diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2019-01-18 15:01:53 -0500 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2019-01-18 17:08:46 -0500 |
commit | 8cf929c0950e985880b268ae4c8ad08d98bc4073 (patch) | |
tree | c7cdbd76bed38d32073a91913f5fda37630ef197 /cmd | |
parent | 37002ad549fc6bd5dd7cb126433d3a9580451a70 (diff) | |
download | podman-8cf929c0950e985880b268ae4c8ad08d98bc4073.tar.gz podman-8cf929c0950e985880b268ae4c8ad08d98bc4073.tar.bz2 podman-8cf929c0950e985880b268ae4c8ad08d98bc4073.zip |
Vendor in latest opencontainers/selinux
This will now verify labels passed in by the user.
Will also prevent users from accidently relabeling their homedir.
podman run -ti -v ~/home/user:Z fedora sh
Is not a good idea.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/podman/create.go | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go index 1aa3425a5..065d08df4 100644 --- a/cmd/podman/create.go +++ b/cmd/podman/create.go @@ -173,7 +173,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error { if err != nil { return errors.Wrapf(err, "container %q not found", config.PidMode.Container()) } - labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...) + secopts, err := label.DupSecOpt(ctr.ProcessLabel()) + if err != nil { + return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel()) + } + labelOpts = append(labelOpts, secopts...) } if config.IpcMode.IsHost() { @@ -183,7 +187,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error { if err != nil { return errors.Wrapf(err, "container %q not found", config.IpcMode.Container()) } - labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...) + secopts, err := label.DupSecOpt(ctr.ProcessLabel()) + if err != nil { + return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel()) + } + labelOpts = append(labelOpts, secopts...) } for _, opt := range securityOpts { |