summaryrefslogtreecommitdiff
path: root/pkg/specgen/security.go
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-04-15 14:28:53 -0700
committerGitHub <noreply@github.com>2020-04-15 14:28:53 -0700
commit0f7162d791076e736a7cee3a45051925fa4d0589 (patch)
tree10751bb96b17a98842fac1cfb4ee5c492064b161 /pkg/specgen/security.go
parent3500a8bc39bfc625444fb343a239d607604f06d6 (diff)
parentac94a96a74e63854ab492e35c6c5c26145a6674a (diff)
downloadpodman-0f7162d791076e736a7cee3a45051925fa4d0589.tar.gz
podman-0f7162d791076e736a7cee3a45051925fa4d0589.tar.bz2
podman-0f7162d791076e736a7cee3a45051925fa4d0589.zip
Merge pull request #5817 from rhatdan/selinux1
Fix up SELinux labeling
Diffstat (limited to 'pkg/specgen/security.go')
-rw-r--r--pkg/specgen/security.go46
1 files changed, 17 insertions, 29 deletions
diff --git a/pkg/specgen/security.go b/pkg/specgen/security.go
index 158e4a7b3..6f835eae4 100644
--- a/pkg/specgen/security.go
+++ b/pkg/specgen/security.go
@@ -1,32 +1,26 @@
package specgen
-// ToCreateOptions convert the SecurityConfig to a slice of container create
-// options.
-/*
-func (c *SecurityConfig) ToCreateOptions() ([]libpod.CtrCreateOption, error) {
- options := make([]libpod.CtrCreateOption, 0)
- options = append(options, libpod.WithSecLabels(c.LabelOpts))
- options = append(options, libpod.WithPrivileged(c.Privileged))
- return options, nil
-}
-*/
+import (
+ "github.com/containers/libpod/libpod"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/pkg/errors"
+)
// SetLabelOpts sets the label options of the SecurityConfig according to the
// input.
-/*
-func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidConfig, ipcConfig *IpcConfig) error {
- if c.Privileged {
- c.LabelOpts = label.DisableSecOpt()
+func (s *SpecGenerator) SetLabelOpts(runtime *libpod.Runtime, pidConfig Namespace, ipcConfig Namespace) error {
+ if !runtime.EnableLabeling() || s.Privileged {
+ s.SelinuxOpts = label.DisableSecOpt()
return nil
}
var labelOpts []string
- if pidConfig.PidMode.IsHost() {
+ if pidConfig.IsHost() {
labelOpts = append(labelOpts, label.DisableSecOpt()...)
- } else if pidConfig.PidMode.IsContainer() {
- ctr, err := runtime.LookupContainer(pidConfig.PidMode.Container())
+ } else if pidConfig.IsContainer() {
+ ctr, err := runtime.LookupContainer(pidConfig.Value)
if err != nil {
- return errors.Wrapf(err, "container %q not found", pidConfig.PidMode.Container())
+ return errors.Wrapf(err, "container %q not found", pidConfig.Value)
}
secopts, err := label.DupSecOpt(ctr.ProcessLabel())
if err != nil {
@@ -35,12 +29,12 @@ func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidCon
labelOpts = append(labelOpts, secopts...)
}
- if ipcConfig.IpcMode.IsHost() {
+ if ipcConfig.IsHost() {
labelOpts = append(labelOpts, label.DisableSecOpt()...)
- } else if ipcConfig.IpcMode.IsContainer() {
- ctr, err := runtime.LookupContainer(ipcConfig.IpcMode.Container())
+ } else if ipcConfig.IsContainer() {
+ ctr, err := runtime.LookupContainer(ipcConfig.Value)
if err != nil {
- return errors.Wrapf(err, "container %q not found", ipcConfig.IpcMode.Container())
+ return errors.Wrapf(err, "container %q not found", ipcConfig.Value)
}
secopts, err := label.DupSecOpt(ctr.ProcessLabel())
if err != nil {
@@ -49,13 +43,7 @@ func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidCon
labelOpts = append(labelOpts, secopts...)
}
- c.LabelOpts = append(c.LabelOpts, labelOpts...)
- return nil
-}
-*/
-
-// SetSecurityOpts the the security options (labels, apparmor, seccomp, etc.).
-func SetSecurityOpts(securityOpts []string) error {
+ s.SelinuxOpts = append(s.SelinuxOpts, labelOpts...)
return nil
}