Podman ignores FIPS policy modifiers

[ihatethecloud]

podman/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go

Lines 347 to 395 in b5bfd72

	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
	destDir := "/etc/crypto-policies/back-ends"
	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
	if err := fileutils.Exists(srcOnHost); err != nil {
	if errors.Is(err, os.ErrNotExist) {
	return nil
	}
	return fmt.Errorf("FIPS Backend directory: %w", err)
	}
	if !mountExists(*mounts, destDir) {
	m := rspec.Mount{
	Source: srcOnHost,
	Destination: destDir,
	Type: "bind",
	Options: []string{"bind", "rprivate"},
	}
	*mounts = append(*mounts, m)
	}
	// Make sure we set the config to FIPS so that the container does not overwrite
	// /etc/crypto-policies/back-ends when crypto-policies-scripts is reinstalled.
	cryptoPoliciesConfigFile := filepath.Join(containerRunDir, "fips-config")
	file, err := os.Create(cryptoPoliciesConfigFile)
	if err != nil {
	return fmt.Errorf("creating fips config file in container for FIPS mode: %w", err)
	}
	defer file.Close()
	if _, err := file.WriteString("FIPS\n"); err != nil {
	return fmt.Errorf("writing fips config file in container for FIPS mode: %w", err)
	}
	if err = label.Relabel(cryptoPoliciesConfigFile, mountLabel, false); err != nil {
	return fmt.Errorf("applying correct labels on fips-config file: %w", err)
	}
	if err := file.Chown(uid, gid); err != nil {
	return fmt.Errorf("chown fips-config file: %w", err)
	}
	policyConfig := "/etc/crypto-policies/config"
	if !mountExists(*mounts, policyConfig) {
	m := rspec.Mount{
	Source: cryptoPoliciesConfigFile,
	Destination: policyConfig,
	Type: "bind",
	Options: []string{"bind", "rprivate"},
	}
	*mounts = append(*mounts, m)
	}
	return nil

podman-4.9.4-1 on almalinux 8.10

If the user has a crypto-policy modifier there is no way for him to have it inside the container.

1 - Create a policy modifier

/usr/share/crypto-policies/policies/modules/TEST-MOD.pmod
cipher = -AES-256-CBC

2 - Activate the policy

update-crypto-policies --set FIPS:TEST-MOD

3 - Reboot
4 - Check crypto-policy

cat /etc/crypto-policies/config
FIPS:TEST-MOD

5 - Check inside container

podman run --rm --it almalinux:8.9 cat /etc/crypto-policies/config
FIPS

6 - Try with bind volume

podman run --rm -v /etc/crypto-policies/:/etc/crypto-policies/ --it almalinux:8.9 cat /etc/crypto-policies/config
FIPS

[rhatdan]

$ cat /tmp/crypto-policies/config
FIPS:TEST-MOD
$ podman run --rm -v /tmp/crypto-policies:/etc/crypto-policies:Z -it almalinux:8.9 cat /etc/crypto-policies/config
FIPS
$ podman run --rm -v /tmp/crypto-policies/config:/etc/crypto-policies/config:Z -it almalinux:8.9 cat /etc/crypto-policies/config
FIPS:TEST-MOD

You would like to change the check in podman/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go

To also check if /etc/crypto-policies is a mount point?

[ihatethecloud]

It would be ideal if podman gives way to bind volumes instead of enforcing the crypto-policy without modifiers.

[ihatethecloud]

As a work around I recompiled podman without the code which enforces fips on the container. Mounting /etc/crypto-policies with bind volumes works really good.

@rhatdan: Can we expect a solution to the discussion in matter?

[rhatdan]

Interested in opening a PR?