verify selinux level format

Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
Yanqiang Miao
2018-08-08 17:32:01 +08:00
parent c9d6151526
commit 415727cd9f
2 changed files with 98 additions and 3 deletions


@@ -21,6 +21,7 @@ import (
"fmt"
"path"
"path/filepath"
"regexp"
"strconv"
"strings"
@@ -375,6 +376,12 @@ func initSelinuxOpts(selinuxOpt *runtime.SELinuxOption) (string, string, error)
return "", "", nil
}
// make sure the format of "level" is correct.
ok, err := checkSelinuxLevel(selinuxOpt.GetLevel())
if err != nil || !ok {
return "", "", err
}
labelOpts := fmt.Sprintf("%s:%s:%s:%s",
selinuxOpt.GetUser(),
selinuxOpt.GetRole(),
@@ -383,6 +390,14 @@ func initSelinuxOpts(selinuxOpt *runtime.SELinuxOption) (string, string, error)
return label.InitLabels(selinux.DupSecOpt(labelOpts))
}
func checkSelinuxLevel(level string) (bool, error) {
matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}((.c\d{1,4})?,c\d{1,4})*(.c\d{1,4})?(,c\d{1,4}(.c\d{1,4})?)*)?$`, level)
if err != nil || !matched {
return false, fmt.Errorf("the format of 'level' %q is not correct: %v", level, err)
}
return true, nil
}
// isInCRIMounts checks whether a destination is in CRI mount list.
func isInCRIMounts(dst string, mounts []*runtime.Mount) bool {
for _, m := range mounts {
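Review bot: The three `.` separators in the `checkSelinuxLevel` pattern are unescaped, so each matches any character rather than the literal range dot; a constructed value such as `s0:c1:c2` passes the check and is then formatted into the colon-delimited label string given to `label.InitLabels`. Escape each occurrence, i.e. write `(\.c\d{1,4})` in place of `(.c\d{1,4})`, so that only `cN.cM` ranges and comma-separated categories are accepted. On a plain mismatch `err` is nil, so the returned message ends in `<nil>`; handle `err != nil` and `!matched` separately and leave `%v` out of the mismatch message. The pattern is also compiled on every call, so a package-level `regexp.MustCompile` would compile it once and surface a bad pattern at start-up. The test file from this commit is not visible here, so it is worth confirming it includes negative cases with a non-dot separator between categories.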