Fix silent failures in SELinux enabled distros and when keyring is not available (#114)

In order for qubesome to work in environments where SELinux is enforced
the container execution needs to opt-out from SELinux. For profiles, it
is likely that this will be reverse once we ship a qubesome-specific
SELinux policy. For general workloads that is less likely.

This changes will also ensure that mtls data storage errors does not
cause a hard failure.

Author: pjbgf

internal/profiles/profiles.go

@@ -557,7 +557,8 @@ func createNewDisplay(bin string, ca, cert, key []byte, profile *types.Profile,
 		"-e", "Q_MTLS_CERT",
 		"-e", "Q_MTLS_KEY",
 		"--device", "/dev/dri",
-		"--security-opt=no-new-privileges:true",
+		"--security-opt=no-new-privileges=true",
+		"--security-opt=label=disable",
 		"--cap-drop=ALL",
 	}
 
@@ -687,7 +688,7 @@ func createNewDisplay(bin string, ca, cert, key []byte, profile *types.Profile,
 
 	err = storeMtlsData(profile.Name, string(ca), string(cert), string(key))
 	if err != nil {
-		return err
+		slog.Error("failed storing mtls data", "error", err)
 	}
 
 	output, err := cmd.CombinedOutput()

internal/runners/docker/run.go

@@ -60,6 +60,7 @@ func Run(ew types.EffectiveWorkload) error {
 		"--rm",
 		"-d",
 		"--security-opt=seccomp=unconfined",
+		"--security-opt=label=disable",
 		"--security-opt=no-new-privileges=true",
 	}
 
@@ -271,27 +272,16 @@ func Run(ew types.EffectiveWorkload) error {
 		// Since the implementation of mTLS, workloads granted mime handling
 		// need the mTLS creds so that they can communicate with the inception
 		// server.
-		ks := keyring.New(ew.Profile.Name, backend.New())
-		ca, err := ks.Get(keyring.MtlsCA)
-		if err != nil {
-			return err
-		}
 
-		cert, err := ks.Get(keyring.MtlsClientCert)
-		if err != nil {
-			return err
-		}
+		if ca, cert, key, ok := mtlsData(ew.Profile.Name); ok {
+			slog.Debug("mime access: enabled")
 
-		key, err := ks.Get(keyring.MtlsClientKey)
-		if err != nil {
-			return err
+			cmd.Env = append(os.Environ(), "Q_MTLS_CA="+ca)
+			cmd.Env = append(cmd.Env, "Q_MTLS_CERT="+cert)
+			cmd.Env = append(cmd.Env, "Q_MTLS_KEY="+key)
+		} else {
+			slog.Debug("mime access: skipped")
 		}
-
-		slog.Debug("enabling mime access")
-
-		cmd.Env = append(os.Environ(), "Q_MTLS_CA="+ca)
-		cmd.Env = append(cmd.Env, "Q_MTLS_CERT="+cert)
-		cmd.Env = append(cmd.Env, "Q_MTLS_KEY="+key)
 	}
 
 	cmd.Stderr = os.Stderr
@@ -301,6 +291,29 @@ func Run(ew types.EffectiveWorkload) error {
 	return cmd.Run()
 }
 
+func mtlsData(name string) (string, string, string, bool) {
+	ks := keyring.New(name, backend.New())
+	ca, err := ks.Get(keyring.MtlsCA)
+	if err != nil {
+		slog.Error("failed to fetch mtls-ca", "error", err)
+		return "", "", "", false
+	}
+
+	cert, err := ks.Get(keyring.MtlsClientCert)
+	if err != nil {
+		slog.Error("failed to fetch mtls-client-cert", "error", err)
+		return "", "", "", false
+	}
+
+	key, err := ks.Get(keyring.MtlsClientKey)
+	if err != nil {
+		slog.Error("failed to fetch mtls-client-key", "error", err)
+		return "", "", "", false
+	}
+
+	return ca, cert, key, true
+}
+
 func getHomeDir(image string) (string, error) {
 	args := []string{"run", "--rm", image, "ls", "/home"}
 

internal/runners/podman/run.go

@@ -61,6 +61,7 @@ func Run(ew types.EffectiveWorkload) error {
 		"-d",
 		"--security-opt=seccomp=unconfined",
 		"--security-opt=no-new-privileges=true",
+		"--security-opt=label=disable",
 		"--group-add=keep-groups",
 	}