summaryrefslogtreecommitdiff
path: root/vendor/github.com/opencontainers/selinux
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2018-12-10 00:34:05 -0500
committerDaniel J Walsh <dwalsh@redhat.com>2018-12-12 04:22:44 -0800
commit64ac54625924e226611d53497a941affaddb0a23 (patch)
tree4d723ecbe196b872dfa973b634bd778fba2b5b60 /vendor/github.com/opencontainers/selinux
parent1f547b2936af06656eaf579c3adaf8f345d227fc (diff)
downloadpodman-64ac54625924e226611d53497a941affaddb0a23.tar.gz
podman-64ac54625924e226611d53497a941affaddb0a23.tar.bz2
podman-64ac54625924e226611d53497a941affaddb0a23.zip
Set Socket label for contianer
This will allow container processes to write to the CRIU socket that gets injected into the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor/github.com/opencontainers/selinux')
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label.go18
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go13
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go11
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go13
4 files changed, 51 insertions, 4 deletions
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
index 2a31cd3c5..bb27ac936 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
@@ -9,7 +9,7 @@ func InitLabels(options []string) (string, string, error) {
return "", "", nil
}
-func GetROMountLabel() string {
+func ROMountLabel() string {
return ""
}
@@ -25,7 +25,19 @@ func SetProcessLabel(processLabel string) error {
return nil
}
-func GetFileLabel(path string) (string, error) {
+func ProcessLabel() (string, error) {
+ return "", nil
+}
+
+func SetSocketLabel(processLabel string) error {
+ return nil
+}
+
+func SocketLabel() (string, error) {
+ return "", nil
+}
+
+func FileLabel(path string) (string, error) {
return "", nil
}
@@ -41,7 +53,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
return nil
}
-func GetPidLabel(pid int) (string, error) {
+func PidLabel(pid int) (string, error) {
return "", nil
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index 63c4edd05..de214b2d5 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -95,6 +95,17 @@ func SetProcessLabel(processLabel string) error {
return selinux.SetExecLabel(processLabel)
}
+// SetSocketLabel takes a process label and tells the kernel to assign the
+// label to the next socket that gets created
+func SetSocketLabel(processLabel string) error {
+ return selinux.SetSocketLabel(processLabel)
+}
+
+// SocketLabel retrieves the current default socket label setting
+func SocketLabel() (string, error) {
+ return selinux.SocketLabel()
+}
+
// ProcessLabel returns the process label that the kernel will assign
// to the next program executed by the current process. If "" is returned
// this indicates that the default labeling will happen for the process.
@@ -102,7 +113,7 @@ func ProcessLabel() (string, error) {
return selinux.ExecLabel()
}
-// GetFileLabel returns the label for specified path
+// FileLabel returns the label for specified path
func FileLabel(path string) (string, error) {
return selinux.FileLabel(path)
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index bbaa1e0d7..7832f7497 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -385,6 +385,17 @@ func SetExecLabel(label string) error {
return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label)
}
+// SetSocketLabel takes a process label and tells the kernel to assign the
+// label to the next socket that gets created
+func SetSocketLabel(label string) error {
+ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()), label)
+}
+
+// SocketLabel retrieves the current socket label setting
+func SocketLabel() (string, error) {
+ return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
+}
+
// Get returns the Context as a string
func (c Context) Get() string {
if c["level"] != "" {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 5abf8a362..99efa155a 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -96,6 +96,19 @@ func SetExecLabel(label string) error {
return nil
}
+/*
+SetSocketLabel sets the SELinux label that the kernel will use for any programs
+that are executed by the current process thread, or an error.
+*/
+func SetSocketLabel(label string) error {
+ return nil
+}
+
+// SocketLabel retrieves the current socket label setting
+func SocketLabel() (string, error) {
+ return "", nil
+}
+
// Get returns the Context as a string
func (c Context) Get() string {
return ""