Support changing of lsm mount context on restore

Wire through CRIU's support to change the mount context on restore. This is especially useful if restoring a container in a different pod. Single container restore uses the same SELinux process label and same mount context as during checkpointing. If a container is being restored into an existing pod the process label and the mount context needs to be changed to the context of the pod. Changing process label on restore is already supported by runc. This patch adds the possibility to change the mount context. Signed-off-by: Adrian Reber <[email protected]>
opencontainers · Jul 7, 2021 · 02139ea · 02139ea
1 parent 9a57283
commit 02139ea
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 0 deletions.
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
@@ -1344,6 +1344,12 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
 		}
 		req.Opts.LsmProfile = proto.String(criuOpts.LsmProfile)
 	}
+	if criuOpts.LsmMountContext != "" {
+		if err := c.checkCriuVersion(31600); err != nil {
+			return errors.New("--mount-context requires at least CRIU 3.16")
+		}
+		req.Opts.LsmMountContext = proto.String(criuOpts.LsmMountContext)
+	}
 
 	if criuOpts.WorkDirectory != "" {
 		// Since a container can be C/R'ed multiple times,

diff --git a/libcontainer/criu_opts_linux.go b/libcontainer/criu_opts_linux.go
@@ -30,4 +30,5 @@ type CriuOpts struct {
 	LazyPages               bool               // restore memory pages lazily using userfaultfd
 	StatusFd                int                // fd for feedback when lazy server is ready
 	LsmProfile              string             // LSM profile used to restore the container
+	LsmMountContext         string             // LSM mount context value to use during restore
 }
diff --git a/man/runc-restore.8.md b/man/runc-restore.8.md
@@ -75,6 +75,14 @@ daemon. See [criu --lazy-pages option](https://criu.org/CLI/opt/--lazy-pages).
 **apparamor** or **selinux**, and _label_ is a valid LSM label. For example,
 **--lsm-profile "selinux:system_u:system_r:container_t:s0:c82,c137"**.
 
+**--mount-context** _context_
+: Specify an LSM mount context to be used during restore. Only mounts with an
+existing context will have their context replaced. With this option it is
+possible to change SELinux mount options. Instead of mounting with the
+checkpointed context like `context="system_u:object_r:container_file_t:s0:c31,c779"`
+the mount context will be replaced with the value specified using **--mount-context**.
+For example, **--mount-context "system_u:object_r:container_file_t:s0:c82,c137"**.
+
 # SEE ALSO
 **criu**(8),
 **runc-checkpoint**(8),

diff --git a/restore.go b/restore.go
@@ -96,6 +96,11 @@ using the runc checkpoint command.`,
 			Value: "",
 			Usage: "Specify an LSM profile to be used during restore in the form of TYPE:NAME.",
 		},
+		cli.StringFlag{
+			Name:  "lsm-mount-context",
+			Value: "",
+			Usage: "Specify an LSM mount context to be used during restore.",
+		},
 	},
 	Action: func(context *cli.Context) error {
 		if err := checkArgs(context, 1, exactArgs); err != nil {
@@ -145,5 +150,6 @@ func criuOptions(context *cli.Context) *libcontainer.CriuOpts {
 		LazyPages:               context.Bool("lazy-pages"),
 		StatusFd:                context.Int("status-fd"),
 		LsmProfile:              context.String("lsm-profile"),
+		LsmMountContext:         context.String("lsm-mount-context"),
 	}
 }