lsm: handle half initialized SELinux setups #1457

Merged
avagin merged 1 commit into checkpoint-restore:criu-dev from adrianreber:2021-04-27-selinux
May 8, 2021
@adrianreber
Member

CRIU used to check for the existence of /sys/fs/selinux to see if SELinux is enabled on a system. We have seen systems with SELinux kind of enabled but reading out the labels does not return real labels.

To work around this, this commit adds a check during LSM detection if SELinux labels are in the right format. For CRIU this check means to see if there are at least 3 ':' in a label. If not, CRIU switches to no LSM mode.

Fixes: #1402
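
The format check described in the PR text above, as an added example that is not part of this pull request or of CRIU's code. All type and function names are hypothetical, the sample labels are constructed, and rejecting empty fields is an extra assumption beyond the "at least 3 ':'" rule.

```c
#include <stdio.h>
#include <string.h>

/* All names here are hypothetical; none are taken from criu/lsm.c. */
enum lsm_mode { LSM_NONE, LSM_SELINUX };
struct selinux_ctx { char user[64], role[64], type[64], level[128]; };

/* Copy len bytes of src into dst; reject empty or oversized fields. */
static int copy_field(char *dst, size_t cap, const char *src, size_t len)
{
	if (len == 0 || len >= cap)
		return -1;
	memcpy(dst, src, len);
	dst[len] = '\0';
	return 0;
}

/* Split on the first three ':' only: an MLS level such as "s0:c1,c2"
 * has colons of its own, hence "at least 3" rather than "exactly 3". */
int parse_selinux_label(const char *label, struct selinux_ctx *out)
{
	const char *p1, *p2, *p3;
	if (!(p1 = strchr(label, ':')) || !(p2 = strchr(p1 + 1, ':')) ||
	    !(p3 = strchr(p2 + 1, ':')))
		return -1; /* fewer than 3 colons: not a real label */
	if (copy_field(out->user, sizeof(out->user), label, p1 - label) ||
	    copy_field(out->role, sizeof(out->role), p1 + 1, p2 - p1 - 1) ||
	    copy_field(out->type, sizeof(out->type), p2 + 1, p3 - p2 - 1) ||
	    copy_field(out->level, sizeof(out->level), p3 + 1, strlen(p3 + 1)))
		return -1;
	return 0;
}

/* selinuxfs existing is not enough; the label read back must parse too. */
enum lsm_mode detect_lsm(int selinuxfs_present, const char *own_label)
{
	struct selinux_ctx ctx;
	int ok = selinuxfs_present && parse_selinux_label(own_label, &ctx) == 0;
	return ok ? LSM_SELINUX : LSM_NONE;
}

int main(void)
{
	/* Constructed sample labels, not captured from a real system. */
	const char *s[] = { "kernel", "system_u:system_r:container_t:s0:c1,c2" };
	for (int i = 0; i < 2; i++)
		printf("%s -> %s\n", s[i], detect_lsm(1, s[i]) ? "selinux" : "no LSM");
	return 0;
}
```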

@codecov-commenter
codecov-commenter commented Apr 27, 2021

Codecov Report

Merging #1457 (5e90fdf) into criu-dev (6ac4c93) will decrease coverage by 0.10%.
The diff coverage is 0.00%.

@@             Coverage Diff              @@
##           criu-dev    #1457      +/-   ##
============================================
- Coverage     68.83%   68.72%   -0.11%     
============================================
  Files           133      133              
  Lines         32318    32327       +9     
============================================
- Hits          22245    22217      -28     
- Misses        10073    10110      +37     

| Impacted Files | Coverage Δ |
| --- | --- |
| criu/lsm.c | 29.62% <0.00%> (-1.34%) ⬇️ |
| criu/arch/x86/crtools.c | 65.39% <0.00%> (-4.10%) ⬇️ |
| compel/arch/x86/src/lib/cpu.c | 75.36% <0.00%> (-2.90%) ⬇️ |
| criu/uffd.c | 77.10% <0.00%> (-1.95%) ⬇️ |
| criu/arch/x86/cpu.c | 75.33% <0.00%> (-0.17%) ⬇️ |

@avagin avagin requested a review from Snorch April 28, 2021 05:16
CRIU used to check for the existence of /sys/fs/selinux to see if
SELinux is enabled on a system. We have seen systems with SELinux kind
of enabled but reading out the labels does not return real labels.

To work around this, this commit adds a check during LSM detection
if SELinux labels are in the right format. For CRIU this check means to
see if there are at least 3 ':' in a label. If not, CRIU switches to no
LSM mode.

Signed-off-by: Adrian Reber <areber@redhat.com>
@adrianreber adrianreber force-pushed the 2021-04-27-selinux branch from 8a4f723 to 5e90fdf Compare May 3, 2021 05:54
Contributor

@rajbhar rajbhar left a comment

Looks good to me.
Tested-by: Rajneesh Bhardwaj <rajneesh.bhardwaj@amd.com>

@avagin avagin merged commit c455c46 into checkpoint-restore:criu-dev May 8, 2021
@adrianreber adrianreber deleted the 2021-04-27-selinux branch April 17, 2023 06:26
Development

Successfully merging this pull request may close these issues.

criu/lsm.c:90: Invalid selinux context kernel