aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2021-01-12 13:46:29 -0500
committerGitHub <noreply@github.com>2021-01-12 13:46:29 -0500
commitdb52828621261e631f6db3c1bcf17aa10b46bd48 (patch)
tree94688a647a85d9c479ccf49ec615492f9a52cd16
parentb5c8cee932e046d6b5df08a8d237ca9d838228f6 (diff)
parent020abbfeab3b3f3bc3b82edf1b9374b90d79ae91 (diff)
downloadpodman-db52828621261e631f6db3c1bcf17aa10b46bd48.tar.gz
podman-db52828621261e631f6db3c1bcf17aa10b46bd48.tar.bz2
podman-db52828621261e631f6db3c1bcf17aa10b46bd48.zip
Merge pull request #8946 from JAORMX/sec-errors
Expose security attribute errors with their own messages
-rw-r--r--libpod/define/errors.go13
-rw-r--r--libpod/oci_util.go12
2 files changed, 25 insertions, 0 deletions
diff --git a/libpod/define/errors.go b/libpod/define/errors.go
index b96d36429..568f8e88d 100644
--- a/libpod/define/errors.go
+++ b/libpod/define/errors.go
@@ -2,6 +2,7 @@ package define
import (
"errors"
+ "fmt"
)
var (
@@ -181,4 +182,16 @@ var (
// ErrNoNetwork indicates that a container has no net namespace, like network=none
ErrNoNetwork = errors.New("container has no network namespace")
+
+ // ErrSetSecurityAttribute indicates that a request to set a container's security attribute
+ // was not possible.
+ ErrSetSecurityAttribute = fmt.Errorf("%w: unable to assign security attribute", ErrOCIRuntime)
+
+ // ErrGetSecurityAttribute indicates that a request to get a container's security attribute
+ // was not possible.
+ ErrGetSecurityAttribute = fmt.Errorf("%w: unable to get security attribute", ErrOCIRuntime)
+
+ // ErrSecurityAttribute indicates that an error processing security attributes
+ // for the container
+ ErrSecurityAttribute = fmt.Errorf("%w: unable to process security attribute", ErrOCIRuntime)
)
diff --git a/libpod/oci_util.go b/libpod/oci_util.go
index 2ba85c4b3..d40cf13bd 100644
--- a/libpod/oci_util.go
+++ b/libpod/oci_util.go
@@ -126,5 +126,17 @@ func getOCIRuntimeError(runtimeMsg string) error {
}
return errors.Wrapf(define.ErrOCIRuntimeNotFound, "%s", strings.Trim(errStr, "\n"))
}
+ if match := regexp.MustCompile("`/proc/[a-z0-9-].+/attr.*`").FindString(runtimeMsg); match != "" {
+ errStr := match
+ if includeFullOutput {
+ errStr = runtimeMsg
+ }
+ if strings.HasSuffix(match, "/exec`") {
+ return errors.Wrapf(define.ErrSetSecurityAttribute, "%s", strings.Trim(errStr, "\n"))
+ } else if strings.HasSuffix(match, "/current`") {
+ return errors.Wrapf(define.ErrGetSecurityAttribute, "%s", strings.Trim(errStr, "\n"))
+ }
+ return errors.Wrapf(define.ErrSecurityAttribute, "%s", strings.Trim(errStr, "\n"))
+ }
return errors.Wrapf(define.ErrOCIRuntime, "%s", strings.Trim(runtimeMsg, "\n"))
}