
qm: add seccomp json also deny sched_setscheduler #362

Merged
merged 1 commit into from
Apr 16, 2024

Conversation

dougsland
Collaborator

@dougsland dougsland commented Apr 9, 2024

Patch originally from talk with @alexlarsson

@alexlarsson
Collaborator

Also I don't think this change is entirely right. By removing the ALLOW for setschedule you're triggering the default operation, which is return ENOSYS. I think the proper thing is to move the setschedule to the syscall list just above it that generates EPERM instead.

You can probably do this based on the original json with some creative use of jq.
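The move described above, as an added example in Python rather than jq (not the project's setup script and not code from this PR): take a host-style seccomp.json, drop the syscall from every SCMP_ACT_ALLOW group, and add it to the unconditional SCMP_ACT_ERRNO/EPERM group, so it returns EPERM instead of falling through to the profile's ENOSYS default. The embedded profile is a constructed, cut-down stand-in for the real containers-common file.

```python
import errno
import json

# Constructed, cut-down stand-in for the host's /usr/share/containers/seccomp.json;
# the real profile has the same shape (defaultAction plus "syscalls" groups) but many more names.
HOST_SECCOMP_JSON = """{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 38,
  "syscalls": [
    {"names": ["kexec_load", "reboot"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1},
    {"names": ["read", "write", "sched_setscheduler", "sched_getscheduler"],
     "action": "SCMP_ACT_ALLOW"}
  ]
}"""

def load_host_profile() -> dict:
    return json.loads(HOST_SECCOMP_JSON)

def deny_with_eperm(profile: dict, name: str) -> dict:
    """Copy of `profile` with `name` moved out of every SCMP_ACT_ALLOW group and into
    the unconditional SCMP_ACT_ERRNO/EPERM group (created if absent). Just deleting the
    ALLOW entry would fall through to defaultAction, i.e. ENOSYS here, not EPERM."""
    out = json.loads(json.dumps(profile))  # deep copy, leave the input untouched
    for group in out["syscalls"]:
        if group.get("action") == "SCMP_ACT_ALLOW":
            group["names"] = [n for n in group["names"] if n != name]
    # Reuse only an EPERM group without argument filters, so the denial is unconditional.
    target = next((g for g in out["syscalls"]
                   if g.get("action") == "SCMP_ACT_ERRNO"
                   and g.get("errnoRet") == errno.EPERM and not g.get("args")), None)
    if target is None:
        target = {"names": [], "action": "SCMP_ACT_ERRNO", "errnoRet": errno.EPERM}
        out["syscalls"].append(target)
    if name not in target["names"]:
        target["names"].append(name)
    return out

def action_for(profile: dict, name: str) -> tuple:
    """First-match lookup of what the profile does for `name`: (action, errnoRet).
    Simplified: ignores args/includes/excludes, which the constructed sample does not use."""
    for group in profile["syscalls"]:
        if name in group["names"]:
            return group["action"], group.get("errnoRet")
    return profile["defaultAction"], profile.get("defaultErrnoRet")

if __name__ == "__main__":
    host = load_host_profile()
    qm = deny_with_eperm(host, "sched_setscheduler")
    print("host:", action_for(host, "sched_setscheduler"))  # ('SCMP_ACT_ALLOW', None)
    print("qm:  ", action_for(qm, "sched_setscheduler"))    # ('SCMP_ACT_ERRNO', 1)
```

Writing `qm` out with `json.dump` gives the partition profile to pass via the quadlet's podman arguments; a call in the container then fails with EPERM ("Operation not permitted"), which is what the test program later in this thread checks for.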

@alexlarsson
Collaborator

Seems qm.service failed:

Job for qm.service failed because the control process exited with error code.
See "systemctl status qm.service" and "journalctl -xeu qm.service" for details.

I wonder what the error code is.

@dougsland dougsland force-pushed the seccomp branch 3 times, most recently from 21633e3 to 7769453 Compare April 11, 2024 19:38
@dougsland
Collaborator Author

I cannot see why it's failing in the CI systems (no systemctl status from QM); I will try to reproduce locally on CentOS.
cc @Yarboa

@dougsland dougsland force-pushed the seccomp branch 2 times, most recently from e05956b to 69ad2ec Compare April 15, 2024 03:42
@dougsland
Collaborator Author

dougsland commented Apr 15, 2024

Updated the patch; it seems related to ExecPreStart, and now I am getting the message below.

Apr 14 23:54:28 donald.medogz.local setroubleshoot[48705]: SELinux is preventing /usr/lib/systemd/systemd-update-utmp from map access on the file /usr/lib/systemd/systemd.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow any process to mmap any file on system with attribute file_type.
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.
You can read 'qm_selinux' man page for more details.
Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that systemd-update-utmp should be allowed map access on the systemd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-update-' --raw | audit2allow -M my-systemdupdate
# semodule -X 300 -i my-systemdupdate.pp

cc @rhatdan should we avoid this approach? I am trying to make sure that in a scenario where the containers-common package gets updated with new seccomp.json rules, we also update qm on a start/restart/reboot using ExecPreStart running the qm-seccomp tool, not only in the initial qm setup. Just a note: setting setenforce 0 makes qm start just fine.

@rhatdan
Member

rhatdan commented Apr 15, 2024

What are the AVC's you are seeing?

@dougsland
Collaborator Author

What are the AVC's you are seeing?

@rhatdan

# ausearch -m avc -ts recent
----
time->Mon Apr 15 09:37:03 2024
type=PROCTITLE msg=audit(1713188223.017:1564): proctitle="(null)"
type=SYSCALL msg=audit(1713188223.017:1564): arch=c000003e syscall=59 success=no exit=-13 a0=5556bf141690 a1=5556bf165110 a2=5556bf141a80 a3=0 items=0 ppid=52437 pid=52439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="init" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1713188223.017:1564): avc:  denied  { map } for  pid=52439 comm="init" path="/usr/lib/systemd/systemd" dev="dm-0" ino=136148725 scontext=system_u:system_r:qm_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
----
time->Mon Apr 15 09:37:03 2024
type=PROCTITLE msg=audit(1713188223.430:1573): proctitle="(null)"
type=SYSCALL msg=audit(1713188223.430:1573): arch=c000003e syscall=59 success=no exit=-13 a0=561697029730 a1=56169704d110 a2=561697029a80 a3=0 items=0 ppid=52507 pid=52509 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="init" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1713188223.430:1573): avc:  denied  { map } for  pid=52509 comm="init" path="/usr/lib/systemd/systemd" dev="dm-0" ino=136148725 scontext=system_u:system_r:qm_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
----
time->Mon Apr 15 09:37:03 2024
type=PROCTITLE msg=audit(1713188223.976:1581): proctitle="(null)"
type=SYSCALL msg=audit(1713188223.976:1581): arch=c000003e syscall=59 success=no exit=-13 a0=557b53827730 a1=557b5384b110 a2=557b53827a80 a3=0 items=0 ppid=52598 pid=52607 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="init" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1713188223.976:1581): avc:  denied  { map } for  pid=52607 comm="init" path="/usr/lib/systemd/systemd" dev="dm-0" ino=136148725 scontext=system_u:system_r:qm_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
----
time->Mon Apr 15 09:37:04 2024
type=PROCTITLE msg=audit(1713188224.437:1591): proctitle="(null)"
type=SYSCALL msg=audit(1713188224.437:1591): arch=c000003e syscall=59 success=no exit=-13 a0=5566efb14730 a1=5566efb38110 a2=5566efb14a80 a3=0 items=0 ppid=52716 pid=52718 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="init" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1713188224.437:1591): avc:  denied  { map } for  pid=52718 comm="init" path="/usr/lib/systemd/systemd" dev="dm-0" ino=136148725 scontext=system_u:system_r:qm_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
----
time->Mon Apr 15 09:37:04 2024
type=PROCTITLE msg=audit(1713188224.961:1598): proctitle="(null)"
type=SYSCALL msg=audit(1713188224.961:1598): arch=c000003e syscall=59 success=no exit=-13 a0=5632ba89e730 a1=5632ba8c2110 a2=5632ba89ea80 a3=0 items=0 ppid=52800 pid=52802 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="init" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1713188224.961:1598): avc:  denied  { map } for  pid=52802 comm="init" path="/usr/lib/systemd/systemd" dev="dm-0" ino=136148725 scontext=system_u:system_r:qm_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
[root@donald qm-0]#

@dougsland dougsland force-pushed the seccomp branch 2 times, most recently from 39b42aa to 778a97e Compare April 15, 2024 14:34
@dougsland
Collaborator Author

@Yarboa could be a cache in the CI/CD machines?

I see: ./usr/share/qm/seccomp/qm-seccomp, or am I looking at a different path?

# rpm2cpio qm-0-1.noarch.rpm | cpio -div
./usr/share/containers/systemd/qm.container
./usr/share/doc/qm
./usr/share/doc/qm/CODE-OF-CONDUCT.md
./usr/share/doc/qm/NOTICE
./usr/share/doc/qm/README.md
./usr/share/doc/qm/SECURITY.md
./usr/share/licenses/qm
./usr/share/licenses/qm/LICENSE
./usr/share/man/man8/qm.8.gz
./usr/share/man/man8/qm_selinux.8.gz
./usr/share/qm
./usr/share/qm/containers.conf
./usr/share/qm/contexts
./usr/share/qm/file_contexts
./usr/share/qm/seccomp/qm-seccomp
./usr/share/qm/setup
./usr/share/selinux
./usr/share/selinux/devel
./usr/share/selinux/devel/include
./usr/share/selinux/devel/include/services
./usr/share/selinux/devel/include/services/qm.if
./usr/share/selinux/packages
./usr/share/selinux/packages/qm.pp.bz2
164 blocks

@dougsland
Collaborator Author

Talked with @alexlarsson, no need to do this on the qm systemd unit. I will redo this part of the patch and update here.

@dougsland dougsland force-pushed the seccomp branch 2 times, most recently from 76ea5cf to 8d03a64 Compare April 15, 2024 20:00
@dougsland dougsland force-pushed the seccomp branch 9 times, most recently from 5539794 to 9a0b11c Compare April 15, 2024 23:58
Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com>
@dougsland dougsland changed the title [WIP] qm: add seccomp json also deny sched_setscheduler qm: add seccomp json also deny sched_setscheduler Apr 16, 2024
@dougsland
Collaborator Author

The solution works; without the patch I don't see the "Operation not permitted".

# podman exec -it qm bash
# ./test_program
Failed to set scheduler: Operation not permitted

The test program:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <errno.h>
#include <string.h>

int main(void) {
    pid_t pid = getpid();
    int policy = SCHED_FIFO;  // Desired scheduling policy
    struct sched_param param;

    // Assign the maximum priority for the SCHED_FIFO policy
    param.sched_priority = sched_get_priority_max(policy);
    if (param.sched_priority == -1) {
        fprintf(stderr, "Failed to get max priority for SCHED_FIFO: %s\n", strerror(errno));
        return EXIT_FAILURE;
    }

    // Attempt to set the scheduling policy and priority;
    // under the qm seccomp profile this fails with EPERM
    if (sched_setscheduler(pid, policy, &param) == -1) {
        fprintf(stderr, "Failed to set scheduler: %s\n", strerror(errno));
        return EXIT_FAILURE;
    }

    printf("Scheduler set to SCHED_FIFO with priority %d\n", param.sched_priority);
    return EXIT_SUCCESS;
}
```

@alexlarsson @rhatdan @Yarboa ready for review.

@dougsland
Collaborator Author

@rhatdan the selinux issue I shared seems related to trying to start the qm service without the setup 100% complete. I will create an issue. Thanks!

Collaborator

@Yarboa Yarboa left a comment


@dougsland
Did I get it right?
setup generates the qm partition seccomp.json based on the host seccomp.json.
Once created, the qm quadlet calls the qm partition seccomp.json in the podman args parameters.

@dougsland
Collaborator Author

@dougsland Did I get it right? setup generates the qm partition seccomp.json based on the host seccomp.json. Once created, the qm quadlet calls the qm partition seccomp.json in the podman args parameters.

correct.

@dougsland dougsland merged commit 70eb93e into containers:main Apr 16, 2024
7 checks passed