diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2018-09-18 09:06:40 -0400 |
|---|---|---|
| committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-09-20 16:01:29 +0000 |
| commit | fbfcc7842e0e3361c53bc607411c200824c111b4 (patch) | |
| tree | 206996ea536a26ed17a8f79326a1e51041c4147f /pkg | |
| parent | 2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96 (diff) | |
| download | podman-fbfcc7842e0e3361c53bc607411c200824c111b4.tar.gz podman-fbfcc7842e0e3361c53bc607411c200824c111b4.tar.bz2 podman-fbfcc7842e0e3361c53bc607411c200824c111b4.zip | |
Add new field to libpod to indicate whether or not to use labelling
Also update some missing fields libpod.conf obtions in man pages.
Fix sort order of security options and add a note about disabling
labeling.
When a process requests a new label. libpod needs to reserve all
labels to make sure that their are no conflicts.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1406
Approved by: mheon
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/spec/createconfig.go | 22 | ||||
| -rw-r--r-- | pkg/spec/spec.go | 2 |
2 files changed, 8 insertions, 16 deletions
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go index a441b4019..328e3763c 100644 --- a/pkg/spec/createconfig.go +++ b/pkg/spec/createconfig.go @@ -15,7 +15,6 @@ import ( "github.com/docker/go-connections/nat" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" - "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/sys/unix" @@ -126,12 +125,11 @@ type CreateConfig struct { UtsMode namespaces.UTSMode //uts Volumes []string //volume VolumesFrom []string - WorkDir string //workdir - MountLabel string //SecurityOpts - ProcessLabel string //SecurityOpts - NoNewPrivs bool //SecurityOpts - ApparmorProfile string //SecurityOpts - SeccompProfilePath string //SecurityOpts + WorkDir string //workdir + LabelOpts []string //SecurityOpts + NoNewPrivs bool //SecurityOpts + ApparmorProfile string //SecurityOpts + SeccompProfilePath string //SecurityOpts SecurityOpts []string Rootfs string LocalVolumes []string //Keeps track of the built-in volumes of container used in the --volumes-from flag @@ -179,14 +177,10 @@ func (c *CreateConfig) GetVolumeMounts(specMounts []spec.Mount) ([]spec.Mount, e options = append(options, "rw") } if foundz { - if err := label.Relabel(spliti[0], c.MountLabel, true); err != nil { - return nil, errors.Wrapf(err, "relabel failed %q", spliti[0]) - } + options = append(options, "z") } if foundZ { - if err := label.Relabel(spliti[0], c.MountLabel, false); err != nil { - return nil, errors.Wrapf(err, "relabel failed %q", spliti[0]) - } + options = append(options, "Z") } if rootProp == "" { options = append(options, "rprivate") @@ -449,7 +443,7 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]lib useImageVolumes := c.ImageVolumeType == "bind" // Gather up the options for NewContainer which consist of With... funcs options = append(options, libpod.WithRootFSFromImage(c.ImageID, c.Image, useImageVolumes)) - options = append(options, libpod.WithSELinuxLabels(c.ProcessLabel, c.MountLabel)) + options = append(options, libpod.WithSecLabels(c.LabelOpts)) options = append(options, libpod.WithConmonPidFile(c.ConmonPidFile)) options = append(options, libpod.WithLabels(c.Labels)) options = append(options, libpod.WithUser(c.User)) diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 3634b0b33..e115bba7f 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -211,8 +211,6 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint // SECURITY OPTS g.SetProcessNoNewPrivileges(config.NoNewPrivs) g.SetProcessApparmorProfile(config.ApparmorProfile) - g.SetProcessSelinuxLabel(config.ProcessLabel) - g.SetLinuxMountLabel(config.MountLabel) if canAddResources { blockAccessToKernelFilesystems(config, &g) |