From 4d32fe99590dcc6e476aa8761f7f01cce94fe71b Mon Sep 17 00:00:00 2001 From: Darren Shepherd Date: Mon, 24 Feb 2020 13:13:59 -0700 Subject: [PATCH] Support SELinux --- Dockerfile.dapper | 5 ++++- pkg/agent/containerd/containerd.go | 7 +++++++ pkg/agent/containerd/selinux.go | 27 +++++++++++++++++++++++++++ pkg/agent/templates/templates.go | 2 ++ scripts/build | 8 +++++++- 5 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 pkg/agent/containerd/selinux.go diff --git a/Dockerfile.dapper b/Dockerfile.dapper index ae5d822705..ed23921724 100644 --- a/Dockerfile.dapper +++ b/Dockerfile.dapper @@ -3,7 +3,7 @@ FROM golang:1.13.8-alpine3.10 RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget ca-certificates jq linux-headers zlib-dev tar zip squashfs-tools npm coreutils \ python2 python3 py3-pip python3-dev openssl-dev libffi-dev libseccomp libseccomp-dev make libuv-static RUN pip3 install 'tox==3.6.0' -RUN apk -U --no-cache --repository http://dl-3.alpinelinux.org/alpine/edge/main/ add sqlite-dev sqlite-static +RUN apk -U --no-cache --repository http://dl-3.alpinelinux.org/alpine/edge/main/ add sqlite-dev sqlite-static libselinux libselinux-dev RUN mkdir -p /go/src/golang.org/x && \ cd /go/src/golang.org/x && git clone https://github.com/golang/tools && \ git -C /go/src/golang.org/x/tools checkout -b current aa82965741a9fecd12b026fbb3d3c6ed3231b8f8 && \ @@ -17,6 +17,9 @@ RUN if [ "${ARCH}" == "amd64" ]; then \ curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.15.0; \ fi +ARG SELINUX=true +ENV SELINUX $SELINUX + ARG DQLITE=true ENV DQLITE $DQLITE COPY --from=rancher/dqlite-build:v1.3.1-r1 /dist/artifacts /usr/src/ diff --git a/pkg/agent/containerd/containerd.go b/pkg/agent/containerd/containerd.go index 9c71e88f0a..ceb58ac39a 100644 --- a/pkg/agent/containerd/containerd.go +++ b/pkg/agent/containerd/containerd.go 
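Review bot: The `libselinux libselinux-dev` packages added on the changed RUN line are pulled from the Alpine edge/main repository over plain http with no version pin, so the libselinux that gets linked into the static binaries is whatever edge serves on the day of the build, with neither reproducibility nor transport integrity. The sqlite packages on the same line already had this property, but the new packages extend it to a library that decides how workloads get labeled. Consider pinning the versions, e.g. `apk ... add sqlite-dev sqlite-static libselinux=<version> libselinux-dev=<version>` with the placeholders filled from the tested build, and using the https mirror, or taking the packages from the pinned alpine3.10 release if they are available there.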
@@ -15,6 +15,7 @@ import ( "github.com/containerd/containerd/namespaces" "github.com/natefinch/lumberjack" "github.com/opencontainers/runc/libcontainer/system" + "github.com/pkg/errors" "github.com/rancher/k3s/pkg/agent/templates" util2 "github.com/rancher/k3s/pkg/agent/util" "github.com/rancher/k3s/pkg/daemons/config" @@ -170,6 +171,12 @@ func setupContainerdConfig(ctx context.Context, cfg *config.Node) error { PrivateRegistryConfig: privRegistries, } + selinux, err := selinuxEnabled() + if err != nil { + return errors.Wrap(err, "failed to detect selinux") + } + containerdConfig.SELinuxEnabled = selinux + containerdTemplateBytes, err := ioutil.ReadFile(cfg.Containerd.Template) if err == nil { logrus.Infof("Using containerd template at %s", cfg.Containerd.Template) diff --git a/pkg/agent/containerd/selinux.go b/pkg/agent/containerd/selinux.go new file mode 100644 index 0000000000..2ad2eeb9a8 --- /dev/null +++ b/pkg/agent/containerd/selinux.go @@ -0,0 +1,27 @@ +package containerd + +import ( + "github.com/opencontainers/selinux/go-selinux" +) + +const ( + SELinuxContextType = "container_runtime_t" +) + +func selinuxEnabled() (bool, error) { + if !selinux.GetEnabled() { + return false, nil + } + + label, err := selinux.CurrentLabel() + if err != nil { + return false, err + } + + ctx, err := selinux.NewContext(label) + if err != nil { + return false, err + } + + return ctx["type"] == SELinuxContextType, nil +} diff --git a/pkg/agent/templates/templates.go b/pkg/agent/templates/templates.go index a1d8940535..c340eea7ef 100644 --- a/pkg/agent/templates/templates.go +++ b/pkg/agent/templates/templates.go @@ -10,6 +10,7 @@ import ( type ContainerdConfig struct { NodeConfig *config.Node IsRunningInUserNS bool + SELinuxEnabled bool PrivateRegistryConfig *Registry } 
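Review bot: The outcome of `selinuxEnabled()` in the `@@ -170` hunk is never logged, so when SELinux is enforcing on the host but the agent is not running in the `container_runtime_t` domain (which selinux.go maps to `false, nil`), `enable_selinux` silently stays false and containerd runs workloads without SELinux labeling with nothing in the agent log to show it. Since logrus is already used on the following context line, add `logrus.Infof("SELinux support for containerd: %t", selinux)` right after `containerdConfig.SELinuxEnabled = selinux` so an operator can verify a node's confinement from the log. The wrapped error also means a failure of CurrentLabel/NewContext now aborts agent startup, which fails closed; that seems right but is worth saying in the message, e.g. `"failed to detect selinux; refusing to start containerd with an unknown label state"`. setupContainerdConfig continues outside the hunk.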
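Review bot: The exported `SELinuxContextType` constant and `selinuxEnabled` in the new selinux.go have no doc comments, and the contract is not obvious from the code: the function returns true only when SELinux is enabled on the host and this process's own label has type `container_runtime_t`, so a host with SELinux enforcing but k3s running unconfined or in another domain yields false rather than an error. Add `// selinuxEnabled reports whether containerd should label containers: SELinux must be enabled on the host and this process must itself run in the container_runtime_t domain, presumably as the sign that a matching policy is loaded.` above the function and `// SELinuxContextType is the SELinux type this process must run as for SELinux support to be turned on in containerd.` above the constant. It is also worth a word that `ctx["type"]` yields "" for a label without a type field, which simply makes the comparison false.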
@@ -20,6 +21,7 @@ const ContainerdConfigTemplate = ` [plugins.cri] stream_server_address = "127.0.0.1" stream_server_port = "10010" + enable_selinux = {{ .SELinuxEnabled }} {{- if .IsRunningInUserNS }} disable_cgroup = true diff --git a/scripts/build b/scripts/build index 72d3c07ece..0c6d7305dd 100755 --- a/scripts/build +++ b/scripts/build @@ -46,6 +46,12 @@ STATIC_SQLITE=" -extldflags '-static -lm -ldl -lz -lpthread $DQLITE_STATIC_SQLITE' " TAGS="ctrd apparmor seccomp no_btrfs netcgo osusergo providerless $DQLITE_TAGS" +RUNC_TAGS="apparmor seccomp" + +if [ "$SELINUX" = "true" ]; then + TAGS="$TAGS selinux" + RUNC_TAGS="$RUNC_TAGS selinux" +fi if [ "$STATIC_BUILD" != "true" ]; then STATIC=" @@ -109,7 +115,7 @@ ln -s containerd ./bin/ctr # echo Building containerd # CGO_ENABLED=0 go build -tags "$TAGS" -ldflags "$VERSIONFLAGS $LDFLAGS $STATIC" -o bin/containerd ./cmd/containerd/ echo Building runc -make EXTRA_LDFLAGS="-w -s" BUILDTAGS="apparmor seccomp" -C ./vendor/github.com/opencontainers/runc static +make EXTRA_LDFLAGS="-w -s" BUILDTAGS="$RUNC_TAGS" -C ./vendor/github.com/opencontainers/runc static cp -f ./vendor/github.com/opencontainers/runc/runc ./bin/runc echo Building containerd-shim
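Review bot: The new `enable_selinux = {{ .SELinuxEnabled }}` line only reaches nodes that use the built-in template; containerd.go in this same patch appears to prefer a user-supplied file at cfg.Containerd.Template when it can be read, and a custom template written before this change will not contain the line, so those nodes keep SELinux off in containerd even when `.SELinuxEnabled` is true. This deserves a note in the custom-template documentation, and a comment in the template source above the line such as `# enable_selinux is driven by ContainerdConfig.SELinuxEnabled; custom templates must set it themselves` so the dependency is visible where the field is consumed.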
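Review bot: The `selinux` tag in the `@@ -46` hunk is only added when `$SELINUX` is exactly `true`, and the variable is only defaulted in Dockerfile.dapper, so a build run outside dapper silently drops the tag; if go-selinux then compiles from its non-selinux stub (as I recall it does without that tag), `selinuxEnabled()` reports false at runtime and the resulting binary never labels containers, with no indication at build time. Add a line such as `echo "Building with SELINUX=${SELINUX:-unset} TAGS=$TAGS RUNC_TAGS=$RUNC_TAGS"` next to the existing `echo Building ...` lines so the build log records which variant was produced; the `@@ -109` hunk that consumes RUNC_TAGS is covered by the same line.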