Introduce container_write_proc_files interface (bsc#1253469) #416
Conversation
Reviewer's guide (collapsed on small PRs)Reviewer's GuideIntroduce a new SELinux interface to allow confined services (like account-utils) to write container /proc uid_map and gid_map files via the container-selinux policy. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
Summary of ChangesHello @ca-hu, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a new SELinux interface, Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a new SELinux interface, container_write_proc_files, to allow confined services to write to /proc/<pid>/uid_map and gid_map for container processes. While the new interface is useful, the permissions granted are overly broad, which could introduce security risks. I've suggested restricting the permissions to only what is necessary for the intended operation.
container.if
Outdated
| type container_runtime_t; | ||
| ') | ||
|
|
||
| allow $1 container_runtime_t:file write_file_perms; |
There was a problem hiding this comment.
The write_file_perms macro is overly permissive for the intended purpose of writing to uid_map and gid_map. It grants permissions like create, unlink, and rename, which could lead to unintended and potentially insecure operations on the /proc filesystem for the container runtime process. The linked account-utils code only requires open and write permissions. To follow the principle of least privilege, it's better to grant only the necessary permissions.
allow $1 container_runtime_t:file { open write };
ca-hu
force-pushed
the
account-utils-set-uidmap
branch
from
9c06175 to
4d92724
Compare
|
Tests failed. @containers/packit-build please check. |
lsm5
left a comment
lsm5
left a comment
There was a problem hiding this comment.
@ca-hu thanks for the PR. Change LGTM, but needs DCO, could you please signoff on the commit?
@rhatdan @haircommander PTAL.
| type container_runtime_t; | ||
| ') | ||
|
|
||
| allow $1 container_runtime_t:file { open write }; |
There was a problem hiding this comment.
the description seems to imply that this account-utils needs to run inside the container, but I'd xpect container_runtime_t to be used by an oci runtime tosetup for the container. can you explain the case a bit more to make sure we're targeting the right type?
There was a problem hiding this comment.
no, account-utils runs outside of the containers on the host and newidmapd is used to write to the /proc/<pid_of_container_runtime>/uid_map of the container runtime on the host for UID mapping between host and containers. and the /proc of the container runtime is labelled as container_runtime_t
account-utils needs to write /proc/<pid_of_containers>/uid_map and gid_map https://github.com/thkukuk/account-utils/blob/bf57c14f254570b4e5ad24925d8e481bff2ab828/src/newidmapd.c#L216 Signed-off-by: Cathy Hu <cathy.hu@suse.com>
ca-hu
force-pushed
the
account-utils-set-uidmap
branch
from
4d92724 to
c6349ab
Compare
|
Ephemeral COPR build failed. @containers/packit-build please check. |
2 similar comments
|
Ephemeral COPR build failed. @containers/packit-build please check. |
|
Ephemeral COPR build failed. @containers/packit-build please check. |
|
/packit build |
|
Tests failed. @containers/packit-build please check. |
|
LGTM @lsm5 are you worried about the fedora failures? |
looks like the ELN image changed the rootless user. Can be fixed elsewhere. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ca-hu, lsm5, sourcery-ai[bot] The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
wonder if something's wrong with mergebot. Alternatively, might be good to follow whatever podman's gonna do for mergebot replacement. |
|
@ca-hu would you like a new release cut right away? |
openshift-merge-bot
bot
merged commit d72cbcb
into
containers:main
sure if that is fine with you, thanks! |
|
/cherrypick rhaos-maint |
|
@lsm5: new pull request created: #418 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
4 participants
account-utils needs to write /proc/<pid_of_containers>/uid_map and gid_map.
We are currently working to confining three systemd services of account-utils in the openSUSE
policy (downstream of fedora policy) and this needs an interface from the container-selinux side.
Context:
Summary by Sourcery
New Features: