From 713205b3699426076c6f8234a89d27de8fe8d5d5 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Mon, 15 Jun 2020 15:15:35 -0400
Subject: [PATCH] bump selinux dep

Includes fixes for the category range and mount labeling.

Signed-off-by: Michael Crosby
---
 vendor.conf | 2 +-
 .../selinux/go-selinux/label/label_selinux.go | 2 +-
 .../opencontainers/selinux/go-selinux/selinux_linux.go | 8 +++++++-
 .../opencontainers/selinux/go-selinux/selinux_stub.go | 4 ++++
 4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/vendor.conf b/vendor.conf
index 16cdb53b3..564e13e7c 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -1,6 +1,6 @@
 # cri dependencies
 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f
-github.com/opencontainers/selinux v1.5.2
+github.com/opencontainers/selinux bb88c45a3863dc4c38320d71b890bb30ef9feba4
 github.com/tchap/go-patricia v2.2.6
 
 # containerd dependencies
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index 779e2e3a8..10ac15a85 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -73,9 +73,9 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
 selinux.ReleaseLabel(processLabel)
 }
 processLabel = pcon.Get()
- mountLabel = mcon.Get()
 selinux.ReserveLabel(processLabel)
 }
+ mountLabel = mcon.Get()
 }
 return processLabel, mountLabel, nil
 }
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 9c979e5e2..f22c04b6c 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -31,6 +31,9 @@ const (
 // Disabled constant to indicate SELinux is disabled
 Disabled = -1
 
+ // DefaultCategoryRange is the upper bound on the category range
+ DefaultCategoryRange = uint32(1024)
+
 contextFile = "/usr/share/containers/selinux/contexts"
 selinuxDir = "/etc/selinux/"
 selinuxConfig = selinuxDir + "config"
@@ -57,6 +60,9 @@ var (
 // InvalidLabel is returned when an invalid label is specified.
 InvalidLabel = errors.New("Invalid Label")
 
+ // CategoryRange allows the upper bound on the category range to be adjusted
+ CategoryRange = DefaultCategoryRange
+
 assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
 roFileLabel string
 state = selinuxState{
@@ -790,7 +796,7 @@ func ContainerLabels() (processLabel string, fileLabel string) {
 func addMcs(processLabel, fileLabel string) (string, string) {
 scon, _ := NewContext(processLabel)
 if scon["level"] != "" {
- mcs := uniqMcs(1024)
+ mcs := uniqMcs(CategoryRange)
 scon["level"] = mcs
 processLabel = scon.Get()
 scon, _ = NewContext(fileLabel)
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index f9f5e2061..c5fbba2fa 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -13,6 +13,8 @@ const (
 Permissive = 0
 // Disabled constant to indicate SELinux is disabled
 Disabled = -1
+ // DefaultCategoryRange is the upper bound on the category range
+ DefaultCategoryRange = uint32(1024)
 )
 
 var (
@@ -20,6 +22,8 @@ var (
 ErrMCSAlreadyExists = errors.New("MCS label already exists")
 // ErrEmptyPath is returned when an empty path has been specified.
 ErrEmptyPath = errors.New("empty path")
+ // CategoryRange allows the upper bound on the category range to be adjusted
+ CategoryRange = DefaultCategoryRange
 )
 
 // Context is a representation of the SELinux label broken into 4 parts