applehv: Cannot relabel files without write permission on virtiofs

[tnk4on]

Issue Description

When trying to bind-mount files without write permission (e.g. .git/objects/pack/*) with :Z, Permission denied error occurs.

Steps to reproduce the issue

Steps to reproduce the issue

% mkdir test; cd test
% touch test.txt; chmod 444 test.txt
% podman run --rm -v $PWD:$PWD:Z -w $PWD ubi9/ubi ls -lZd test.txt
ls: cannot access 'test.txt': Permission denied
% podman machine ssh ls -lZd $PWD/test.txt
-r--r--r--. 1 core core system_u:object_r:unlabeled_t:s0 0 Jan 16 23:34 /Users/shtanaka/tmp/test/test.txt

Granting write permissions to a file can relabel it.

% chmod 644 test.txt
% podman run --rm -v $PWD:$PWD:Z -w $PWD ubi9/ubi ls -lZd test.txt
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0:c71,c271 0 Jan 16 14:35 test.txt
% podman machine ssh ls -lZd $PWD/test.txt
-rw-r--r--. 1 core core system_u:object_r:container_file_t:s0:c71,c271 0 Jan 16 23:35 /Users/shtanaka/tmp/test/test.txt

It is also relabelable on Podman machine (FCOS) file system, even read-only.

% podman machine ssh
core@localhost:~$ mkdir test; cd test
core@localhost:~/test$ touch test.txt; chmod 444 test.txt
core@localhost:~/test$ podman run --rm -v $PWD:$PWD:Z -w $PWD ubi9/ubi ls -lZd test.txt
-r--r--r--. 1 root root system_u:object_r:container_file_t:s0:c549,c572 0 Jan 16 14:42 test.txt
core@localhost:~/test$ ls -lZd test.txt
-r--r--r--. 1 core core system_u:object_r:container_file_t:s0:c549,c572 0 Jan 16 23:42 test.txt

Describe the results you received

ls: cannot access 'test.txt': Permission denied

Describe the results you expected

-r--r--r--. 1 root root system_u:object_r:container_file_t:s0:c71,c271 0 Jan 16 14:35 test.txt

podman info output

% podman info
host:
  arch: arm64
  buildahVersion: 1.33.2
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.8-2.fc39.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: '
  cpuUtilization:
    idlePercent: 99.97
    systemPercent: 0.01
    userPercent: 0.01
  cpus: 10
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: coreos
    version: "39"
  eventLogger: journald
  freeLocks: 2048
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
    uidmap:
    - container_id: 0
      host_id: 501
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
  kernel: 6.6.8-200.fc39.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 474877952
  memTotal: 4088643584
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.9.0-1.fc39.aarch64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.9.0
    package: netavark-1.9.0-1.fc39.aarch64
    path: /usr/libexec/podman/netavark
    version: netavark 1.9.0
  ociRuntime:
    name: crun
    package: crun-1.12-1.fc39.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.12
      commit: ce429cb2e277d001c2179df1ac66a470f00802ae
      rundir: /run/user/501/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231204.gb86afe3-1.fc39.aarch64
    version: |
      pasta 0^20231204.gb86afe3-1.fc39.aarch64-pasta
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/501/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc39.aarch64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 10h 33m 22.00s (Approximately 0.42 days)
  variant: v8
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphRootAllocated: 106769133568
  graphRootUsed: 4446789632
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 9
  runRoot: /run/user/501/containers
  transientStore: false
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 4.8.2
  Built: 1702300963
  BuiltTime: Mon Dec 11 22:22:43 2023
  GitCommit: ""
  GoVersion: go1.21.4
  Os: linux
  OsArch: linux/arm64
  Version: 4.8.2

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

% podman version
Client:       Podman Engine
Version:      5.0.0-dev
API Version:  5.0.0-dev
Go Version:   go1.21.5
Git Commit:   85921e5ff67d6b026ed31388e113ac13f8bd4885
Built:        Tue Jan 16 23:30:25 2024
OS/Arch:      darwin/arm64

Server:       Podman Engine
Version:      4.8.2
API Version:  4.8.2
Go Version:   go1.21.4
Built:        Mon Dec 11 22:22:43 2023
OS/Arch:      linux/arm64

% sw_vers
ProductName:		macOS
ProductVersion:		14.2.1
BuildVersion:		23C71

% vfkit -v
vfkit version: 0.5.0

% podman machine ls
NAME                     VM TYPE     CREATED       LAST UP            CPUS        MEMORY      DISK SIZE
test                     applehv     10 days ago   Currently running  5           2GiB        100GiB
podman-machine-default*  applehv     12 hours ago  Currently running  10          4GiB        100GiB

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[mheon]

@rhatdan PTAL

[rhatdan]

Could you show me the mounted file system within the linux box. Basically I want to see how $HOME is defined in Linux via the mount command.

mount

[rhatdan]

Ok I did it on my mac, and see that the content is labeled as unlabeled_t instead of the expected virtiofs_t.
I am in contact with the Red Hat SELinux team asking them about it.

I think for now the best we can do is disable SELinux separation for this container and then work to fix this. One option would be to ignore the error, but that might just cause further breakage. If I get the content labeled as virtiofs_t, then I could allow containers to read/write this content (virtiofs_t) always, probably via a boolean. I am not sure you are able to relabel read/only content anywhere inside of a VM. so this is a strange situation.

[tnk4on]

I searched and it seems to be the same problem as below.

crc-org/vfkit#70

[tnk4on]

As reported in this Issue(#21085), :Z is required to volume mount with applehv.
Also, it does not correctly create files in the mounted directory.

% mkdir test;cd test
% podman run --rm -v $PWD:$PWD:Z -w $PWD -it ubi9/ubi
[root@348321ce36c2 test]# touch test.txt
touch: cannot touch 'test.txt': Permission denied
[root@348321ce36c2 test]# ls -ldZ
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0:c916,c997 96 Jan 18 09:05 .
[root@348321ce36c2 test]# ls -ldZ test.txt
ls: cannot access 'test.txt': Permission denied
[root@348321ce36c2 test]# ls -l
ls: cannot access 'test.txt': Permission denied
total 0
-????????? ? ? ? ?            ? test.txt

[tnk4on]

In lima, the mount option sets the context of the /Users directory to nfs_t. This allows lima with virtiofs to bind mount without the :Z option.
https://github.com/lima-vm/lima/blob/305780647ef19a1a32af4bae29d8096de71f69fb/hack/test-selinux.sh#L15-L23

## When using vz & virtiofs, initially container_file_t selinux label
## was considered which works perfectly for container work loads
## but it might break for other work loads if the process is running with
## different label. Also these are the remote mounts from the host machine,
## so keeping the label as nfs_t fits right. Package container-selinux by
## default adds rules for nfs_t context which allows container workloads to work as well.
## https://github.com/lima-vm/lima/pull/1965

% limactl shell podman
[shtanaka@lima-podman tmp]$ mkdir test; cd test
[shtanaka@lima-podman test]$ touch test.txt; chmod 444 test.txt
[shtanaka@lima-podman test]$ podman run --rm -v $PWD:$PWD -w $PWD ubi9/ubi ls -lZd test.txt
-r--r--r--. 1 root root system_u:object_r:nfs_t:s0 0 Jan 18 13:40 test.txt
[shtanaka@lima-podman test]$ ls -ldZ $PWD
drwxr-xr-x. 3 shtanaka shtanaka system_u:object_r:nfs_t:s0 96 Jan 18 13:40 /Users/shtanaka/tmp/test

I'm not sure if this approach is correct, this at least fully works as expected.