cri-o · openshift-merge-robot · Oct 15, 2021 · Sep 30, 2021 · Oct 1, 2021 · Sep 30, 2021
@@ -156,6 +156,6 @@ linters-settings:
       - unnamedResult
       - unnecessaryBlock
   gocyclo:
-    min-complexity: 122
+    min-complexity: 127
   nakedret:
     max-func-lines: 15
@@ -17,6 +17,7 @@
     src: https://ftp.gnu.org/gnu/parallel/parallel-20190322.tar.bz2
     dest: "{{ ansible_env.HOME }}"
     remote_src: yes
+    validate_certs: False
   when: ansible_distribution in ['RedHat', 'CentOS']
 
 - name: install parallel from sources

@@ -43,7 +43,7 @@ require (
 	github.com/opencontainers/runc v1.0.0-rc95.0.20210521141834-a95237f81684
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/opencontainers/runtime-tools v0.9.1-0.20200121211434-d1bf3e66ff0a
-	github.com/opencontainers/selinux v1.8.5
+	github.com/opencontainers/selinux v1.9.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.10.0
 	github.com/psampaz/go-mod-outdated v0.7.0

@@ -169,7 +169,6 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bifurcation/mint v0.0.0-20180715133206-93c51c6ce115/go.mod h1:zVt7zX3K/aDCk9Tj+VM7YymsX66ERvzCJzw8rFCX2JU=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
-github.com/bits-and-blooms/bitset v1.2.0 h1:Kn4yilvwNtMACtf1eYDlG8H77R07mZSPbMjLyS07ChA=
 github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
@@ -1048,8 +1047,8 @@ github.com/opencontainers/selinux v1.5.1/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwy
 github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
-github.com/opencontainers/selinux v1.8.5 h1:OkT6bMHOQ1JQQO4ihjQ49sj0+wciDcjziSVTRn8VeTA=
-github.com/opencontainers/selinux v1.8.5/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo=
+github.com/opencontainers/selinux v1.9.1 h1:b4VPEF3O5JLZgdTDBmGepaaIbAo0GqoF6EBRq5f/g3Y=
+github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/openshift/imagebuilder v1.2.0 h1:uoZFjJICLlTMjlAL/UG2PA2kM8RjAsVflGfHJK7MMDk=
 github.com/openshift/imagebuilder v1.2.0/go.mod h1:9aJRczxCH0mvT6XQ+5STAQaPWz7OsWcU5/mRkt8IWeo=
 github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis=

@@ -27,6 +27,10 @@ const (
 
 	// OCISeccompBPFHookAnnotation is the annotation used by the OCI seccomp BPF hook for tracing container syscalls
 	OCISeccompBPFHookAnnotation = "io.containers.trace-syscall"
+
+	// TrySkipVolumeSELinuxLabelAnnotation is the annotation used for optionally skipping relabeling a volume
+	// with the specified SELinux label.  The relabeling will be skipped if the top layer is already labeled correctly.
+	TrySkipVolumeSELinuxLabelAnnotation = "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"
 )
 
 var AllAllowedAnnotations = []string{
@@ -38,4 +42,5 @@ var AllAllowedAnnotations = []string{
 	CPUQuotaAnnotation,
 	IRQLoadBalancingAnnotation,
 	OCISeccompBPFHookAnnotation,
+	TrySkipVolumeSELinuxLabelAnnotation,
 }
@@ -131,7 +131,7 @@ func addImageVolumes(ctx context.Context, rootfs string, s *Server, containerInf
 				return nil, err1
 			}
 			if mountLabel != "" {
-				if err1 := securityLabel(fp, mountLabel, true); err1 != nil {
+				if err1 := securityLabel(fp, mountLabel, true, false); err1 != nil {
 					return nil, err1
 				}
 			}
@@ -143,7 +143,7 @@ func addImageVolumes(ctx context.Context, rootfs string, s *Server, containerInf
 			}
 			// Label the source with the sandbox selinux mount label
 			if mountLabel != "" {
-				if err1 := securityLabel(src, mountLabel, true); err1 != nil {
+				if err1 := securityLabel(src, mountLabel, true, false); err1 != nil {
 					return nil, err1
 				}
 			}
@@ -235,7 +235,7 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
 			return err
 		}
 		if passwdPath != "" {
-			if err := securityLabel(passwdPath, mountLabel, false); err != nil {
+			if err := securityLabel(passwdPath, mountLabel, false, false); err != nil {
 				return err
 			}
 

