summaryrefslogtreecommitdiff
path: root/cmd
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2019-01-18 15:01:53 -0500
committerDaniel J Walsh <dwalsh@redhat.com>2019-01-18 17:08:46 -0500
commit8cf929c0950e985880b268ae4c8ad08d98bc4073 (patch)
treec7cdbd76bed38d32073a91913f5fda37630ef197 /cmd
parent37002ad549fc6bd5dd7cb126433d3a9580451a70 (diff)
downloadpodman-8cf929c0950e985880b268ae4c8ad08d98bc4073.tar.gz
podman-8cf929c0950e985880b268ae4c8ad08d98bc4073.tar.bz2
podman-8cf929c0950e985880b268ae4c8ad08d98bc4073.zip
Vendor in latest opencontainers/selinux
This will now verify labels passed in by the user. Will also prevent users from accidently relabeling their homedir. podman run -ti -v ~/home/user:Z fedora sh Is not a good idea. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd')
-rw-r--r--cmd/podman/create.go12
1 files changed, 10 insertions, 2 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 1aa3425a5..065d08df4 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -173,7 +173,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
if err != nil {
return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
}
- labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...)
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
}
if config.IpcMode.IsHost() {
@@ -183,7 +187,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
if err != nil {
return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
}
- labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...)
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
}
for _, opt := range securityOpts {