setup selinux labels for build containers

openshift · Oct 31, 2017 · f8c2cee · f8c2cee
1 parent 9d8e54a
commit f8c2cee
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 0 deletions.
diff --git a/pkg/build/builder/docker.go b/pkg/build/builder/docker.go
@@ -312,6 +312,13 @@ func (d *DockerBuilder) dockerBuild(dir string, tag string, secrets []buildapi.S
 	}
 	opts.NetworkMode = network
 	if len(resolvConfHostPath) != 0 {
+		label, err := getSELinuxLabel()
+		if err != nil {
+			return fmt.Errorf("could not retrieve selinux label due to error: %v", err)
+		}
+		if len(label) != 0 {
+			opts.SecurityOpt = []string{label}
+		}
 		opts.BuildBinds = fmt.Sprintf("[\"%s:/etc/resolv.conf\"]", resolvConfHostPath)
 	}
 	// Though we are capped on memory and cpu at the cgroup parent level,

diff --git a/pkg/build/builder/sti.go b/pkg/build/builder/sti.go
@@ -203,6 +203,13 @@ func (s *S2IBuilder) Build() error {
 	}
 
 	if len(resolvConfHostPath) != 0 {
+		label, err := getSELinuxLabel()
+		if err != nil {
+			return fmt.Errorf("could not retrieve selinux label due to error: %v", err)
+		}
+		if len(label) != 0 {
+			config.SecurityOpt = []string{label}
+		}
 		config.BuildVolumes = []string{fmt.Sprintf("%s:/etc/resolv.conf", resolvConfHostPath)}
 	}
 

diff --git a/pkg/build/builder/util_linux.go b/pkg/build/builder/util_linux.go
@@ -3,9 +3,11 @@
 package builder
 
 import (
+	"bufio"
 	"errors"
 	"fmt"
 	"os"
+	"regexp"
 	"strconv"
 
 	"github.com/google/cadvisor/container/crio"
@@ -15,6 +17,10 @@ import (
 	s2iapi "github.com/openshift/source-to-image/pkg/api"
 )
 
+var (
+	selinuxLabelPattern = regexp.MustCompile(`"system_u:object_r:container_file_t:(.*?)"`)
+)
+
 // getContainerNetworkConfig determines whether the builder is running as a container
 // by examining /proc/self/cgroup. This context is then passed to source-to-image.
 // It returns a suitable argument for NetworkMode.  If the container platform is
@@ -98,3 +104,25 @@ func getCgroupParent() (string, error) {
 	glog.V(6).Infof("found cgroup values map: %v", cgMap)
 	return extractParentFromCgroupMap(cgMap)
 }
+
+// getSELinuxLabel retrieves the selinux label associated w/ this container.
+func getSELinuxLabel() (string, error) {
+	f, err := os.Open("/proc/mounts")
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	s := bufio.NewScanner(f)
+
+	for s.Scan() {
+		if err := s.Err(); err != nil {
+			return "", err
+		}
+		if match := selinuxLabelPattern.FindStringSubmatch(s.Text()); match != nil {
+			glog.V(6).Infof("found selinux labels: %v", match[1])
+			return fmt.Sprintf("label=level:%s", match[1]), nil
+		}
+	}
+	glog.V(0).Infof("warning: unable to determine selinux labels from the build pod")
+	return "", nil
+}
diff --git a/pkg/build/builder/util_unsupported.go b/pkg/build/builder/util_unsupported.go
@@ -28,3 +28,8 @@ func GetCGroupLimits() (*s2iapi.CGroupLimits, error) {
 func getCgroupParent() (string, error) {
 	return "", errors.New("getCgroupParent is unsupported on this platform")
 }
+
+// getSELinuxLabel retrieves the selinux label associated w/ this container.
+func getSELinuxLabel() (string, error) {
+	return "", errors.New("getSELinuxLabel is unsupported on this platform")
+}