@@ -1,3 +1,4 @@
+//go:build linux
 // +build linux
 
 package server
@@ -32,6 +33,7 @@ import (
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 )
 
@@ -132,6 +134,14 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 
 	// eventually, we'd like to access all of these variables through the interface themselves, and do most
 	// of the translation between CRI config -> oci/storage container in the container package
+
+	// TODO: eventually, this should be in the container package, but it's going through a lot of churn
+	// and SpecAddAnnotations is already being passed too many arguments
+	// Filter early so any use of the annotations don't use the wrong values
+	if err := s.Runtime().FilterDisallowedAnnotations(sb.RuntimeHandler(), ctr.Config().Annotations); err != nil {
+		return nil, err
+	}
+
 	containerID := ctr.ID()
 	containerName := ctr.Name()
 	containerConfig := ctr.Config()
@@ -265,7 +275,20 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 		processLabel = ""
 	}
 
-	containerVolumes, ociMounts, err := addOCIBindMounts(ctx, mountLabel, containerConfig, specgen, s.config.RuntimeConfig.BindMountPrefix, s.config.AbsentMountSourcesToReject)
+	maybeRelabel := false
+	if val, present := sb.Annotations()[crioann.TrySkipVolumeSELinuxLabelAnnotation]; present && val == "true" {
+		maybeRelabel = true
+	}
+
+	skipRelabel := false
+	const superPrivilegedType = "spc_t"
+	if securityContext.SelinuxOptions.Type == superPrivilegedType || // super privileged container
+		(ctr.SandboxConfig().Linux.SecurityContext.SelinuxOptions.Type == superPrivilegedType && // super privileged pod
+			securityContext.SelinuxOptions.Type == "") {
+		skipRelabel = true
+	}
+
+	containerVolumes, ociMounts, err := addOCIBindMounts(ctx, ctr, mountLabel, s.config.RuntimeConfig.BindMountPrefix, s.config.AbsentMountSourcesToReject, maybeRelabel, skipRelabel)
 	if err != nil {
 		return nil, err
 	}
@@ -507,7 +530,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 		options = []string{"ro"}
 	}
 	if sb.ResolvPath() != "" {
-		if err := securityLabel(sb.ResolvPath(), mountLabel, false); err != nil {
+		if err := securityLabel(sb.ResolvPath(), mountLabel, false, false); err != nil {
 			return nil, err
 		}
 		ctr.SpecAddMount(rspec.Mount{
@@ -519,7 +542,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 	}
 
 	if sb.HostnamePath() != "" {
-		if err := securityLabel(sb.HostnamePath(), mountLabel, false); err != nil {
+		if err := securityLabel(sb.HostnamePath(), mountLabel, false, false); err != nil {
 			return nil, err
 		}
 		ctr.SpecAddMount(rspec.Mount{
@@ -574,12 +597,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 		}
 	}()
 
-	// TODO: eventually, this should be in the container package, but it's going through a lot of churn
-	// and SpecAddAnnotations is already passed too many arguments
-	if err := s.Runtime().FilterDisallowedAnnotations(sb.RuntimeHandler(), ctr.Config().Annotations); err != nil {
-		return nil, err
-	}
-
 	err = ctr.SpecAddAnnotations(ctx, sb, containerVolumes, mountPoint, containerImageConfig.Config.StopSignal, imgResult, s.config.CgroupManager().IsSystemd(), node.SystemdHasCollectMode())
 	if err != nil {
 		return nil, err
@@ -744,7 +761,7 @@ func setupWorkingDirectory(rootfs, mountLabel, containerCwd string) error {
 		return err
 	}
 	if mountLabel != "" {
-		if err1 := securityLabel(fp, mountLabel, false); err1 != nil {
+		if err1 := securityLabel(fp, mountLabel, false, false); err1 != nil {
 			return err1
 		}
 	}
@@ -774,9 +791,11 @@ func clearReadOnly(m *rspec.Mount) {
 	m.Options = append(m.Options, "rw")
 }
 
