virtcontainers: Add SELinux support for running VM Confinement

We want to launch the KVM launcher tool (qemu?) with an SELinux label, similar to what we do with libvirt. Currently when I use kata with Podman, it complains if we specify a label that kata does not support SELinux labels. What I would like to do is have kata just use this label to apply to the KVM launcher. Then I will work to generate a new policy type (container_kvm_t) that will allow the KVM Launcher tool to do its thing, but prevent breakout. Fixes: #2501 Signed-off-by: Fabiano Fidêncio <[email protected]> Signed-off-by: Daniel J Walsh <[email protected]>
kata-containers · Apr 2, 2020 · e4eb553 · e4eb553
1 parent 705713b
commit e4eb553
Show file tree

Hide file tree

Showing 18 changed files with 1,847 additions and 3 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -98,3 +98,7 @@
 [[constraint]]
   name = "github.com/blang/semver"
   version = "3.6.1"
+
+[[constraint]]
+  name = "github.com/opencontainers/selinux"
+  version = "1.3.3"
diff --git a/Makefile b/Makefile
@@ -464,8 +464,11 @@ QUIET_GENERATE = $(Q:@=@echo    '     GENERATE '$@;)
 QUIET_INST     = $(Q:@=@echo    '     INSTALL  '$@;)
 QUIET_TEST     = $(Q:@=@echo    '     TEST     '$@;)
 
+SELINUXTAG := $(shell ./hack/selinux_tag.sh)
+BUILDTAGS := --tags "$(SELINUXTAG)"
+
 # go build common flags
-BUILDFLAGS := -buildmode=pie
+BUILDFLAGS := -buildmode=pie ${BUILDTAGS}
 
 # whether stipping the binary
 ifeq ($(STRIP),yes)

diff --git a/hack/selinux_tag.sh b/hack/selinux_tag.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+# Copyright 2020 Red Hat Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+pkg-config libselinux 2> /dev/null && echo selinux
diff --git a/vendor/github.com/opencontainers/selinux/LICENSE b/vendor/github.com/opencontainers/selinux/LICENSE
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go