-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bad interaction between selinux and an APFS-backed directory shared over virtiofs #70
Comments
When sharing a directory between a linux guest and the macos host with virtiofs, the behaviour for setting xattrs on a read-only file inside the guest differs between the linux fs and the virtiofs share. For example, on a fedora coreos VM:
This is an issue as when using |
Can the return be changes to ENOSUP rather then EPERM? Podman and container tools now handle ENOSUP on :Z and :z gracefully. |
BTW It seems like the MAC version makes more sense then the Linux one. |
virtiofs is simply a passthrough filesystem. If MacOS host does not allow setfattr operation, it will return that error back to the client. So what you are seeing is not really related to virtiofs. Its just a setfattr behavior difference between macos and linux. I find it odd that one can set xattr on read-only file. Say I want to change selinux label of a read-only file so that a certain process can 't get access to it. How would I do that? My understanding of linux read-only mode is that it is about file data. You can't modify file's data. But it does not prohibit you from changing file's metadata. If you are trying to make metadata also immutable, I think that will be "immutable" file. And one can use "chattr" for that. So I would argue that tcalling it "virtio-fs limitation" is not the correct title for this issue. |
Testing this directly on the mac gives:
errno 13 is EACCES, not EPERM (errno 1)
|
is there a solution in mind? |
So far I was thinking that for this one we were highly dependent on Apple, but seeing these comments from Dan Walsh:
maybe podman could be changed to also ignore EACCES when doing these mappings? |
Can we check if the underlying file system is read-only? |
Why do you have read-only content in your homedir? |
is it not more than a little likely users will have this kind of thing whether they know it or not ? |
Well they have to have a read-only partition on their homedir, and they have to attempt to share it into a container which they want to trigger a relabel. The issue is there is not a clear place to say ignore the relabel on ENOACCESS, if the partition is mounted read-only on a virtiofsd. |
Files in |
Could you look at the labels of those files within the VM with a |
These read-only files exist on the macOS side, on the APFS filesystem it uses, they don't have any labels nor xattrs. podman-machine shares the full home directory over virtio-fs, and when the user of podman wants to expose one of these dirs in a container using |
I understand, the question is if they are not relabeled will they fail to be used within the Container, since SELinux will hit them with a permission denied when a process within a container attempts to read the content, If I know the label, then I can at least tell if SELinux will block reading. As far as the Relabel, we could change the code to only warn on failures to relabel, but this could get mighty noisy. |
@slp could you check if libkrun has the same problems? |
No, it doesn't. In the virtio-fs implementation in libkrun we deliberately exclude macOS from participating in file permission decisions by storing the permission and ownership bits from Linux PoV as extended attributes:
I'm afraid that if the virtio-fs implementation in vfkit tries to store the permission bits in Linux as actual permission bits in APFS we'll find plenty of corner cases like this, as the filesystem semantics between Linux and macOS aren't 1:1. Probably with libkrun we simply noticed those issues earlier because the root filesystem is also mounted via virtio-fs, so we already adopted this alternative strategy for storing the permission and ownership bits. |
Creating an issue for the record, when using virtio-fs:
xattr/setfattr
is working and persisted across reboots, but with one big caveat: on linux,security.selinux
is special, and can be set even on read-only files (0444 permissions). On macOS, this is not true, if the file is read-only,xattr
can't be used to set thesecurity.selinux
xattr.This causes issues with
podman-remote run -v /Users/teuf/some-folder:/some/path:Z
as this this involves somesetfattr
calls which failed (Error: error preparing container a1961ae610561be62638aef839ad9f7f2735a16f3fcf15ece95b09865167e415 for attach: setxattr /Users/teuf/dev/crc/.git/objects/00/63a6fe0324d63105a6649c0b46fb27ad767b17: permission denied
).To avoid this, the filesystem in the VM can be mounted with:
mount -t virtiofs -o context=system_u:object_r:container_file_t:s0
and the container started withpodman-remote run -v /Users/teuf/dev:/test --rm registry.access.redhat.com/ubi8 ls -alZ /test/crc
from macOSThe text was updated successfully, but these errors were encountered: