summaryrefslogtreecommitdiff
path: root/vendor
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2019-08-09 16:29:43 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2019-08-13 10:16:01 -0400
commit316e51f0a91d24f75a9191e2226928bc0c1c5b91 (patch)
tree7ab971c3fe4a1eedb291f89e9777dfb77ca90afe /vendor
parentc48243ee1eb3fe36b54057994d5e908d8a3d7f16 (diff)
downloadpodman-316e51f0a91d24f75a9191e2226928bc0c1c5b91.tar.gz
podman-316e51f0a91d24f75a9191e2226928bc0c1c5b91.tar.bz2
podman-316e51f0a91d24f75a9191e2226928bc0c1c5b91.zip
Add support & documentation to run containers with different file types
Udica is adding new features to allow users to define container process and file types. This would allow us to setup trusted communications channels between multiple security domains. ContainerA -> ContainerB -> ContainerC Add tests to make sure users can change file types Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go18
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go14
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go13
-rw-r--r--vendor/modules.txt2
4 files changed, 39 insertions, 8 deletions
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index 1eb9a6bf2..2730fcf4a 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -13,11 +13,12 @@ import (
// Valid Label Options
var validOptions = map[string]bool{
- "disable": true,
- "type": true,
- "user": true,
- "role": true,
- "level": true,
+ "disable": true,
+ "type": true,
+ "filetype": true,
+ "user": true,
+ "role": true,
+ "level": true,
}
var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together")
@@ -51,13 +52,16 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
return "", mountLabel, nil
}
if i := strings.Index(opt, ":"); i == -1 {
- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
}
con := strings.SplitN(opt, ":", 2)
if !validOptions[con[0]] {
- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
}
+ if con[0] == "filetype" {
+ mcon["type"] = con[1]
+ }
pcon[con[0]] = con[1]
if con[0] == "level" || con[0] == "user" {
mcon[con[0]] = con[1]
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index d7786c33c..2d4e9f890 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -18,6 +18,7 @@ import (
"strings"
"sync"
"syscall"
+ "golang.org/x/sys/unix"
)
const (
@@ -392,6 +393,14 @@ func SetExecLabel(label string) error {
return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label)
}
+/*
+SetTaskLabel sets the SELinux label for the current thread, or an error.
+This requires the dyntransition permission.
+*/
+func SetTaskLabel(label string) error {
+ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()), label)
+}
+
// SetSocketLabel takes a process label and tells the kernel to assign the
// label to the next socket that gets created
func SetSocketLabel(label string) error {
@@ -403,6 +412,11 @@ func SocketLabel() (string, error) {
return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
}
+// PeerLabel retrieves the label of the client on the other side of a socket
+func PeerLabel(fd uintptr) (string, error) {
+ return unix.GetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERSEC)
+}
+
// SetKeyLabel takes a process label and tells the kernel to assign the
// label to the next kernel keyring that gets created
func SetKeyLabel(label string) error {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 79b005d19..0c2e1cd38 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -97,6 +97,14 @@ func SetExecLabel(label string) error {
}
/*
+SetTaskLabel sets the SELinux label for the current thread, or an error.
+This requires the dyntransition permission.
+*/
+func SetTaskLabel(label string) error {
+ return nil
+}
+
+/*
SetSocketLabel sets the SELinux label that the kernel will use for any programs
that are executed by the current process thread, or an error.
*/
@@ -109,6 +117,11 @@ func SocketLabel() (string, error) {
return "", nil
}
+// PeerLabel retrieves the label of the client on the other side of a socket
+func PeerLabel(fd uintptr) (string, error) {
+ return "", nil
+}
+
// SetKeyLabel takes a process label and tells the kernel to assign the
// label to the next kernel keyring that gets created
func SetKeyLabel(label string) error {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index efb7d99da..c4a410be6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -365,7 +365,7 @@ github.com/opencontainers/runtime-tools/generate/seccomp
github.com/opencontainers/runtime-tools/filepath
github.com/opencontainers/runtime-tools/specerror
github.com/opencontainers/runtime-tools/error
-# github.com/opencontainers/selinux v1.2.2
+# github.com/opencontainers/selinux v1.3.0
github.com/opencontainers/selinux/go-selinux/label
github.com/opencontainers/selinux/go-selinux
# github.com/openshift/imagebuilder v1.1.0