github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

bump selinux dep

Browse Source 
Includes fixes for the category range and mount labeling.

Signed-off-by: Michael Crosby <michael@thepasture.io>
This commit is contained in:
Michael Crosby 2020-06-15 15:15:35 -04:00
parent 6164822714
commit 713205b369
4 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
vendor.conf
View File

@ -1,6 +1,6 @@
# cri dependencies # cri dependencies
github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f
github.com/opencontainers/selinux v1.5.2 github.com/opencontainers/selinux bb88c45a3863dc4c38320d71b890bb30ef9feba4
github.com/tchap/go-patricia v2.2.6 github.com/tchap/go-patricia v2.2.6
# containerd dependencies # containerd dependencies

2
vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go generated vendored
View File

@ -73,9 +73,9 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
selinux.ReleaseLabel(processLabel) selinux.ReleaseLabel(processLabel)
} }
processLabel = pcon.Get() processLabel = pcon.Get()
mountLabel = mcon.Get()
selinux.ReserveLabel(processLabel) selinux.ReserveLabel(processLabel)
} }
mountLabel = mcon.Get()
} }
return processLabel, mountLabel, nil return processLabel, mountLabel, nil
} }

8
vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go generated vendored
View File

@ -31,6 +31,9 @@ const (
// Disabled constant to indicate SELinux is disabled // Disabled constant to indicate SELinux is disabled
Disabled = -1 Disabled = -1
// DefaultCategoryRange is the upper bound on the category range
DefaultCategoryRange = uint32(1024)
contextFile = "/usr/share/containers/selinux/contexts" contextFile = "/usr/share/containers/selinux/contexts"
selinuxDir = "/etc/selinux/" selinuxDir = "/etc/selinux/"
selinuxConfig = selinuxDir + "config" selinuxConfig = selinuxDir + "config"
@ -57,6 +60,9 @@ var (
// InvalidLabel is returned when an invalid label is specified. // InvalidLabel is returned when an invalid label is specified.
InvalidLabel = errors.New("Invalid Label") InvalidLabel = errors.New("Invalid Label")
// CategoryRange allows the upper bound on the category range to be adjusted
CategoryRange = DefaultCategoryRange
assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`) assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
roFileLabel string roFileLabel string
state = selinuxState{ state = selinuxState{
@ -790,7 +796,7 @@ func ContainerLabels() (processLabel string, fileLabel string) {
func addMcs(processLabel, fileLabel string) (string, string) { func addMcs(processLabel, fileLabel string) (string, string) {
scon, _ := NewContext(processLabel) scon, _ := NewContext(processLabel)
if scon["level"] != "" { if scon["level"] != "" {
mcs := uniqMcs(1024) mcs := uniqMcs(CategoryRange)
scon["level"] = mcs scon["level"] = mcs
processLabel = scon.Get() processLabel = scon.Get()
scon, _ = NewContext(fileLabel) scon, _ = NewContext(fileLabel)

4
vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go generated vendored
View File

@ -13,6 +13,8 @@ const (
Permissive = 0 Permissive = 0
// Disabled constant to indicate SELinux is disabled // Disabled constant to indicate SELinux is disabled
Disabled = -1 Disabled = -1
// DefaultCategoryRange is the upper bound on the category range
DefaultCategoryRange = uint32(1024)
) )
var ( var (
@ -20,6 +22,8 @@ var (
ErrMCSAlreadyExists = errors.New("MCS label already exists") ErrMCSAlreadyExists = errors.New("MCS label already exists")
// ErrEmptyPath is returned when an empty path has been specified. // ErrEmptyPath is returned when an empty path has been specified.
ErrEmptyPath = errors.New("empty path") ErrEmptyPath = errors.New("empty path")
// CategoryRange allows the upper bound on the category range to be adjusted
CategoryRange = DefaultCategoryRange
) )
// Context is a representation of the SELinux label broken into 4 parts // Context is a representation of the SELinux label broken into 4 parts