@Random-Liu OK, I will, thanks!

[miaoyq]

@Random-Liu Rebased and addressed comments, PTAL

[Random-Liu]

LGTM. @miaoyq Please help validate this after merged. Thanks! :)