Merge pull request #4220 from cyphar/runc-dmz-no-selinux-magic

dmz: remove SELinux special-casing

Author: AkihiroSuda

.cirrus.yml

@@ -159,17 +159,6 @@ task:
     echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config
     sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
     systemctl restart sshd
-
-    # Disable the dmz-vs-selinux workaround for distros that have
-    # container-selinux >= 2.224.0 (CentOS 7 does not have it).
-    case $DISTRO in
-    centos-7)
-      # Do nothing.
-      ;;
-    *)
-      echo 'export EXTRA_BUILDTAGS=runc_dmz_selinux_nocompat' >> /root/.bashrc
-      ;;
-    esac
   host_info_script: |
     uname -a
     # -----

README.md

@@ -69,7 +69,6 @@ make BUILDTAGS=""
 |---------------|---------------------------------------|--------------------|---------------------|
 | `seccomp`     | Syscall filtering using `libseccomp`. | yes                | `libseccomp`        |
 | `!runc_nodmz` | Reduce memory usage for CVE-2019-5736 protection by using a small C binary, [see `memfd-bind` for more details][contrib-memfd-bind]. `runc_nodmz` disables this **experimental feature** and causes runc to use a different protection mechanism which will further increases memory usage temporarily during container startup. To enable this feature you also need to set the `RUNC_DMZ=true` environment variable. | yes ||
-| `runc_dmz_selinux_nocompat` | Disables a SELinux DMZ workaround (new distros should set this). See [dmz README] for details. | no ||
 
 The following build tags were used earlier, but are now obsoleted:
  - **nokmem** (since runc v1.0.0-rc94 kernel memory settings are ignored)

Vagrantfile.fedora

@@ -32,9 +32,6 @@ EOF
     # To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp.
     mount -o remount,suid /tmp
 
-    # Disable selinux-vs-dmz workaround as Fedora doesn't need it.
-    echo 'export EXTRA_BUILDTAGS=runc_dmz_selinux_nocompat' >> /root/.bashrc
-
     # Prevent the "fatal: unsafe repository" git complain during build.
     git config --global --add safe.directory /vagrant
 

libcontainer/container_linux.go

@@ -463,10 +463,6 @@ func slicesContains[S ~[]E, E comparable](slice S, needle E) bool {
 }
 
 func isDmzBinarySafe(c *configs.Config) bool {
-	if !dmz.WorksWithSELinux(c) {
-		return false
-	}
-
 	// Because we set the dumpable flag in nsexec, the only time when it is
 	// unsafe to use runc-dmz is when the container process would be able to
 	// race against "runc init" and bypass the ptrace_may_access() checks.

libcontainer/dmz/README.md

@@ -15,16 +15,4 @@ It also support all the architectures we support in runc.
 
 If the GOARCH we use for compiling doesn't support nolibc, it fallbacks to using the C stdlib.
 
-## SELinux compatibility issue and a workaround
-
-Older SELinux policy can prevent runc to execute the dmz binary. The issue is
-fixed in [container-selinux v2.224.0]. Yet, some older distributions may not
-have the fix, so runc has a runtime workaround of disabling dmz if it finds
-that SELinux is in enforced mode and the container SELinux label is set.
-
-Distributions that have a sufficiently new container-selinux can disable the
-workaround by building runc with the `runc_dmz_selinux_nocompat` build flag,
-essentially allowing dmz to be used together with SELinux.
-
 [nolibc-upstream]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/include/nolibc?h=v6.6-rc3
-[container-selinux v2.224.0]: https://github.com/containers/container-selinux/releases/tag/v2.224.0

libcontainer/dmz/selinux.go

@@ -538,6 +538,20 @@ function requires() {
 	done
 }
 
+# Allow a test to specify that it will not work properly on a given OS. The
+# fingerprint for the OS used for this test is $ID-$VERSION_ID, using the
+# variables in /etc/os-release. The arguments are regular expressions, and any
+# match will cause the test to be skipped.
+function exclude_os() {
+	local host
+	host="$(sh -c '. /etc/os-release ; echo "$ID-$VERSION_ID"')"
+	for bad_os in "$@"; do
+		if [[ "$host" =~ ^$bad_os$ ]]; then
+			skip "test doesn't work on $bad_os"
+		fi
+	done
+}
+
 # Retry a command $1 times until it succeeds. Wait $2 seconds between retries.
 function retry() {
 	local attempts=$1

libcontainer/dmz/selinux_compat.go

@@ -128,6 +128,10 @@ function teardown() {
 }
 
 @test "RUNC_DMZ=true runc run [runc-dmz]" {
+	# centos-7 has an outdated container-selinux (<2.224.0) which means
+	# runc-dmz won't work.
+	exclude_os centos-7
+
 	RUNC_DMZ=true runc --debug run test_hello
 	[ "$status" -eq 0 ]
 	[[ "$output" = *"Hello World"* ]]
@@ -136,6 +140,10 @@ function teardown() {
 }
 
 @test "RUNC_DMZ=true runc run [cap_sys_ptrace -> /proc/self/exe clone]" {
+	# centos-7 has an outdated container-selinux (<2.224.0) which means
+	# runc-dmz won't work.
+	exclude_os centos-7
+
 	# Add CAP_SYS_PTRACE to the bounding set, the minimum needed to indicate a
 	# container process _could_ get CAP_SYS_PTRACE.
 	update_config '.process.capabilities.bounding += ["CAP_SYS_PTRACE"]'
@@ -232,6 +240,10 @@ function teardown() {
 }
 
 @test "RUNC_DMZ=true runc run [exec error]" {
+	# centos-7 has an outdated container-selinux (<2.224.0) which means
+	# runc-dmz won't work.
+	exclude_os centos-7
+
 	cat <<EOF >rootfs/run.sh
 #!/mmnnttbb foo bar
 sh

tests/integration/helpers.bash

@@ -40,6 +40,10 @@ function teardown() {
 
 # https://github.com/opencontainers/runc/issues/4057
 @test "runc run (custom selinux label, RUNC_DMZ=true)" {
+	# centos-7 has an outdated container-selinux (<2.224.0) which means
+	# runc-dmz won't work.
+	exclude_os centos-7
+
 	update_config '	  .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
 			| .process.args = ["/bin/true"]'
 	RUNC_DMZ=true runc run tst