-func addOCIBindMounts(ctx context.Context, mountLabel string, containerConfig *types.ContainerConfig, specgen *generate.Generator, bindMountPrefix string, absentMountSourcesToReject []string) ([]oci.ContainerVolume, []rspec.Mount, error) {
+func addOCIBindMounts(ctx context.Context, ctr ctrIface.Container, mountLabel, bindMountPrefix string, absentMountSourcesToReject []string, maybeRelabel, skipRelabel bool) ([]oci.ContainerVolume, []rspec.Mount, error) {
 	volumes := []oci.ContainerVolume{}
 	ociMounts := []rspec.Mount{}
+	containerConfig := ctr.Config()
+	specgen := ctr.Spec()
 	mounts := containerConfig.Mounts
 
 	// Sort mounts in number of parts. This ensures that high level mounts don't
@@ -880,7 +899,9 @@ func addOCIBindMounts(ctx context.Context, mountLabel string, containerConfig *t
 		}
 
 		if m.SelinuxRelabel {
-			if err := securityLabel(src, mountLabel, false); err != nil {
+			if skipRelabel {
+				logrus.Debugf("Skipping relabel for %s because of super privileged container (type: spc_t)", src)
+			} else if err := securityLabel(src, mountLabel, false, maybeRelabel); err != nil {
 				return nil, nil, err
 			}
 		}

@@ -1,3 +1,4 @@
+//go:build linux
 // +build linux
 
 package server
@@ -6,28 +7,38 @@ import (
 	"context"
 	"testing"
 
+	"github.com/cri-o/cri-o/pkg/container"
 	"github.com/cri-o/cri-o/server/cri/types"
-	"github.com/opencontainers/runtime-tools/generate"
 )
 
 func TestAddOCIBindsForDev(t *testing.T) {
-	specgen, err := generate.New("linux")
+	ctr, err := container.New()
 	if err != nil {
 		t.Error(err)
 	}
-	config := &types.ContainerConfig{
+	if err := ctr.SetConfig(&types.ContainerConfig{
 		Mounts: []*types.Mount{
 			{
 				ContainerPath: "/dev",
 				HostPath:      "/dev",
 			},
 		},
+		Metadata: &types.ContainerMetadata{
+			Name: "testctr",
+		},
+	}, &types.PodSandboxConfig{
+		Metadata: &types.PodSandboxMetadata{
+			Name: "testpod",
+		},
+	}); err != nil {
+		t.Error(err)
 	}
-	_, binds, err := addOCIBindMounts(context.Background(), "", config, &specgen, "", nil)
+
+	_, binds, err := addOCIBindMounts(context.Background(), ctr, "", "", nil, false, false)
 	if err != nil {
 		t.Error(err)
 	}
-	for _, m := range specgen.Mounts() {
+	for _, m := range ctr.Spec().Mounts() {
 		if m.Destination == "/dev" {
 			t.Error("/dev shouldn't be in the spec if it's bind mounted from kube")
 		}
@@ -45,19 +56,29 @@ func TestAddOCIBindsForDev(t *testing.T) {
 }
 
