containers/container-selinux

Fail early when "socket activation" provides a Unix socket and SELINUX is active and there is no --security-opt label=disable

eriksjolund opened this issue · 4 comments

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

Before Podman starts a container with socket activation, Podman should check if there is any Unix socket among the socket-activated sockets. If that is the case and SELINUX is active and there is no --security-opt label=disable, Podman should fail before starting the container. The reason is that the container will not be able to use that socket (and probably fail).
See also the comment.

The application might work if also TCP sockets are provided, but I guess it's better to just fail as soon as there is at least one Unix socket. That would be a simpler user interface.

In principle this feature would be a backwards incompatible change, but I think few people would be impacted. Socket activation via Podman is a rather new feature and I haven't seen any examples or blog posts about it. (That's why I wrote this example: https://github.com/eriksjolund/mariadb-podman-socket-activation/).

Output of podman version:

Client:       Podman Engine
Version:      4.0.0-rc4
API Version:  4.0.0-rc4
Go Version:   go1.16.13

Built:      Fri Feb  4 16:25:35 2022
OS/Arch:    linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.24.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-2.fc35.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: '
  cpus: 8
  distribution:
    distribution: fedora
    variant: workstation
    version: "35"
  eventLogger: journald
  hostname: laptop
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1035
      size: 1
    - container_id: 1
      host_id: 2638224
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1035
      size: 1
    - container_id: 1
      host_id: 2703760
      size: 65536
  kernel: 5.16.5-200.fc35.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 6060683264
  memTotal: 33452257280
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.4.2-1.fc35.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.2
      commit: f6fbc8f840df1a414f31a60953ae514fa497c748
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1035/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc35.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 9021083648
  swapTotal: 9124700160
  uptime: 130h 30m 27.75s (Approximately 5.42 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/test40/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/test40/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 14
  runRoot: /run/user/1035/containers
  volumePath: /home/test40/.local/share/containers/storage/volumes
version:
  APIVersion: 4.0.0-rc4
  Built: 1643988335
  BuiltTime: Fri Feb  4 16:25:35 2022
  GitCommit: ""
  GoVersion: go1.16.13
  OsArch: linux/amd64
  Version: 4.0.0-rc4


Package info (e.g. output of rpm -q podman or apt list podman):

podman-4.0.0-0.5.rc4.fc35.x86_64
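
The check the issue asks for, written out as an added example in Go (it is not Podman's code and not code from this issue). It derives the passed descriptors from LISTEN_PID/LISTEN_FDS the way sd_listen_fds(3) does, asks the kernel for each descriptor's address family rather than trusting LISTEN_FDNAMES, treats SELinux as active only when /sys/fs/selinux/enforce reads 1 (the comments further down show the socket working after setenforce 0), and refuses to start when labelling was not disabled. Assumptions: the function names, the error text, and that the remaining command-line arguments are the --security-opt values.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// listenFDStart is where systemd places the first passed descriptor
// (SD_LISTEN_FDS_START in sd_listen_fds(3)).
const listenFDStart = 3

// listenFDs returns the descriptors systemd handed to this process, given the
// LISTEN_PID and LISTEN_FDS values and our own pid. It returns nil when the
// variables are absent or addressed to another process.
func listenFDs(ourPID int, pidVar, fdsVar string) ([]int, error) {
	if pidVar == "" || fdsVar == "" {
		return nil, nil
	}
	pid, err := strconv.Atoi(pidVar)
	if err != nil {
		return nil, fmt.Errorf("bad LISTEN_PID %q: %w", pidVar, err)
	}
	if pid != ourPID {
		return nil, nil // not meant for us, leave the fds alone
	}
	n, err := strconv.Atoi(fdsVar)
	if err != nil || n < 0 {
		return nil, fmt.Errorf("bad LISTEN_FDS %q", fdsVar)
	}
	fds := make([]int, 0, n)
	for i := 0; i < n; i++ {
		fds = append(fds, listenFDStart+i)
	}
	return fds, nil
}

// isUnixSocket reports whether fd is an AF_UNIX socket by asking the kernel
// for its local address; non-sockets yield an error and count as false.
func isUnixSocket(fd int) bool {
	sa, err := syscall.Getsockname(fd)
	if err != nil {
		return false
	}
	_, ok := sa.(*syscall.SockaddrUnix)
	return ok
}

// labelDisabled reports whether the --security-opt values turn SELinux
// labelling off for the container (Podman spelling: label=disable).
func labelDisabled(securityOpts []string) bool {
	for _, o := range securityOpts {
		if strings.TrimSpace(o) == "label=disable" {
			return true
		}
	}
	return false
}

// selinuxEnforcing reads /sys/fs/selinux/enforce; an absent file means
// SELinux is not active on this host, "0" means permissive.
func selinuxEnforcing() bool {
	b, err := os.ReadFile("/sys/fs/selinux/enforce")
	return err == nil && strings.TrimSpace(string(b)) == "1"
}

// errUnixSocketLabel is an assumed error text for the early failure.
var errUnixSocketLabel = errors.New("socket activation passed a Unix socket but SELinux is enforcing; pass --security-opt label=disable")

// checkSocketActivation is the early check: fail before the container starts
// if any activated fd is a Unix socket, SELinux is enforcing and labelling was
// not disabled. One Unix socket is enough, even if TCP sockets are also passed.
func checkSocketActivation(fds []int, enforcing bool, securityOpts []string) error {
	if !enforcing || labelDisabled(securityOpts) {
		return nil
	}
	for _, fd := range fds {
		if isUnixSocket(fd) {
			return fmt.Errorf("fd %d: %w", fd, errUnixSocketLabel)
		}
	}
	return nil
}

func main() {
	fds, err := listenFDs(os.Getpid(), os.Getenv("LISTEN_PID"), os.Getenv("LISTEN_FDS"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	// Assumption for the demo: each argument is one --security-opt value.
	if err := checkSocketActivation(fds, selinuxEnforcing(), os.Args[1:]); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Printf("ok: %d activated fd(s)\n", len(fds))
}
```

Started from a socket unit (systemd sets LISTEN_PID and LISTEN_FDS), it passes with a TCP-only unit and exits 1 before anything starts when a Unix socket arrives on an enforcing host without label=disable. Keying on enforcing mode rather than on SELinux being merely enabled means a permissive host still starts the container and logs denials of the kind shown in the comments below.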

What AVC are you seeing? We might want to allow this.

If this is just an inherited socket owned by systemd, it can be allowed.

Could you setenforce 0 and then use the service? Then attach all of the AVCs.

I booted up a Fedora CoreOS next stream VM and ran

rpm-ostree install --apply-live --allow-inactive mariadb
rpm-ostree install --apply-live --allow-inactive audit
systemctl start auditd.service

Then I followed roughly
https://github.com/eriksjolund/mariadb-podman-socket-activation/
(there are a few small bugs I need to fix there)

[esjolund@tutorial mariadb-podman-socket-activation]$ systemctl --user start mariadb-unix@instance7.socket
[esjolund@tutorial mariadb-podman-socket-activation]$ mariadb --socket ~/mariadb-socket.instance7 -u example-user -p
Enter password: 
ERROR 2013 (HY000): Lost connection to MySQL server at 'handshake: reading initial communication packet', system error: 104

Then I ran

sudo setenforce 0

and performed a new test

[esjolund@tutorial ~]$ systemctl --user start mariadb-unix@instance20.socket
[esjolund@tutorial ~]$ mariadb --socket ~/mariadb-socket.instance20 -u example-user -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \q
Bye

As root I ran ausearch -ts recent.
The last entries were

----
time->Thu Feb 10 21:17:20 2022
type=AVC msg=audit(1644527840.502:242): avc:  denied  { getattr } for  pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
time->Thu Feb 10 21:17:20 2022
type=AVC msg=audit(1644527840.503:243): avc:  denied  { getopt } for  pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
time->Thu Feb 10 21:17:20 2022
type=AVC msg=audit(1644527840.509:244): avc:  denied  { accept } for  pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
time->Thu Feb 10 21:17:20 2022
type=AVC msg=audit(1644527840.509:245): avc:  denied  { setopt } for  pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
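
As an added example (not container-selinux's or Podman's code, and not the change referenced in the last comment), a small Go program that parses the four denials above, embedded inline as constructed sample input, groups them by source type, target type and object class, and prints the allow rule in the form audit2allow prints. Type and function names are assumptions. The permissive=1 field is what says these calls went through rather than failing: they were recorded after setenforce 0, which is why the second mariadb session connected.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleAVCs is a constructed copy of the four denials quoted above, one per
// line, without the "----"/"time->" separators that ausearch prints.
const sampleAVCs = `type=AVC msg=audit(1644527840.502:242): avc:  denied  { getattr } for  pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1644527840.503:243): avc:  denied  { getopt } for  pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1644527840.509:244): avc:  denied  { accept } for  pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1644527840.509:245): avc:  denied  { setopt } for  pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1`

// avcRe pulls the denied permissions, both contexts, the object class and the
// permissive flag out of one AVC record.
var avcRe = regexp.MustCompile(`avc:\s+denied\s+\{ ([^}]+) \} for .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)(?: permissive=([01]))?`)

// Denial is the set of permissions denied between one source type and one
// target type on one object class, merged across records.
type Denial struct {
	Src, Tgt, Class string
	Perms           map[string]bool
	Permissive      bool // true if every merged record carried permissive=1
}

// typeOf extracts the type field from a user:role:type[:level] context.
func typeOf(ctx string) string {
	parts := strings.SplitN(ctx, ":", 4)
	if len(parts) < 3 {
		return ctx
	}
	return parts[2]
}

// ParseAVCs groups denial records by (source type, target type, class) and
// returns them in a stable order so the output is reproducible.
func ParseAVCs(text string) []Denial {
	byKey := map[string]*Denial{}
	for _, line := range strings.Split(text, "\n") {
		m := avcRe.FindStringSubmatch(line)
		if m == nil {
			continue // not an AVC record
		}
		d := Denial{Src: typeOf(m[2]), Tgt: typeOf(m[3]), Class: m[4]}
		key := d.Src + " " + d.Tgt + ":" + d.Class
		cur, ok := byKey[key]
		if !ok {
			d.Perms = map[string]bool{}
			d.Permissive = true
			byKey[key] = &d
			cur = &d
		}
		for _, p := range strings.Fields(m[1]) {
			cur.Perms[p] = true
		}
		if m[5] != "1" {
			cur.Permissive = false
		}
	}
	keys := make([]string, 0, len(byKey))
	for k := range byKey {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := make([]Denial, 0, len(keys))
	for _, k := range keys {
		out = append(out, *byKey[k])
	}
	return out
}

// AllowRule renders the merged denial as a policy statement in the form
// audit2allow prints, with the permissions sorted.
func AllowRule(d Denial) string {
	perms := make([]string, 0, len(d.Perms))
	for p := range d.Perms {
		perms = append(perms, p)
	}
	sort.Strings(perms)
	return fmt.Sprintf("allow %s %s:%s { %s };", d.Src, d.Tgt, d.Class, strings.Join(perms, " "))
}

func main() {
	for _, d := range ParseAVCs(sampleAVCs) {
		note := "would be blocked in enforcing mode"
		if d.Permissive {
			note = "logged under permissive=1, so the calls succeeded"
		}
		fmt.Printf("%s  # %s\n", AllowRule(d), note)
	}
}
```

The rule it derives is the minimal one that covers exactly these four records; whether container_t should be allowed to accept on a unix_stream_socket owned by container_runtime_t is the policy question the earlier comment raises (an inherited socket owned by systemd "can be allowed"), and the program only makes that rule visible rather than deciding it.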

Fixed in v2.178.0