vendor: opencontainers/selinux v1.5.2

full diff: https://github.com/opencontainers/selinux/compare/v1.5.1...v1.5.2

- Implement FormatMountLabel unconditionally
  Implementing FormatMountLabel on situations built without selinux
  should be possible; the context will be ignored if no SELinux is available.
- Remove potential race condition, where mcs label is freed
  Theoretically if you do not change the MCS Label then we free it and two
  commands later reserve it. If some other process was grabbing MCS Labels
  at the same time, the other process could get the same label.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 2020-05-26 16:30:35 +02:00
parent e10e07b50e
commit 0b3c7e1479
No known key found for this signature in database
GPG Key ID: 76698F39D527CE8C
4 changed files with 32 additions and 30 deletions


@ -1,6 +1,6 @@
# cri dependencies # cri dependencies
github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f
github.com/opencontainers/selinux v1.5.1 github.com/opencontainers/selinux v1.5.2
github.com/tchap/go-patricia v2.2.6 github.com/tchap/go-patricia v2.2.6
# containerd dependencies # containerd dependencies


@ -1,6 +1,8 @@
package label package label
import ( import (
"fmt"
"github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux"
) )
@ -46,7 +48,7 @@ var PidLabel = selinux.PidLabel
// Init initialises the labeling system // Init initialises the labeling system
func Init() { func Init() {
selinux.GetEnabled() _ = selinux.GetEnabled()
} }
// ClearLabels will clear all reserved labels // ClearLabels will clear all reserved labels
@ -75,3 +77,21 @@ func ReleaseLabel(label string) error {
// can be used to set duplicate labels on future container processes // can be used to set duplicate labels on future container processes
// Deprecated: use selinux.DupSecOpt // Deprecated: use selinux.DupSecOpt
var DupSecOpt = selinux.DupSecOpt var DupSecOpt = selinux.DupSecOpt
// FormatMountLabel returns a string to be used by the mount command.
// The format of this string will be used to alter the labeling of the mountpoint.
// The string returned is suitable to be used as the options field of the mount command.
// If you need to have additional mount point options, you can pass them in as
// the first parameter. Second parameter is the label that you wish to apply
// to all content in the mount point.
func FormatMountLabel(src, mountLabel string) string {
if mountLabel != "" {
switch src {
case "":
src = fmt.Sprintf("context=%q", mountLabel)
default:
src = fmt.Sprintf("%s,context=%q", src, mountLabel)
}
}
return src
}
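Review bot: The doc comment on FormatMountLabel does not describe the two cases the body actually distinguishes: when mountLabel is empty, src is returned untouched, and when it is not, the label is inserted via `%q`, so a label containing a double quote or backslash is emitted with Go-style escapes that the mount option parser is not shown here to undo. Suggest appending `// If mountLabel is empty, src is returned unchanged.` and `// mountLabel is inserted with %q, so it should be a plain SELinux context string without quotes or backslashes.` to the comment. The function also does not check whether src already carries a `context=` option, so calling it twice on the same options string yields two context entries; that is worth a sentence in the comment if callers are expected to avoid it.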


@ -3,7 +3,6 @@
package label package label
import ( import (
"fmt"
"os" "os"
"os/user" "os/user"
"strings" "strings"
@ -43,7 +42,7 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
if err != nil { if err != nil {
return "", "", err return "", "", err
} }
mcsLevel := pcon["level"]
mcon, err := selinux.NewContext(mountLabel) mcon, err := selinux.NewContext(mountLabel)
if err != nil { if err != nil {
return "", "", err return "", "", err
@ -62,17 +61,22 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
} }
if con[0] == "filetype" { if con[0] == "filetype" {
mcon["type"] = con[1] mcon["type"] = con[1]
continue
} }
pcon[con[0]] = con[1] pcon[con[0]] = con[1]
if con[0] == "level" || con[0] == "user" { if con[0] == "level" || con[0] == "user" {
mcon[con[0]] = con[1] mcon[con[0]] = con[1]
} }
} }
if pcon.Get() != processLabel {
if pcon["level"] != mcsLevel {
selinux.ReleaseLabel(processLabel) selinux.ReleaseLabel(processLabel)
}
processLabel = pcon.Get() processLabel = pcon.Get()
mountLabel = mcon.Get() mountLabel = mcon.Get()
selinux.ReserveLabel(processLabel) selinux.ReserveLabel(processLabel)
} }
}
return processLabel, mountLabel, nil return processLabel, mountLabel, nil
} }
@ -82,24 +86,6 @@ func GenLabels(options string) (string, string, error) {
return InitLabels(strings.Fields(options)) return InitLabels(strings.Fields(options))
} }
// FormatMountLabel returns a string to be used by the mount command.
// The format of this string will be used to alter the labeling of the mountpoint.
// The string returned is suitable to be used as the options field of the mount command.
// If you need to have additional mount point options, you can pass them in as
// the first parameter. Second parameter is the label that you wish to apply
// to all content in the mount point.
func FormatMountLabel(src, mountLabel string) string {
if mountLabel != "" {
switch src {
case "":
src = fmt.Sprintf("context=%q", mountLabel)
default:
src = fmt.Sprintf("%s,context=%q", src, mountLabel)
}
}
return src
}
// SetFileLabel modifies the "path" label to the specified file label // SetFileLabel modifies the "path" label to the specified file label
func SetFileLabel(path string, fileLabel string) error { func SetFileLabel(path string, fileLabel string) error {
if !selinux.GetEnabled() || fileLabel == "" { if !selinux.GetEnabled() || fileLabel == "" {
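Review bot: The new guard `if pcon["level"] != mcsLevel {` around `selinux.ReleaseLabel(processLabel)` carries the whole point of the fix, but the reason lives only in the commit message; suggest the comment `// Only release the reserved label when the MCS level actually changed: releasing and immediately re-reserving the same level would let a concurrent caller obtain it in between.` above it. The `continue` added after `mcon["type"] = con[1]` also skips the `pcon[con[0]] = con[1]` assignment that follows, so a `filetype` option no longer reaches the process context; if that is intended, a one-line comment such as `// filetype applies to the mount context only` would make it explicit. InitLabels starts before and ends after this hunk, so the hunk does not show where mcsLevel's source, pcon, is built.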


@ -15,10 +15,6 @@ func GenLabels(options string) (string, string, error) {
return "", "", nil return "", "", nil
} }
func FormatMountLabel(src string, mountLabel string) string {
return src
}
func SetFileLabel(path string, fileLabel string) error { func SetFileLabel(path string, fileLabel string) error {
return nil return nil
} }