diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2019-08-09 16:29:43 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2019-08-13 10:16:01 -0400 |
commit | 316e51f0a91d24f75a9191e2226928bc0c1c5b91 (patch) | |
tree | 7ab971c3fe4a1eedb291f89e9777dfb77ca90afe /vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go | |
parent | c48243ee1eb3fe36b54057994d5e908d8a3d7f16 (diff) | |
download | podman-316e51f0a91d24f75a9191e2226928bc0c1c5b91.tar.gz podman-316e51f0a91d24f75a9191e2226928bc0c1c5b91.tar.bz2 podman-316e51f0a91d24f75a9191e2226928bc0c1c5b91.zip |
Add support & documentation to run containers with different file types
Udica is adding new features to allow users to define container process
and file types. This would allow us to setup trusted communications channels
between multiple security domains. ContainerA -> ContainerB -> ContainerC
Add tests to make sure users can change file types
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go')
-rw-r--r-- | vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go index d7786c33c..2d4e9f890 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go @@ -18,6 +18,7 @@ import ( "strings" "sync" "syscall" + "golang.org/x/sys/unix" ) const ( @@ -392,6 +393,14 @@ func SetExecLabel(label string) error { return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label) } +/* +SetTaskLabel sets the SELinux label for the current thread, or an error. +This requires the dyntransition permission. +*/ +func SetTaskLabel(label string) error { + return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()), label) +} + // SetSocketLabel takes a process label and tells the kernel to assign the // label to the next socket that gets created func SetSocketLabel(label string) error { @@ -403,6 +412,11 @@ func SocketLabel() (string, error) { return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid())) } +// PeerLabel retrieves the label of the client on the other side of a socket +func PeerLabel(fd uintptr) (string, error) { + return unix.GetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERSEC) +} + // SetKeyLabel takes a process label and tells the kernel to assign the // label to the next kernel keyring that gets created func SetKeyLabel(label string) error { |