run: ensure that stdio pipes are labeled correctly

Label stdio pipes to ensure that processes we run can read through
/dev/stdin and write through the /dev/stdout and /dev/stderr links.

Signed-off-by: Nalin Dahyabhai <[email protected]>

Author: nalind

run_linux.go

@@ -863,6 +863,9 @@ func runUsingRuntime(isolation define.Isolation, options RunOptions, configureNe
 			if stdioPipe, err = runMakeStdioPipe(int(uid), int(gid)); err != nil {
 				return 1, err
 			}
+			if err = runLabelStdioPipes(stdioPipe, spec.Process.SelinuxLabel, spec.Linux.MountLabel); err != nil {
+				return 1, err
+			}
 			errorFds = []int{stdioPipe[unix.Stdout][0], stdioPipe[unix.Stderr][0]}
 			closeBeforeReadingErrorFds = []int{stdioPipe[unix.Stdout][1], stdioPipe[unix.Stderr][1]}
 			// Set stdio to our pipes.

selinux.go

@@ -3,8 +3,12 @@
 package buildah
 
 import (
+	"fmt"
+
 	"github.com/opencontainers/runtime-tools/generate"
 	selinux "github.com/opencontainers/selinux/go-selinux"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
 )
 
 func selinuxGetEnabled() bool {
@@ -17,3 +21,23 @@ func setupSelinux(g *generate.Generator, processLabel, mountLabel string) {
 		g.SetLinuxMountLabel(mountLabel)
 	}
 }
+
+func runLabelStdioPipes(stdioPipe [][]int, processLabel, mountLabel string) error {
+	if !selinuxGetEnabled() || processLabel == "" || mountLabel == "" {
+		// SELinux is completely disabled, or we're not doing anything at all with labeling
+		return nil
+	}
+	pipeContext, err := selinux.ComputeCreateContext(processLabel, mountLabel, "fifo_file")
+	if err != nil {
+		return errors.Wrapf(err, "computing file creation context for pipes")
+	}
+	const xattrNameSelinux = "security.selinux"
+	for i := range stdioPipe {
+		pipeFdName := fmt.Sprintf("/proc/self/fd/%d", stdioPipe[i][0])
+		// selinux.SetFileLabel() doesn't follow symlinks, but we need to do that here, so do it the hard way
+		if err := unix.Setxattr(pipeFdName, xattrNameSelinux, []byte(pipeContext), 0); err != nil {
+			return errors.Wrapf(err, "setting label")
+		}
+	}
+	return nil
+}

selinux_unsupported.go

@@ -12,3 +12,7 @@ func selinuxGetEnabled() bool {
 
 func setupSelinux(g *generate.Generator, processLabel, mountLabel string) {
 }
+
+func runLabelStdioPipes(stdioPipe [][]int, processLabel, mountLabel string) error {
+	return nil
+}

tests/bud.bats

@@ -7,6 +7,10 @@ load helpers
   expect_output --substring "non-directory/Dockerfile: not a directory"
 }
 
+@test "bud stdio is usable pipes" {
+  run_buildah build ${TESTSDIR}/bud/stdio
+}
+
 @test "bud with --dns* flags" {
   _prefetch alpine
   run_buildah build --dns-search=example.com --dns=223.5.5.5 --dns-option=use-vc  --signature-policy ${TESTSDIR}/policy.json -f ${TESTSDIR}/bud/dns/Dockerfile  ${TESTSDIR}/bud/dns

tests/bud/stdio/Dockerfile

@@ -0,0 +1,7 @@
+FROM alpine
+# Will stall if this is connected to a terminal, or fail if it's not readable
+RUN cat        /dev/stdin
+# Will fail if it's not writable
+RUN echo foo > /dev/stdout
+# Will fail if it's not writable
+RUN echo foo > /dev/stderr