SELinux in enforcing mode breaks nested gVisor container

[apyrgio]

Problem

While debugging a Dangerzone 0.7.0 bug report on a Fedora 40 system (#871), we found out that SELinux in enforcing mode breaks the inner gVisor container that runs within the outer Podman container.

Original error

$ dangerzone-cli ~/Downloads/sample.pdf
[...]
[DEBUG] Marking doc qyU8c4 as 'converting'
[INFO] > /usr/bin/podman run --log-driver none --security-opt no-new-privileges --cap-drop all --cap-add SYS_CHROOT --network=none -u dangerzone --rm -i --name dangerzone-doc-to-pixels-qyU8c4 --userns nomap dangerzone.rocks/dangerzone /usr/bin/python3 -m dangerzone.conversion.doc_to_pixels
[ERROR] [doc qyU8c4] 0% Unspecified error
[DEBUG] Marking doc qyU8c4 as 'failed'

Output from Podman container with gVisor debug logging enabled

$ /usr/bin/podman run -e RUNSC_DEBUG=1 --log-driver none --security-opt no-new-privileges --cap-drop all --cap-add SYS_CHROOT --network=none -u dangerzone --rm -i --name dangerzone-doc-to-pixels-qyU8c4 --userns nomap dangerzone.rocks/dangerzone /usr/bin/python3 -m dangerzone.conversion.doc_to_pixels

8< ... snip ... >8

I0725 14:19:04.811776      20 main.go:197] **************** gVisor ****************
I0725 14:19:04.812445      20 boot.go:258] Setting product_name: "Standard PC (Q35 + ICH9, 2009)"
W0725 14:19:04.813081      20 specutils.go:129] noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.
I0725 14:19:04.813105      20 chroot.go:91] Setting up sandbox chroot in "/tmp"
W0725 14:19:04.813312      20 chroot.go:108] Failed to copy /etc/localtime: open /etc/localtime: no such file or directory. UTC timezone will be used.
I0725 14:19:04.813335      20 chroot.go:36] Mounting "/proc" at "/tmp/proc"
W0725 14:19:04.813394      20 util.go:64] FATAL ERROR: error setting up chroot: error remounting chroot in read-only: permission denied
error setting up chroot: error remounting chroot in read-only: permission denied
D0725 14:19:04.814640       7 sandbox.go:1278] Destroying sandbox "dangerzone"
D0725 14:19:04.814726       7 sandbox.go:1287] Killing sandbox "dangerzone"
D0725 14:19:04.814809       7 container.go:776] Destroy container, cid: dangerzone
D0725 14:19:04.814847       7 container.go:1087] Killing gofer for container, cid: dangerzone, PID: 15
W0725 14:19:04.814928       7 util.go:64] FATAL ERROR: running container: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF
running container: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF
W0725 14:19:04.815004       7 main.go:227] Failure to execute command, err: 1
gVisor quit with exit code: 128

SELinux denial taken from audit logs

Jul 25 17:51:56 10.0.2.15 audit[8164]: AVC avc: denied { mounton } for pid=8164 comm="exe" path="/proc/fs" dev="proc" ino=4026531847 scontext=system_u:system_r:container_t:s0:c139,c177 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0

Workarounds

We are currently aware of the following two workarounds:

1. Set SELinux to permissive mode: sudo setenforce Permissive
2. Disable SELinux labeling for the spawned Podman container with --security-opt label=disable (requires changes to Dangerzone code).

[apyrgio]

Proper solution

The workarounds we've mentioned above work, but each has their caveats:

1. Setting SELinux to permissive undermines the security of the whole system, just to run Dangerzone. Also, it requires a user action. For these two reasons, we don't plan to use it.
2. Using --security-opt label=disable disables SELinux protections for both the outer Podman container and inner gVisor container. Thankfully, gVisor adds its own, non-SELinux protections, but it would be nice to have the best of both worlds.

Let's try to find an alternative.

gVisor + SELinux

First of all, let's see what's the relationship between gVisor and SELinux.

From the get go, we see that any attempt to set an SELinux flag at the gVisor level will fail (possibly even label=disable edited: this particular option works):

	if len(spec.Process.SelinuxLabel) != 0 {
		return fmt.Errorf("SELinux is not supported: %s", spec.Process.SelinuxLabel)
	}

(from https://github.com/google/gvisor/blob/bbbecc35cc1ef0d2ec82db91a8178be958f3b783/runsc/specutils/specutils.go#L117-L119)

Futhermore, we see the following statement in google/gvisor#8957 (comment), where the original poster is bitten by a similar issue as ours:

As SELinux is not supported by gVisor, it's expected that it will crash on startup. While gVisor does check the runtime spec to see if SELinux is enabled, it does not check the system during runtime.

So, it doesn't seem we have too much leeway here.

Further exploration

We tried to see if we could label the outer container process with a more relaxed type label, that applies to proc_t filetypes. To do so, we listed the SELinux policies that allow the mounton action on proc_t filetypes, and filtered by those that apply to containers:

$ sesearch -t proc_t -p mounton -A | grep container_
allow container_engine_t filesystem_type:dir { mounton write };
allow container_engine_t filesystem_type:file mounton;
allow container_init_t proc_t:dir mounton;
allow container_kvm_t proc_t:dir mounton;
allow container_userns_t proc_t:dir mounton;

The original Podman container is labeled with container_t, which is not present in this list. Running the Podman container with container_engine_t type (i.e., with --security-opt label=type:container_engine_t) seems to do the job 🎉.

Note

Our cue for trying this is a similar workaround we saw in gVisor's issue tracker: google/gvisor#8747 (comment)

Is container_engine_t suitable for this use-case though? We looked into the file where it's defined (see container.te and the container_engine_t extra permissions), and saw the following:

container_engine_t is for running a container engine within a container

This is spot-on the thing we're doing here, running gVisor's runsc container engine within Podman's crun. This looks like a good match, and adds some assurances that things won't break in the future.

Future work

We could slim down the container_engine_t label further, by providing a Type Enforcement file (TE) that extends the container_t label with the bare minimum permissions to make gVisor work. There's prior work on how to do that (see "K3S SELinux" blog post), and it doesn't look too hard. However, this would have to happen in coordination with the gVisor team, to ensure that it doesn't break when something is added in runsc.

[EtiennePerot]

Wish I had seen this over the weekend. Glad it's figured out regardless. Yes, container_engine_t does sound like the right thing to use here.

[apyrgio]

Thanks for taking a look Etienne, it's good to know it makes sense to you as well.

[apyrgio]

Final note on the release plan for this patch. Because it strictly affects Fedora systems, and the change is a one-liner, we don't plan to release a new Dangerzone version (e.g., 0.7.1). Instead, we've decided to do the following:

• Cherry-pick this fix from the main branch into a hotfix-0.7.0 branch.
• Bump the patch level of the RPM spec from 1 to 2 in the hotfix branch, so that existing installations can be updated.
• Build the new Fedora RPMs, and test that they work in a Fedora system with SELinux in enforcing mode.
• Sign and publish the new Fedora RPMs in our yum-tools-prod repo.

This way, the next time Fedora users perform a dnf update, they will get a working Dangerzone version.