incusd: Set SELinux label on socket

Closes lxc#865 Signed-off-by: Stéphane Graber <[email protected]>
stgraber · May 23, 2024 · f4e79c0 · f4e79c0
1 parent 2fef41c
commit f4e79c0
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 7 deletions.
diff --git a/cmd/incusd/daemon.go b/cmd/incusd/daemon.go
@@ -1165,6 +1165,7 @@ func (d *Daemon) init() error {
 		RestServer:           restServer(d),
 		DevIncusServer:       devIncusServer(d),
 		LocalUnixSocketGroup: d.config.Group,
+		LocalUnixSocketLabel: "system_u:object_r:container_runtime_t:s0",
 		NetworkAddress:       localHTTPAddress,
 		ClusterAddress:       localClusterAddress,
 		DebugAddress:         debugAddress,

diff --git a/internal/server/endpoints/endpoints.go b/internal/server/endpoints/endpoints.go
@@ -42,6 +42,9 @@ type Config struct {
 	// string means "use the default".
 	LocalUnixSocketGroup string
 
+	// SELinux label to apply to the soecket.
+	LocalUnixSocketLabel string
+
 	// NetworkSetAddress sets the address for the network endpoint. If not
 	// set, the network endpoint won't be started (unless it's passed via
 	// socket-based activation).
@@ -195,9 +198,9 @@ func (e *Endpoints) up(config *Config) error {
 	} else {
 		e.listeners = map[kind]net.Listener{}
 
-		e.listeners[local], err = localCreateListener(config.UnixSocket, config.LocalUnixSocketGroup)
+		e.listeners[local], err = localCreateListener(config.UnixSocket, config.LocalUnixSocketGroup, config.LocalUnixSocketLabel)
 		if err != nil {
-			return fmt.Errorf("local endpoint: %w", err)
+			return fmt.Errorf("Local endpoint: %w", err)
 		}
 	}
 

diff --git a/internal/server/endpoints/local.go b/internal/server/endpoints/local.go
@@ -7,7 +7,7 @@ import (
 )
 
 // Create a new net.Listener bound to the unix socket of the local endpoint.
-func localCreateListener(path string, group string) (net.Listener, error) {
+func localCreateListener(path string, group string, label string) (net.Listener, error) {
 	err := CheckAlreadyRunning(path)
 	if err != nil {
 		return nil, err
@@ -23,7 +23,7 @@ func localCreateListener(path string, group string) (net.Listener, error) {
 		return nil, err
 	}
 
-	err = localSetAccess(path, group)
+	err = localSetAccess(path, group, label)
 	if err != nil {
 		_ = listener.Close()
 		return nil, err
@@ -35,7 +35,7 @@ func localCreateListener(path string, group string) (net.Listener, error) {
 // Change the file mode and ownership of the local endpoint unix socket file,
 // so access is granted only to the process user and to the given group (or the
 // process group if group is empty).
-func localSetAccess(path string, group string) error {
+func localSetAccess(path string, group string, label string) error {
 	err := socketUnixSetPermissions(path, 0660)
 	if err != nil {
 		return err
@@ -46,5 +46,10 @@ func localSetAccess(path string, group string) error {
 		return err
 	}
 
+	err = socketUnixSetLabel(path, label)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
diff --git a/internal/server/endpoints/local_test.go b/internal/server/endpoints/local_test.go
@@ -70,7 +70,7 @@ func TestEndpoints_LocalUnknownUnixGroup(t *testing.T) {
 	err := endpoints.Up(config)
 
 	assert.EqualError(
-		t, err, "local endpoint: cannot get group ID of 'xquibaz': group: unknown group xquibaz")
+		t, err, "Local endpoint: cannot get group ID of 'xquibaz': group: unknown group xquibaz")
 }
 
 // If another endpoint is already listening on the unix socket, an error is returned.
@@ -86,7 +86,7 @@ func TestEndpoints_LocalAlreadyRunning(t *testing.T) {
 	defer cleanup2()
 
 	err := endpoints2.Up(config2)
-	assert.EqualError(t, err, "local endpoint: Incus is already running")
+	assert.EqualError(t, err, "Local endpoint: Incus is already running")
 }
 
 // Create a UnixListener using a random and unique file name.

diff --git a/internal/server/endpoints/socket.go b/internal/server/endpoints/socket.go
@@ -6,11 +6,13 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"os/exec"
 	"os/user"
 	"strconv"
 
 	"github.com/lxc/incus/v6/client"
 	"github.com/lxc/incus/v6/shared/logger"
+	"github.com/lxc/incus/v6/shared/subprocess"
 	"github.com/lxc/incus/v6/shared/util"
 )
 
@@ -112,3 +114,22 @@ func socketUnixSetOwnership(path string, groupName string) error {
 
 	return nil
 }
+
+// Set the SELinux label on the socket.
+func socketUnixSetLabel(path string, label string) error {
+	// Skip if no label requested.
+	if label == "" {
+		return nil
+	}
+
+	// Check if chcon is installed.
+	_, err := exec.LookPath("chcon")
+	if err != nil {
+		return nil
+	}
+
+	// Attempt to apply (don't fail as kernel may not support it).
+	_, _ = subprocess.RunCommand("chcon", label, path)
+
+	return nil
+}