diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-04-15 14:28:53 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-15 14:28:53 -0700 |
commit | 0f7162d791076e736a7cee3a45051925fa4d0589 (patch) | |
tree | 10751bb96b17a98842fac1cfb4ee5c492064b161 /pkg/specgen/security.go | |
parent | 3500a8bc39bfc625444fb343a239d607604f06d6 (diff) | |
parent | ac94a96a74e63854ab492e35c6c5c26145a6674a (diff) | |
download | podman-0f7162d791076e736a7cee3a45051925fa4d0589.tar.gz podman-0f7162d791076e736a7cee3a45051925fa4d0589.tar.bz2 podman-0f7162d791076e736a7cee3a45051925fa4d0589.zip |
Merge pull request #5817 from rhatdan/selinux1
Fix up SELinux labeling
Diffstat (limited to 'pkg/specgen/security.go')
-rw-r--r-- | pkg/specgen/security.go | 46 |
1 files changed, 17 insertions, 29 deletions
diff --git a/pkg/specgen/security.go b/pkg/specgen/security.go index 158e4a7b3..6f835eae4 100644 --- a/pkg/specgen/security.go +++ b/pkg/specgen/security.go @@ -1,32 +1,26 @@ package specgen -// ToCreateOptions convert the SecurityConfig to a slice of container create -// options. -/* -func (c *SecurityConfig) ToCreateOptions() ([]libpod.CtrCreateOption, error) { - options := make([]libpod.CtrCreateOption, 0) - options = append(options, libpod.WithSecLabels(c.LabelOpts)) - options = append(options, libpod.WithPrivileged(c.Privileged)) - return options, nil -} -*/ +import ( + "github.com/containers/libpod/libpod" + "github.com/opencontainers/selinux/go-selinux/label" + "github.com/pkg/errors" +) // SetLabelOpts sets the label options of the SecurityConfig according to the // input. -/* -func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidConfig, ipcConfig *IpcConfig) error { - if c.Privileged { - c.LabelOpts = label.DisableSecOpt() +func (s *SpecGenerator) SetLabelOpts(runtime *libpod.Runtime, pidConfig Namespace, ipcConfig Namespace) error { + if !runtime.EnableLabeling() || s.Privileged { + s.SelinuxOpts = label.DisableSecOpt() return nil } var labelOpts []string - if pidConfig.PidMode.IsHost() { + if pidConfig.IsHost() { labelOpts = append(labelOpts, label.DisableSecOpt()...) - } else if pidConfig.PidMode.IsContainer() { - ctr, err := runtime.LookupContainer(pidConfig.PidMode.Container()) + } else if pidConfig.IsContainer() { + ctr, err := runtime.LookupContainer(pidConfig.Value) if err != nil { - return errors.Wrapf(err, "container %q not found", pidConfig.PidMode.Container()) + return errors.Wrapf(err, "container %q not found", pidConfig.Value) } secopts, err := label.DupSecOpt(ctr.ProcessLabel()) if err != nil { @@ -35,12 +29,12 @@ func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidCon labelOpts = append(labelOpts, secopts...) } - if ipcConfig.IpcMode.IsHost() { + if ipcConfig.IsHost() { labelOpts = append(labelOpts, label.DisableSecOpt()...) - } else if ipcConfig.IpcMode.IsContainer() { - ctr, err := runtime.LookupContainer(ipcConfig.IpcMode.Container()) + } else if ipcConfig.IsContainer() { + ctr, err := runtime.LookupContainer(ipcConfig.Value) if err != nil { - return errors.Wrapf(err, "container %q not found", ipcConfig.IpcMode.Container()) + return errors.Wrapf(err, "container %q not found", ipcConfig.Value) } secopts, err := label.DupSecOpt(ctr.ProcessLabel()) if err != nil { @@ -49,13 +43,7 @@ func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidCon labelOpts = append(labelOpts, secopts...) } - c.LabelOpts = append(c.LabelOpts, labelOpts...) - return nil -} -*/ - -// SetSecurityOpts the the security options (labels, apparmor, seccomp, etc.). -func SetSecurityOpts(securityOpts []string) error { + s.SelinuxOpts = append(s.SelinuxOpts, labelOpts...) return nil } |