
Commit 5bf8143

committed
Support label_users in buildah
Fixes: containers#6160. label_users tells buildah and podman to maintain the user and role from the SELinux label; the default is to change the user and role to system_u:system_r. With this change we end up with an unconfined_u user running the container as unconfined_u:unconfined_r. Signed-off-by: Daniel J Walsh <[email protected]>
1 parent 646fb21 commit 5bf8143


1 file changed

+32
-0
lines changed


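--- a/pkg/parse/parse.go
+++ b/pkg/parse/parse.go
@@ -35,6 +35,7 @@ import (
 	securejoin "github.com/cyphar/filepath-securejoin"
 	units "github.com/docker/go-units"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/openshift/imagebuilder"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -81,6 +82,25 @@ func CommonBuildOptions(c *cobra.Command) (*define.CommonBuildOptions, error) {
 	return CommonBuildOptionsFromFlagSet(c.Flags(), c.Flag)
 }
 
+// If user selected to run with currentLabelOpts then append on the current user and role
+func currentLabelOpts() ([]string, error) {
+	label, err := selinux.CurrentLabel()
+	if err != nil {
+		return nil, err
+	}
+	if label == "" {
+		return nil, nil
+	}
+	con, err := selinux.NewContext(label)
+	if err != nil {
+		return nil, err
+	}
+	return []string{
+		fmt.Sprintf("label=user:%s", con["user"]),
+		fmt.Sprintf("label=role:%s", con["role"]),
+	}, nil
+}
+
 // CommonBuildOptionsFromFlagSet parses the build options from the bud cli
 func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name string) *pflag.Flag) (*define.CommonBuildOptions, error) {
 	var (
@@ -201,6 +221,18 @@ func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name
 		OCIHooksDir: ociHooks,
 	}
 	securityOpts, _ := flags.GetStringArray("security-opt")
+	defConfig, err := config.Default()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get container config: %w", err)
+	}
+	if defConfig.Containers.EnableLabeledUsers {
+		defSecurityOpts, err := currentLabelOpts()
+		if err != nil {
+			return nil, err
+		}
+
+		securityOpts = append(defSecurityOpts, securityOpts...)
+	}
 	if err := parseSecurityOpts(securityOpts, commonOpts); err != nil {
 		return nil, err
 	}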
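Review bot: The doc comment on `currentLabelOpts` in the second hunk describes the caller's decision ("If user selected to run with ...") rather than what the function does, and it does not start with the function name; I would replace it with `// currentLabelOpts returns label=user: and label=role: security options taken from the process's current SELinux context, or nil when no label is set.`. In the third hunk the `label_users` defaults are prepended to the user's `--security-opt` values, so if parseSecurityOpts applies entries in order (it is not shown here) an explicit `label=user:`/`label=role:` from the command line still wins — that ordering is security-relevant and deserves a one-line comment on the `append` line, e.g. `// defaults first: explicit --security-opt label= entries override them`. The same hunk now calls `config.Default()` on every parse and turns a config-load failure into a hard error even when `label_users` is not enabled; if that is intended it is fine, but consider whether the load belongs only on the enabled path. The `defConfig, err :=` and inner `defSecurityOpts, err :=` declarations may shadow an `err` declared earlier in CommonBuildOptionsFromFlagSet, whose body starts and ends outside this hunk.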
