Pick up fix for CVE-2019-16884 in opencontainers/selinux
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
										18
									
								
								vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
									
									
									
							@@ -13,11 +13,12 @@ import (
 | 
			
		||||
 | 
			
		||||
// Valid Label Options
 | 
			
		||||
var validOptions = map[string]bool{
 | 
			
		||||
	"disable": true,
 | 
			
		||||
	"type":    true,
 | 
			
		||||
	"user":    true,
 | 
			
		||||
	"role":    true,
 | 
			
		||||
	"level":   true,
 | 
			
		||||
	"disable":  true,
 | 
			
		||||
	"type":     true,
 | 
			
		||||
	"filetype": true,
 | 
			
		||||
	"user":     true,
 | 
			
		||||
	"role":     true,
 | 
			
		||||
	"level":    true,
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together")
 | 
			
		||||
@@ -51,13 +52,16 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
 | 
			
		||||
				return "", mountLabel, nil
 | 
			
		||||
			}
 | 
			
		||||
			if i := strings.Index(opt, ":"); i == -1 {
 | 
			
		||||
				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
 | 
			
		||||
				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
 | 
			
		||||
			}
 | 
			
		||||
			con := strings.SplitN(opt, ":", 2)
 | 
			
		||||
			if !validOptions[con[0]] {
 | 
			
		||||
				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
 | 
			
		||||
				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
 | 
			
		||||
 | 
			
		||||
			}
 | 
			
		||||
			if con[0] == "filetype" {
 | 
			
		||||
				mcon["type"] = con[1]
 | 
			
		||||
			}
 | 
			
		||||
			pcon[con[0]] = con[1]
 | 
			
		||||
			if con[0] == "level" || con[0] == "user" {
 | 
			
		||||
				mcon[con[0]] = con[1]
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										33
									
								
								vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
									
									
									
							@@ -18,6 +18,8 @@ import (
 | 
			
		||||
	"strings"
 | 
			
		||||
	"sync"
 | 
			
		||||
	"syscall"
 | 
			
		||||
 | 
			
		||||
	"golang.org/x/sys/unix"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
const (
 | 
			
		||||
@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string {
 | 
			
		||||
	return filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
func isProcHandle(fh *os.File) (bool, error) {
 | 
			
		||||
	var buf unix.Statfs_t
 | 
			
		||||
	err := unix.Fstatfs(int(fh.Fd()), &buf)
 | 
			
		||||
	return buf.Type == unix.PROC_SUPER_MAGIC, err
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
func readCon(fpath string) (string, error) {
 | 
			
		||||
	if fpath == "" {
 | 
			
		||||
		return "", ErrEmptyPath
 | 
			
		||||
@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) {
 | 
			
		||||
	}
 | 
			
		||||
	defer in.Close()
 | 
			
		||||
 | 
			
		||||
	if ok, err := isProcHandle(in); err != nil {
 | 
			
		||||
		return "", err
 | 
			
		||||
	} else if !ok {
 | 
			
		||||
		return "", fmt.Errorf("%s not on procfs", fpath)
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	var retval string
 | 
			
		||||
	if _, err := fmt.Fscanf(in, "%s", &retval); err != nil {
 | 
			
		||||
		return "", err
 | 
			
		||||
@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error {
 | 
			
		||||
	}
 | 
			
		||||
	defer out.Close()
 | 
			
		||||
 | 
			
		||||
	if ok, err := isProcHandle(out); err != nil {
 | 
			
		||||
		return err
 | 
			
		||||
	} else if !ok {
 | 
			
		||||
		return fmt.Errorf("%s not on procfs", fpath)
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	if val != "" {
 | 
			
		||||
		_, err = out.Write([]byte(val))
 | 
			
		||||
	} else {
 | 
			
		||||
@@ -392,6 +412,14 @@ func SetExecLabel(label string) error {
 | 
			
		||||
	return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label)
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
/*
 | 
			
		||||
SetTaskLabel sets the SELinux label for the current thread, or an error.
 | 
			
		||||
This requires the dyntransition permission.
 | 
			
		||||
*/
 | 
			
		||||
func SetTaskLabel(label string) error {
 | 
			
		||||
	return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()), label)
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// SetSocketLabel takes a process label and tells the kernel to assign the
 | 
			
		||||
// label to the next socket that gets created
 | 
			
		||||
func SetSocketLabel(label string) error {
 | 
			
		||||
@@ -403,6 +431,11 @@ func SocketLabel() (string, error) {
 | 
			
		||||
	return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// PeerLabel retrieves the label of the client on the other side of a socket
 | 
			
		||||
func PeerLabel(fd uintptr) (string, error) {
 | 
			
		||||
	return unix.GetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERSEC)
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// SetKeyLabel takes a process label and tells the kernel to assign the
 | 
			
		||||
// label to the next kernel keyring that gets created
 | 
			
		||||
func SetKeyLabel(label string) error {
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										13
									
								
								vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
									
									
									
							@@ -96,6 +96,14 @@ func SetExecLabel(label string) error {
 | 
			
		||||
	return nil
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
/*
 | 
			
		||||
SetTaskLabel sets the SELinux label for the current thread, or an error.
 | 
			
		||||
This requires the dyntransition permission.
 | 
			
		||||
*/
 | 
			
		||||
func SetTaskLabel(label string) error {
 | 
			
		||||
        return nil
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
/*
 | 
			
		||||
SetSocketLabel sets the SELinux label that the kernel will use for any programs
 | 
			
		||||
that are executed by the current process thread, or an error.
 | 
			
		||||
@@ -109,6 +117,11 @@ func SocketLabel() (string, error) {
 | 
			
		||||
	return "", nil
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// PeerLabel retrieves the label of the client on the other side of a socket
 | 
			
		||||
func PeerLabel(fd uintptr) (string, error) {
 | 
			
		||||
	return "", nil
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// SetKeyLabel takes a process label and tells the kernel to assign the
 | 
			
		||||
// label to the next kernel keyring that gets created
 | 
			
		||||
func SetKeyLabel(label string) error {
 | 
			
		||||
 
 | 
			
		||||