 func TestAddOCIBindsForSys(t *testing.T) {
-	specgen, err := generate.New("linux")
+	ctr, err := container.New()
 	if err != nil {
 		t.Error(err)
 	}
-	config := &types.ContainerConfig{
+	if err := ctr.SetConfig(&types.ContainerConfig{
 		Mounts: []*types.Mount{
 			{
 				ContainerPath: "/sys",
 				HostPath:      "/sys",
 			},
 		},
+		Metadata: &types.ContainerMetadata{
+			Name: "testctr",
+		},
+	}, &types.PodSandboxConfig{
+		Metadata: &types.PodSandboxMetadata{
+			Name: "testpod",
+		},
+	}); err != nil {
+		t.Error(err)
 	}
-	_, binds, err := addOCIBindMounts(context.Background(), "", config, &specgen, "", nil)
+
+	_, binds, err := addOCIBindMounts(context.Background(), ctr, "", "", nil, false, false)
 	if err != nil {
 		t.Error(err)
 	}

@@ -5,10 +5,20 @@ import (
 
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
 
-func securityLabel(path, secLabel string, shared bool) error {
+func securityLabel(path, secLabel string, shared, maybeRelabel bool) error {
+	if maybeRelabel {
+		currentLabel, err := label.FileLabel(path)
+		if err == nil && currentLabel == secLabel {
+			logrus.Debugf(
+				"Skipping relabel for %s, as TrySkipVolumeSELinuxLabel is true and the label of the top level of the volume is already correct",
+				path)
+			return nil
+		}
+	}
 	if err := label.Relabel(path, secLabel, shared); err != nil && !errors.Is(err, unix.ENOTSUP) {
 		return fmt.Errorf("relabel failed %s: %v", path, err)
 	}

@@ -1,7 +1,8 @@
+//go:build !linux
 // +build !linux
 
 package server
 
-func securityLabel(path string, seclabel string, shared bool) error {
+func securityLabel(path string, seclabel string, shared, maybeRelabel bool) error {
 	return nil
 }
@@ -15,18 +15,6 @@ function teardown() {
 	cleanup_test
 }
 
-function create_device_runtime() {
-	cat << EOF > "$CRIO_CONFIG_DIR/01-device.conf"
-[crio.runtime]
-default_runtime = "device"
-[crio.runtime.runtimes.device]
-runtime_path = "$RUNTIME_BINARY_PATH"
-runtime_root = "$RUNTIME_ROOT"
-runtime_type = "$RUNTIME_TYPE"
-allowed_annotations = ["io.kubernetes.cri-o.Devices"]
-EOF
-}
-
 @test "additional devices support" {
 	OVERRIDE_OPTIONS="--additional-devices /dev/null:/dev/qifoo:rwm" start_crio
 	pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
@@ -80,7 +68,7 @@ EOF
 }
 
 @test "annotation devices support" {
-	create_device_runtime
+	create_runtime_with_allowed_annotation "device" "io.kubernetes.cri-o.Devices"
 	start_crio
 
 	jq '      .annotations."io.kubernetes.cri-o.Devices" = "/dev/null:/dev/qifoo:rwm"' \
@@ -110,7 +98,7 @@ EOF
 }
 
 @test "annotation should override configured additional_devices" {
-	create_device_runtime
+	create_runtime_with_allowed_annotation "device" "io.kubernetes.cri-o.Devices"
 
 	OVERRIDE_OPTIONS="--additional-devices /dev/urandom:/dev/qifoo:rwm" start_crio
 
@@ -128,7 +116,7 @@ EOF
 }
 
 @test "annotation should configure multiple devices" {
-	create_device_runtime
+	create_runtime_with_allowed_annotation "device" "io.kubernetes.cri-o.Devices"
 	start_crio
 
 	jq '      .annotations."io.kubernetes.cri-o.Devices" = "/dev/null:/dev/qifoo:rwm,/dev/urandom:/dev/peterfoo:rwm"' \
@@ -147,7 +135,7 @@ EOF
 }
 
 @test "annotation should fail if one device is invalid" {
-	create_device_runtime
+	create_runtime_with_allowed_annotation "device" "io.kubernetes.cri-o.Devices"
 	start_crio
 
 	jq '      .annotations."io.kubernetes.cri-o.Devices" = "/dev/null:/dev/qifoo:rwm,/dove/null"' \