Add correct selinux label at plugin socket directory

vikaschoudhary16 · vikaschoudhary16 · commit 58d1b4d564df · 2019-05-18T12:35:17.000+05:30
diff --git a/pkg/kubelet/BUILD b/pkg/kubelet/BUILD
@@ -109,6 +109,7 @@ go_library(
         "//pkg/util/node:go_default_library",
         "//pkg/util/oom:go_default_library",
         "//pkg/util/removeall:go_default_library",
+        "//pkg/util/selinux:go_default_library",
         "//pkg/util/taints:go_default_library",
         "//pkg/volume:go_default_library",
         "//pkg/volume/csi:go_default_library",
diff --git a/pkg/kubelet/cm/devicemanager/BUILD b/pkg/kubelet/cm/devicemanager/BUILD
@@ -26,6 +26,7 @@ go_library(
         "//pkg/kubelet/metrics:go_default_library",
         "//pkg/kubelet/util/pluginwatcher:go_default_library",
         "//pkg/scheduler/nodeinfo:go_default_library",
+        "//pkg/util/selinux:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/resource:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
diff --git a/pkg/kubelet/cm/devicemanager/manager.go b/pkg/kubelet/cm/devicemanager/manager.go
@@ -42,6 +42,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/metrics"
 	watcher "k8s.io/kubernetes/pkg/kubelet/util/pluginwatcher"
 	schedulernodeinfo "k8s.io/kubernetes/pkg/scheduler/nodeinfo"
+	"k8s.io/kubernetes/pkg/util/selinux"
 )
 
 // ActivePodsFunc is a function that returns a list of pods to reconcile.
@@ -206,6 +207,11 @@ func (m *ManagerImpl) Start(activePods ActivePodsFunc, sourcesReady config.Sourc
 
 	socketPath := filepath.Join(m.socketdir, m.socketname)
 	os.MkdirAll(m.socketdir, 0755)
+	if selinux.SELinuxEnabled() {
+		if err := selinux.SetFileLabel(m.socketdir, config.KubeletPluginsDirSELinuxLabel); err != nil {
+			klog.Warningf("Unprivileged containerized plugins might not work. Could not set selinux context on %s: %v", m.socketdir, err)
+		}
+	}
 
 	// Removes all stale sockets in m.socketdir. Device plugins can monitor
 	// this and use it as a signal to re-register with the new Kubelet.
diff --git a/pkg/kubelet/config/defaults.go b/pkg/kubelet/config/defaults.go
@@ -26,4 +26,5 @@ const (
 	DefaultKubeletContainersDirName          = "containers"
 	DefaultKubeletPluginContainersDirName    = "plugin-containers"
 	DefaultKubeletPodResourcesDirName        = "pod-resources"
+	KubeletPluginsDirSELinuxLabel            = "system_u:object_r:container_file_t:s0"
 )
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
@@ -113,6 +113,7 @@ import (
 	"k8s.io/kubernetes/pkg/util/mount"
 	nodeutil "k8s.io/kubernetes/pkg/util/node"
 	"k8s.io/kubernetes/pkg/util/oom"
+	"k8s.io/kubernetes/pkg/util/selinux"
 	"k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/csi"
 	utilexec "k8s.io/utils/exec"
@@ -1225,6 +1226,8 @@ type Kubelet struct {
 // 4.  the pod-resources directory
 func (kl *Kubelet) setupDataDirs() error {
 	kl.rootDirectory = path.Clean(kl.rootDirectory)
+	pluginRegistrationDir := kl.getPluginsRegistrationDir()
+	pluginsDir := kl.getPluginsDir()
 	if err := os.MkdirAll(kl.getRootDir(), 0750); err != nil {
 		return fmt.Errorf("error creating root directory: %v", err)
 	}
@@ -1243,6 +1246,16 @@ func (kl *Kubelet) setupDataDirs() error {
 	if err := os.MkdirAll(kl.getPodResourcesDir(), 0750); err != nil {
 		return fmt.Errorf("error creating podresources directory: %v", err)
 	}
+	if selinux.SELinuxEnabled() {
+		err := selinux.SetFileLabel(pluginRegistrationDir, config.KubeletPluginsDirSELinuxLabel)
+		if err != nil {
+			klog.Warningf("Unprivileged containerized plugins might not work. Could not set selinux context on %s: %v", pluginRegistrationDir, err)
+		}
+		err = selinux.SetFileLabel(pluginsDir, config.KubeletPluginsDirSELinuxLabel)
+		if err != nil {
+			klog.Warningf("Unprivileged containerized plugins might not work. Could not set selinux context on %s: %v", pluginsDir, err)
+		}
+	}
 	return nil
 }
 
diff --git a/pkg/kubelet/kubelet_getters.go b/pkg/kubelet/kubelet_getters.go
@@ -159,6 +159,11 @@ func (kl *Kubelet) getPodResourcesDir() string {
 	return filepath.Join(kl.getRootDir(), config.DefaultKubeletPodResourcesDirName)
 }
 
+// getPluginsDirSELinuxLabel returns the selinux label to be applied on plugin directories
+func (kl *Kubelet) getPluginsDirSELinuxLabel() string {
+	return config.KubeletPluginsDirSELinuxLabel
+}
+
 // GetPods returns all pods bound to the kubelet and their spec, and the mirror
 // pods.
 func (kl *Kubelet) GetPods() []*v1.Pod {
diff --git a/pkg/util/selinux/selinux_linux.go b/pkg/util/selinux/selinux_linux.go
@@ -50,3 +50,8 @@ func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
 	}
 	return selinux.FileLabel(path)
 }
+
+// SetFileLabel applies the SELinux label on the path or returns an error.
+func SetFileLabel(path string, label string) error {
+	return selinux.SetFileLabel(path, label)
+}
diff --git a/pkg/util/selinux/selinux_unsupported.go b/pkg/util/selinux/selinux_unsupported.go
@@ -31,3 +31,8 @@ var _ SELinuxRunner = &realSELinuxRunner{}
 func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
 	return "", nil
 }
+
+// FileLabel returns the SELinux label for this path or returns an error.
+func SetFileLabel(path string, label string) error {
+	return nil
+}

Original file line number	Diff line number	Diff line change
`@@ -26,4 +26,5 @@ const (`
`26`	`26`	`DefaultKubeletContainersDirName = "containers"`
`27`	`27`	`DefaultKubeletPluginContainersDirName = "plugin-containers"`
`28`	`28`	`DefaultKubeletPodResourcesDirName = "pod-resources"`
	`29`	`+ KubeletPluginsDirSELinuxLabel = "system_u:object_r:container_file_t:s0"`
`29`	`30`	`)`
Original file line number	Diff line number	Diff line change
`@@ -50,3 +50,8 @@ func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {`
`50`	`50`	`}`
`51`	`51`	`return selinux.FileLabel(path)`
`52`	`52`	`}`
	`53`	`+`
	`54`	`+// SetFileLabel applies the SELinux label on the path or returns an error.`
	`55`	`+func SetFileLabel(path string, label string) error {`
	`56`	`+ return selinux.SetFileLabel(path, label)`
	`57`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -31,3 +31,8 @@ var _ SELinuxRunner = &realSELinuxRunner{}`
`31`	`31`	`func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {`
`32`	`32`	`return "", nil`
`33`	`33`	`}`
	`34`	`+`
	`35`	`+// FileLabel returns the SELinux label for this path or returns an error.`
	`36`	`+func SetFileLabel(path string, label string) error {`
	`37`	`+ return nil`
	`38`	`+}`