From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Tue, 17 Dec 2019 15:24:29 -0500
Subject: [PATCH] Add support for FIPS-Mode backends
If the host is running in FIPS mode, then RHEL 8.2 and later container images
will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
order to make all tools in the container follow the FIPS Mode rules.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
 run_linux.go           |  2 +-
 2 files changed, 39 insertions(+), 11 deletions(-)
diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go.1784950 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go.1784950	2020-02-19 16:11:04.224932088 +0100
+++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go	2020-02-19 16:11:04.226932116 +0100
@@ -148,12 +148,21 @@ func getMountsMap(path string) (string,
 }
 
 // SecretMounts copies, adds, and mounts the secrets to the container root filesystem
+// Deprecated, Please use SecretMountWithUIDGID
 func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
 	return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
 }
 
-// SecretMountsWithUIDGID specifies the uid/gid of the owner
-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
+// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
+// mountLabel: MAC/SELinux label for container content
+// containerWorkingDir: Private data for storing secrets on the host mounted in container.
+// mountFile: Additional mount points required for the container.
+// mountPoint: Container image mountpoint
+// uid: to assign to content created for secrets
+// gid: to assign to content created for secrets
+// rootless: indicates whether container is running in rootless mode
+// disableFips: indicates whether system should ignore fips mode
+func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
 	var (
 		secretMounts []rspec.Mount
 		mountFiles   []string
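Review bot: The deprecation marker added as `// Deprecated, Please use SecretMountWithUIDGID` is not in the form Go tooling recognises and names a function that does not exist — the replacement declared just below is `SecretMountsWithUIDGID`. Make it its own paragraph, `//` followed by `// Deprecated: use SecretMountsWithUIDGID instead.`, so staticcheck and godoc actually flag callers of the old entry point. The new `mountPoint: Container image mountpoint` doc line is terse for a parameter that later hunks use to stat and bind-mount paths from inside the image; `// mountPoint: host path where the container image's root filesystem is mounted; paths inside the image are resolved under it` says what callers must pass. The function body continues past the end of the hunk.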
@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel,
 	}
 	for _, file := range mountFiles {
 		if _, err := os.Stat(file); err == nil {
-			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
+			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
 			if err != nil {
 				logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
 			}
@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel,
 	// Add FIPS mode secret if /etc/system-fips exists on the host
 	_, err := os.Stat("/etc/system-fips")
 	if err == nil {
-		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
+		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
 			logrus.Errorf("error adding FIPS mode secret to container: %v", err)
 		}
 	} else if os.IsNotExist(err) {
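Review bot: On the new `addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid)` call the error is only logged with `logrus.Errorf` and setup continues, so on a FIPS-mode host a failure to mount the policy back-ends produces a container running with its default, non-FIPS crypto policy and nothing but a log line to show it — a fail-open. SecretMountsWithUIDGID returns only the mount slice, so propagating the error is an interface change; at minimum make the consequence explicit, e.g. `logrus.Errorf("error adding FIPS mode secret to container; container will not run with the FIPS crypto policy: %v", err)`, and consider a follow-up that surfaces the failure to the caller. Presumably `/etc/system-fips` is the intended host marker, but the kernel's `/proc/sys/crypto/fips_enabled` is generally the authoritative FIPS signal on RHEL 8 — worth confirming whether it should be checked as well. The enclosing function starts before this hunk.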
@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid in
 
 // addSecretsFromMountsFile copies the contents of host directory to container directory
 // and returns a list of mounts
-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
+func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
 	var mounts []rspec.Mount
 	defaultMountsPaths := getMounts(filePath)
 	for _, path := range defaultMountsPaths {
@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath,
 		}
 
 		m := rspec.Mount{
-			Source:      filepath.Join(mountPrefix, ctrDirOrFile),
+			Source:      ctrDirOrFileOnHost,
 			Destination: ctrDirOrFile,
 			Type:        "bind",
 			Options:     []string{"bind", "rprivate"},
@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath,
 // root filesystem if /etc/system-fips exists on hosts.
 // This enables the container to be FIPS compliant and run openssl in
 // FIPS mode as the host is also in FIPS mode.
-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
 	secretsDir := "/run/secrets"
 	ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
 	if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
 		if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
-			return errors.Wrapf(err, "making container directory on host failed")
+			return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
 		}
 		if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
-			return errors.Wrap(err, "error applying correct labels")
+			return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
 		}
 	}
 	fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.M
 
 	if !mountExists(*mounts, secretsDir) {
 		m := rspec.Mount{
-			Source:      filepath.Join(mountPrefix, secretsDir),
+			Source:      ctrDirOnHost,
 			Destination: secretsDir,
 			Type:        "bind",
 			Options:     []string{"bind", "rprivate"},
@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.M
 		*mounts = append(*mounts, m)
 	}
 
+	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+	destDir := "/etc/crypto-policies/back-ends"
+	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+	if _, err := os.Stat(srcOnHost); err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
+	}
+
+	if !mountExists(*mounts, destDir) {
+		m := rspec.Mount{
+			Source:      srcOnHost,
+			Destination: destDir,
+			Type:        "bind",
+			Options:     []string{"bind", "rprivate"},
+		}
+		*mounts = append(*mounts, m)
+	}
 	return nil
 }
 
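Review bot: The source path built on the new `srcOnHost := filepath.Join(mountPoint, srcBackendDir)` line lies inside the container image's rootfs, whose contents the image author controls, and both the `os.Stat` on it and the bind `Source` handed to the runtime follow symlinks on the host; if `usr/share/crypto-policies/back-ends/FIPS` in the image is a symlink to an absolute path, the stat succeeds against the host and the runtime can end up bind-mounting a host directory into the container at `/etc/crypto-policies/back-ends` whenever the host is in FIPS mode (exact behaviour depends on how the runtime resolves `Source`). Resolving the path with `filepath.EvalSymlinks` and refusing anything that does not stay under the resolved `mountPoint` closes that; a SecureJoin-style helper does the same more robustly if one is already vendored, and `strings` would need importing if it is not already. The error message on the `return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)` line also reports the wrong path — it should quote `srcOnHost`. addFIPSModeSecret begins in an earlier hunk, so the rest of its body is not visible here.
```go
	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
	destDir := "/etc/crypto-policies/back-ends"
	// The image controls everything under mountPoint, so resolve symlinks on the
	// host and refuse a path that escapes the rootfs before handing it to the runtime.
	srcOnHost, err := filepath.EvalSymlinks(filepath.Join(mountPoint, srcBackendDir))
	if err != nil {
		if os.IsNotExist(err) {
			return nil
		}
		return errors.Wrapf(err, "failed to resolve FIPS Backend directory %q", filepath.Join(mountPoint, srcBackendDir))
	}
	rootfs, err := filepath.EvalSymlinks(mountPoint)
	if err != nil {
		return errors.Wrapf(err, "failed to resolve container mountpoint %q", mountPoint)
	}
	if srcOnHost != rootfs && !strings.HasPrefix(srcOnHost, rootfs+string(os.PathSeparator)) {
		return errors.Errorf("FIPS Backend directory %q resolves outside the container rootfs", srcBackendDir)
	}
	// … unchanged: mountExists check and the bind mount of srcOnHost onto destDir …
```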
diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go.1784950 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go
--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go.1784950	2020-02-19 16:11:04.197931712 +0100
+++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go	2020-02-19 16:11:04.200931754 +0100
@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint
 	}
 
 	// Get the list of secrets mounts.
-	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
+	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
 
 	// Add temporary copies of the contents of volume locations at the
 	// volume locations, unless we already have something there.