container.conf: Add option to set keyring SELinux context

author Maximilian Blenk <Maximilian.Blenk@bmw.de>

Wed, 29 Jan 2020 16:09:50 +0000 (17:09 +0100)

committer Maximilian Blenk <Maximilian.Blenk@bmw.de>

Fri, 31 Jan 2020 13:33:01 +0000 (14:33 +0100)
author Maximilian Blenk <Maximilian.Blenk@bmw.de>
Wed, 29 Jan 2020 16:09:50 +0000 (17:09 +0100)
committer Maximilian Blenk <Maximilian.Blenk@bmw.de>
Fri, 31 Jan 2020 13:33:01 +0000 (14:33 +0100)
diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te

index bb4bfe3a8feb664d363b7cb8590cb4e82aef9e16..d3f78d80b89de5cd64494ba8514e137446bc80a1 100644 (file)
--- a/config/selinux/lxc.te
+++ b/config/selinux/lxc.te
@@ -84,5 +84,8 @@ allow lxc_t self:packet_socket create_socket_perms;
  allow lxc_t self:rawip_socket create_socket_perms;
  allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
  
+# Needed to set label that the keyring will be created with
+allow lxc_t self:process { setkeycreate };
+
  dontaudit lxc_t sysctl_kernel_t:file write;
  dontaudit lxc_t sysctl_modprobe_t:file write;
diff --git a/src/lxc/conf.c b/src/lxc/conf.c

index 457e1e16585b71db1069e7baf4fa86ec5b1acfd8..bc0119bd1ba866f840a0654343a00aff5faabc11 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2742,6 +2742,7 @@ struct lxc_conf *lxc_conf_init(void)
         new->lsm_aa_profile = NULL;
         lxc_list_init(&new->lsm_aa_raw);
         new->lsm_se_context = NULL;
+       new->lsm_se_keyring_context = NULL;
         new->tmp_umount_proc = false;
         new->tmp_umount_proc = 0;
         new->shmount.path_host = NULL;
@@ -3533,6 +3534,7 @@ int lxc_setup(struct lxc_handler *handler)
         int ret;
         const char *lxcpath = handler->lxcpath, *name = handler->name;
         struct lxc_conf *lxc_conf = handler->conf;
+       char *keyring_context = NULL;
  
         ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath);
         if (ret < 0) {
@@ -3548,7 +3550,13 @@ int lxc_setup(struct lxc_handler *handler)
                 }
         }
  
-       ret = lxc_setup_keyring();
+       if (lxc_conf->lsm_se_keyring_context) {
+               keyring_context = lxc_conf->lsm_se_keyring_context;
+       } else if (lxc_conf->lsm_se_context) {
+               keyring_context = lxc_conf->lsm_se_context;
+       }
+
+       ret = lxc_setup_keyring(keyring_context);
         if (ret < 0)
                 return -1;
  
diff --git a/src/lxc/conf.h b/src/lxc/conf.h

index 3917cfc9417058270f4f2444a63b1345a60dd47a..d916f94dc024f94d9f2daa2b01d695bd4c42098f 100644 (file)
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -298,6 +298,7 @@ struct lxc_conf {
         unsigned int lsm_aa_allow_incomplete;
         struct lxc_list lsm_aa_raw;
         char *lsm_se_context;
+       char *lsm_se_keyring_context;
         bool tmp_umount_proc;
         struct lxc_seccomp seccomp;
         int maincmd_fd;
diff --git a/src/lxc/confile.c b/src/lxc/confile.c

