github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #5507 from dims/bump-selinux-to-1.8.1

Browse Source 
Bump github.com/opencontainers/selinux from 1.8.0 to 1.8.1
This commit is contained in:
Akihiro Suda 2021-05-19 15:48:38 +09:00 committed by GitHub
commit cf7e0002cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 25 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
go.mod
View File

@ -42,7 +42,7 @@ require (
github.com/opencontainers/image-spec v1.0.1 github.com/opencontainers/image-spec v1.0.1
github.com/opencontainers/runc v1.0.0-rc94 github.com/opencontainers/runc v1.0.0-rc94
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/selinux v1.8.0 github.com/opencontainers/selinux v1.8.1
github.com/pelletier/go-toml v1.8.1 github.com/pelletier/go-toml v1.8.1
github.com/pkg/errors v0.9.1 github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.7.1 github.com/prometheus/client_golang v1.7.1

2
go.sum
View File

@ -353,6 +353,8 @@ github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.8.0 h1:+77ba4ar4jsCbL1GLbFL8fFM57w6suPfSS9PDLDY7KM= github.com/opencontainers/selinux v1.8.0 h1:+77ba4ar4jsCbL1GLbFL8fFM57w6suPfSS9PDLDY7KM=
github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo= github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
github.com/opencontainers/selinux v1.8.1 h1:yvEZh7CsfnJNwKzG9ZeXwbvR05RAZsu5RS/3vA6qFTA=
github.com/opencontainers/selinux v1.8.1/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
github.com/pelletier/go-toml v1.8.1 h1:1Nf83orprkJyknT6h7zbuEGUEjcyVlCxSUGTENmNCRM= github.com/pelletier/go-toml v1.8.1 h1:1Nf83orprkJyknT6h7zbuEGUEjcyVlCxSUGTENmNCRM=
github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=

4
vendor/github.com/opencontainers/selinux/go-selinux/doc.go generated vendored
View File

@ -1,10 +1,6 @@
/* /*
Package selinux provides a high-level interface for interacting with selinux. Package selinux provides a high-level interface for interacting with selinux.
This package uses a selinux build tag to enable the selinux functionality. This
allows non-linux and linux users who do not have selinux support to still use
tools that rely on this library.
Usage: Usage:
import "github.com/opencontainers/selinux/go-selinux" import "github.com/opencontainers/selinux/go-selinux"

5
vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go generated vendored
View File

@ -25,6 +25,8 @@ var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be use
// the container. A list of options can be passed into this function to alter // the container. A list of options can be passed into this function to alter
// the labels. The labels returned will include a random MCS String, that is // the labels. The labels returned will include a random MCS String, that is
// guaranteed to be unique. // guaranteed to be unique.
// If the disabled flag is passed in, the process label will not be set, but the mount label will be set
// to the container_file label with the maximum category. This label is not usable by any confined label.
func InitLabels(options []string) (plabel string, mlabel string, retErr error) { func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
if !selinux.GetEnabled() { if !selinux.GetEnabled() {
return "", "", nil return "", "", nil
@ -47,7 +49,8 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
} }
for _, opt := range options { for _, opt := range options {
if opt == "disable" { if opt == "disable" {
return "", mountLabel, nil selinux.ReleaseLabel(mountLabel)
return "", selinux.PrivContainerMountLabel(), nil
} }
if i := strings.Index(opt, ":"); i == -1 { if i := strings.Index(opt, ":"); i == -1 {
return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt) return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)

10
vendor/github.com/opencontainers/selinux/go-selinux/selinux.go generated vendored
View File

@ -11,9 +11,10 @@ const (
Permissive = 0 Permissive = 0
// Disabled constant to indicate SELinux is disabled // Disabled constant to indicate SELinux is disabled
Disabled = -1 Disabled = -1
// maxCategory is the maximum number of categories used within containers
maxCategory = 1024
// DefaultCategoryRange is the upper bound on the category range // DefaultCategoryRange is the upper bound on the category range
DefaultCategoryRange = uint32(1024) DefaultCategoryRange = uint32(maxCategory)
) )
var ( var (
@ -276,3 +277,8 @@ func DisableSecOpt() []string {
func GetDefaultContextWithLevel(user, level, scon string) (string, error) { func GetDefaultContextWithLevel(user, level, scon string) (string, error) {
return getDefaultContextWithLevel(user, level, scon) return getDefaultContextWithLevel(user, level, scon)
} }
// PrivContainerMountLabel returns mount label for privileged containers
func PrivContainerMountLabel() string {
return privContainerMountLabel
}

11
vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go generated vendored
View File

@ -892,13 +892,13 @@ func openContextFile() (*os.File, error) {
return os.Open(lxcPath) return os.Open(lxcPath)
} }
var labels = loadLabels() var labels, privContainerMountLabel = loadLabels()
func loadLabels() map[string]string { func loadLabels() (map[string]string, string) {
labels := make(map[string]string) labels := make(map[string]string)
in, err := openContextFile() in, err := openContextFile()
if err != nil { if err != nil {
return labels return labels, ""
} }
defer in.Close() defer in.Close()
@ -920,7 +920,10 @@ func loadLabels() map[string]string {
} }
} }
return labels con, _ := NewContext(labels["file"])
con["level"] = fmt.Sprintf("s0:c%d,c%d", maxCategory-2, maxCategory-1)
reserveLabel(con.get())
return labels, con.get()
} }
// kvmContainerLabels returns the default processLabel and mountLabel to be used // kvmContainerLabels returns the default processLabel and mountLabel to be used

2
vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go generated vendored
View File

@ -2,6 +2,8 @@
package selinux package selinux
const privContainerMountLabel = ""
func setDisabled() { func setDisabled() {
} }

2
vendor/modules.txt vendored
View File

@ -274,7 +274,7 @@ github.com/opencontainers/runc/libcontainer/user
# github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 # github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
## explicit ## explicit
github.com/opencontainers/runtime-spec/specs-go github.com/opencontainers/runtime-spec/specs-go
# github.com/opencontainers/selinux v1.8.0 # github.com/opencontainers/selinux v1.8.1
## explicit ## explicit
github.com/opencontainers/selinux/go-selinux github.com/opencontainers/selinux/go-selinux
github.com/opencontainers/selinux/go-selinux/label github.com/opencontainers/selinux/go-selinux/label