vendor: opencontainers/selinux v1.5.2
full diff: https://github.com/opencontainers/selinux/compare/v1.5.1...v1.5.2

- Implement FormatMountLabel unconditionally
  Implementing FormatMountLabel on situations built without selinux should be possible; the context will be ignored if no SELinux is available.
- Remove potential race condition, where mcs label is freed
  Theoretically, if you do not change the MCS Label then we free it and two commands later reserve it. If some other process was grabbing MCS Labels at the same time, the other process could get the same label.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
34
vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
generated
vendored
@@ -3,7 +3,6 @@
|
||||
package label
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"os/user"
|
||||
"strings"
|
||||
@@ -43,7 +42,7 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
|
||||
mcsLevel := pcon["level"]
|
||||
mcon, err := selinux.NewContext(mountLabel)
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
@@ -62,16 +61,21 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
|
||||
}
|
||||
if con[0] == "filetype" {
|
||||
mcon["type"] = con[1]
|
||||
continue
|
||||
}
|
||||
pcon[con[0]] = con[1]
|
||||
if con[0] == "level" || con[0] == "user" {
|
||||
mcon[con[0]] = con[1]
|
||||
}
|
||||
}
|
||||
selinux.ReleaseLabel(processLabel)
|
||||
processLabel = pcon.Get()
|
||||
mountLabel = mcon.Get()
|
||||
selinux.ReserveLabel(processLabel)
|
||||
if pcon.Get() != processLabel {
|
||||
if pcon["level"] != mcsLevel {
|
||||
selinux.ReleaseLabel(processLabel)
|
||||
}
|
||||
processLabel = pcon.Get()
|
||||
mountLabel = mcon.Get()
|
||||
selinux.ReserveLabel(processLabel)
|
||||
}
|
||||
}
|
||||
return processLabel, mountLabel, nil
|
||||
}
|
||||
@@ -82,24 +86,6 @@ func GenLabels(options string) (string, string, error) {
|
||||
return InitLabels(strings.Fields(options))
|
||||
}
|
||||
|
||||
// FormatMountLabel returns a string to be used by the mount command.
|
||||
// The format of this string will be used to alter the labeling of the mountpoint.
|
||||
// The string returned is suitable to be used as the options field of the mount command.
|
||||
// If you need to have additional mount point options, you can pass them in as
|
||||
// the first parameter. Second parameter is the label that you wish to apply
|
||||
// to all content in the mount point.
|
||||
func FormatMountLabel(src, mountLabel string) string {
|
||||
if mountLabel != "" {
|
||||
switch src {
|
||||
case "":
|
||||
src = fmt.Sprintf("context=%q", mountLabel)
|
||||
default:
|
||||
src = fmt.Sprintf("%s,context=%q", src, mountLabel)
|
||||
}
|
||||
}
|
||||
return src
|
||||
}
|
||||
|
||||
// SetFileLabel modifies the "path" label to the specified file label
|
||||
func SetFileLabel(path string, fileLabel string) error {
|
||||
if !selinux.GetEnabled() || fileLabel == "" {
|
||||
|