index c27d432d8150f5eec530f9014fbd6d80325f82bd..69466648c7f91efcba12283cd4946259ad21e7bc 100644 (file)
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -136,6 +136,7 @@ lxc_config_define(seccomp_allow_nesting);
  lxc_config_define(seccomp_notify_cookie);
  lxc_config_define(seccomp_notify_proxy);
  lxc_config_define(selinux_context);
+lxc_config_define(selinux_context_keyring);
  lxc_config_define(signal_halt);
  lxc_config_define(signal_reboot);
  lxc_config_define(signal_stop);
@@ -233,6 +234,7 @@ static struct lxc_config_t config_jump_table[] = {
         { "lxc.seccomp.notify.proxy",      set_config_seccomp_notify_proxy,        get_config_seccomp_notify_proxy,        clr_config_seccomp_notify_proxy,      },
         { "lxc.seccomp.profile",           set_config_seccomp_profile,             get_config_seccomp_profile,             clr_config_seccomp_profile,           },
         { "lxc.selinux.context",           set_config_selinux_context,             get_config_selinux_context,             clr_config_selinux_context,           },
+       { "lxc.selinux.context.keyring",   set_config_selinux_context_keyring,     get_config_selinux_context_keyring,     clr_config_selinux_context_keyring    },
         { "lxc.signal.halt",               set_config_signal_halt,                 get_config_signal_halt,                 clr_config_signal_halt,               },
         { "lxc.signal.reboot",             set_config_signal_reboot,               get_config_signal_reboot,               clr_config_signal_reboot,             },
         { "lxc.signal.stop",               set_config_signal_stop,                 get_config_signal_stop,                 clr_config_signal_stop,               },
@@ -1469,6 +1471,12 @@ static int set_config_selinux_context(const char *key, const char *value,
         return set_config_string_item(&lxc_conf->lsm_se_context, value);
  }
  
+static int set_config_selinux_context_keyring(const char *key, const char *value,
+                                             struct lxc_conf *lxc_conf, void *data)
+{
+       return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
+}
+
  static int set_config_log_file(const char *key, const char *value,
                               struct lxc_conf *c, void *data)
  {
@@ -3539,6 +3547,13 @@ static int get_config_selinux_context(const char *key, char *retv, int inlen,
         return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
  }
  
+static int get_config_selinux_context_keyring(const char *key, char *retv, int inlen,
+                                             struct lxc_conf *c, void *data)
+{
+       return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
+}
+
+
  /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
   * just the value(s) will be printed. Since there still could be more than one,
   * it is newline-separated.
@@ -4405,6 +4420,14 @@ static inline int clr_config_selinux_context(const char *key,
         return 0;
  }
  
+static inline int clr_config_selinux_context_keyring(const char *key,
+                                                    struct lxc_conf *c, void *data)
+{
+       free(c->lsm_se_keyring_context);
+       c->lsm_se_keyring_context = NULL;
+       return 0;
+}
+
  static inline int clr_config_cgroup_controller(const char *key,
                                                struct lxc_conf *c, void *data)
  {
@@ -5951,6 +5974,7 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
                 strprint(retv, inlen, "dir\n");
         } else if (!strcmp(key, "lxc.selinux")) {
                 strprint(retv, inlen, "context\n");
+               strprint(retv, inlen, "context.keyring\n");
         } else if (!strcmp(key, "lxc.mount")) {
                 strprint(retv, inlen, "auto\n");
                 strprint(retv, inlen, "entry\n");
diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c

index 2b80914ca06001d2797a6d02b4498dad13b807b7..553e0c99a101ffd31d7d9b4d6d1785f74fe47f78 100644 (file)
--- a/src/lxc/lsm/lsm.c
+++ b/src/lxc/lsm/lsm.c
@@ -193,3 +193,16 @@ void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath)
  
         drv->cleanup(conf, lxcpath);
  }
+
+int lsm_keyring_label_set(char *label) {
+
+       if (!drv) {
+               ERROR("LSM driver not inited");
+               return -1;
+       }
+
+       if (!drv->keyring_label_set)
+               return 0;
+
+       return drv->keyring_label_set(label);
+}
diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h

index 7586d20f2b6c24398bd24c1c4c97a6a308b31df8..ee578bb035cda5a125e564c2b84976ef534af611 100644 (file)
--- a/src/lxc/lsm/lsm.h
+++ b/src/lxc/lsm/lsm.h
@@ -17,6 +17,7 @@ struct lsm_drv {
         char *(*process_label_get)(pid_t pid);
         int (*process_label_set)(const char *label, struct lxc_conf *conf,
                                  bool on_exec);
+       int (*keyring_label_set)(char* label);
         int (*prepare)(struct lxc_conf *conf, const char *lxcpath);
         void (*cleanup)(struct lxc_conf *conf, const char *lxcpath);
  };
@@ -32,5 +33,6 @@ extern int lsm_process_label_fd_get(pid_t pid, bool on_exec);
  extern int lsm_process_label_set_at(int label_fd, const char *label,
                                     bool on_exec);
  extern void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath);
+extern int lsm_keyring_label_set(char *label);
  
