update cri to 8448b92d23

This includes an update of the selinux package and the ability in the CRI configuration to set the upper bounds for the selinux category labels that are generated. Signed-off-by: Michael Crosby <michael@thepasture.io>
2020-07-23 17:11:18 -04:00
parent 1a571fcf1b
commit 3611efdcef
24 changed files with 1995 additions and 308 deletions
--- a/vendor/github.com/containerd/cri/pkg/config/config.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config.go
@@ -198,6 +198,9 @@ type PluginConfig struct {
 	StreamIdleTimeout string `toml:"stream_idle_timeout" json:"streamIdleTimeout"`
 	// EnableSelinux indicates to enable the selinux support.
 	EnableSelinux bool `toml:"enable_selinux" json:"enableSelinux"`
+	// SelinuxCategoryRange allows the upper bound on the category range to be set.
+	// If not specified or set to 0, defaults to 1024 from the selinux package.
+	SelinuxCategoryRange int `toml:"selinux_category_range" json:"selinuxCategoryRange"`
 	// SandboxImage is the image used by sandbox container.
 	SandboxImage string `toml:"sandbox_image" json:"sandboxImage"`
 	// StatsCollectPeriod is the period (in seconds) of snapshots stats collection.
--- a/vendor/github.com/containerd/cri/pkg/config/config_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config_unix.go
@@ -44,12 +44,13 @@ func DefaultConfig() PluginConfig {
 				},
 			},
 		},
-		DisableTCPService:   true,
-		StreamServerAddress: "127.0.0.1",
-		StreamServerPort:    "0",
-		StreamIdleTimeout:   streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
-		EnableSelinux:       false,
-		EnableTLSStreaming:  false,
+		DisableTCPService:    true,
+		StreamServerAddress:  "127.0.0.1",
+		StreamServerPort:     "0",
+		StreamIdleTimeout:    streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
+		EnableSelinux:        false,
+		SelinuxCategoryRange: 1024,
+		EnableTLSStreaming:   false,
 		X509KeyPairStreaming: X509KeyPairStreaming{
 			TLSKeyFile:  "",
 			TLSCertFile: "",
--- a/vendor/github.com/containerd/cri/pkg/server/service_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/service_unix.go
@@ -44,6 +44,9 @@ func (c *criService) initPlatform() error {
 		if !selinux.GetEnabled() {
 			logrus.Warn("Selinux is not supported")
 		}
+		if r := c.config.SelinuxCategoryRange; r > 0 {
+			selinux.CategoryRange = uint32(r)
+		}
 	} else {
 		selinux.SetDisabled()
 	}
--- a/vendor/github.com/containerd/cri/vendor.conf
+++ b/vendor/github.com/containerd/cri/vendor.conf
@@ -1,7 +1,8 @@
 # cri dependencies
 github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f
-github.com/opencontainers/selinux                   v1.5.1
+github.com/opencontainers/selinux                   v1.6.0
 github.com/tchap/go-patricia                        v2.2.6
+github.com/willf/bitset                             d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg

 # containerd dependencies
 github.com/beorn7/perks                             v1.0.1