  #endif /* __LXC_LSM_H */
diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c

index 4e537bb2646f8f490ace7d7e49699337cbcee675..dba0ab584458e5451b047e3b64c728ebb9befb8f 100644 (file)
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -85,11 +85,24 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
         return 0;
  }
  
+/*
+ * selinux_keyring_label_set: Set SELinux context that will be assigned to the keyring
+ *
+ * @label   : label string
+ *
+ * Returns 0 on success, < 0 on failure
+ */
+static int selinux_keyring_label_set(char *label)
+{
+       return setkeycreatecon_raw(label);
+};
+
  static struct lsm_drv selinux_drv = {
         .name = "SELinux",
         .enabled           = is_selinux_enabled,
         .process_label_get = selinux_process_label_get,
         .process_label_set = selinux_process_label_set,
+       .keyring_label_set = selinux_keyring_label_set,
  };
  
  struct lsm_drv *lsm_selinux_drv_init(void)
diff --git a/src/lxc/utils.c b/src/lxc/utils.c

index da2d3112bd65179887c79a3e47bac92c8e1a92ce..406a54c0aa13e342ca3ccc80f55f9bf3a1dda4a4 100644 (file)
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -27,6 +27,7 @@
  
  #include "config.h"
  #include "log.h"
+#include "lsm/lsm.h"
  #include "lxclock.h"
  #include "memory_utils.h"
  #include "namespace.h"
@@ -1835,11 +1836,17 @@ int recursive_destroy(const char *dirname)
         return fret;
  }
  
-int lxc_setup_keyring(void)
+int lxc_setup_keyring(char *keyring_label)
  {
         key_serial_t keyring;
         int ret = 0;
  
+       if (keyring_label) {
+               if (lsm_keyring_label_set(keyring_label) < 0) {
+                       ERROR("Couldn't set keyring label");
+               }
+       }
+
         /* Try to allocate a new session keyring for the container to prevent
          * information leaks.
          */
diff --git a/src/lxc/utils.h b/src/lxc/utils.h

index 8b3cfdfa04adfccd0fbd19e55a66f35463e8d0ac..24d615de468e285ee67393feaa3d7061e10c00b1 100644 (file)
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -232,6 +232,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n);
  extern int lxc_set_death_signal(int signal, pid_t parent, int parent_status_fd);
  extern int fd_cloexec(int fd, bool cloexec);
  extern int recursive_destroy(const char *dirname);
-extern int lxc_setup_keyring(void);
+extern int lxc_setup_keyring(char *keyring_label);
  
  #endif /* __LXC_UTILS_H */
author	Maximilian Blenk <Maximilian.Blenk@bmw.de>
	Wed, 29 Jan 2020 16:09:50 +0000 (17:09 +0100)
committer	Maximilian Blenk <Maximilian.Blenk@bmw.de>
	Fri, 31 Jan 2020 13:33:01 +0000 (14:33 +0100)
config/selinux/lxc.te		patch \| blob \| blame \| history
src/lxc/conf.c		patch \| blob \| blame \| history
src/lxc/conf.h		patch \| blob \| blame \| history
src/lxc/confile.c		patch \| blob \| blame \| history
src/lxc/lsm/lsm.c		patch \| blob \| blame \| history
src/lxc/lsm/lsm.h		patch \| blob \| blame \| history
src/lxc/lsm/selinux.c		patch \| blob \| blame \| history
src/lxc/utils.c		patch \| blob \| blame \| history
src/lxc/utils.h		patch \| blob \| blame \| history