author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-01-28 10:41:41 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-28 10:41:41 -0800 |
commit | c2cde7de613198753ba53e4cde6dd157b883548c (patch) | |
tree | eba120cd3065daca3f307f62b78d8ffbb4f76e29 /vendor | |
parent | 3426c34b77c9da54af85331d615e2111e152c499 (diff) | |
parent | 12b379a623dee18417c0ac7ea49fcb87cffe72b3 (diff) | |
Merge pull request #4989 from containers/dependabot/go_modules/github.com/opencontainers/selinux-1.3.1
build(deps): bump github.com/opencontainers/selinux from 1.3.0 to 1.3.1
Diffstat (limited to 'vendor')
-rw-r--r-- | vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go | 33 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
2 files changed, 30 insertions, 5 deletions
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 2d4e9f890..9fcfd0867 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -7,7 +7,6 @@ import (
 "bytes"
 "crypto/rand"
 "encoding/binary"
- "errors"
 "fmt"
 "io"
 "io/ioutil"
@@ -18,6 +17,8 @@ import (
 "strings"
 "sync"
 "syscall"
+
+ "github.com/pkg/errors"
 "golang.org/x/sys/unix"
 )
@@ -253,6 +254,12 @@ func getSELinuxPolicyRoot() string {
 return filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
 }
+func isProcHandle(fh *os.File) (bool, error) {
+ var buf unix.Statfs_t
+ err := unix.Fstatfs(int(fh.Fd()), &buf)
+ return buf.Type == unix.PROC_SUPER_MAGIC, err
+}
+
 func readCon(fpath string) (string, error) {
 if fpath == "" {
 return "", ErrEmptyPath
@@ -264,6 +271,12 @@ func readCon(fpath string) (string, error) {
 }
 defer in.Close()
+ if ok, err := isProcHandle(in); err != nil {
+ return "", err
+ } else if !ok {
+ return "", fmt.Errorf("%s not on procfs", fpath)
+ }
+
 var retval string
 if _, err := fmt.Fscanf(in, "%s", &retval); err != nil {
 return "", err
@@ -276,7 +289,10 @@ func SetFileLabel(fpath string, label string) error {
 if fpath == "" {
 return ErrEmptyPath
 }
- return lsetxattr(fpath, xattrNameSelinux, []byte(label), 0)
+ if err := lsetxattr(fpath, xattrNameSelinux, []byte(label), 0); err != nil {
+ return errors.Wrapf(err, "failed to set file label on %s", fpath)
+ }
+ return nil
 }
 // FileLabel returns the SELinux label for this path or returns an error.
@@ -346,12 +362,21 @@ func writeCon(fpath string, val string) error {
 }
 defer out.Close()
+ if ok, err := isProcHandle(out); err != nil {
+ return err
+ } else if !ok {
+ return fmt.Errorf("%s not on procfs", fpath)
+ }
+
 if val != "" {
 _, err = out.Write([]byte(val))
 } else {
 _, err = out.Write(nil)
 }
- return err
+ if err != nil {
+ return errors.Wrapf(err, "failed to set %s on procfs", fpath)
+ }
+ return nil
 }
 /*
@@ -394,7 +419,7 @@ func SetExecLabel(label string) error {
 }
 /*
-SetTaskLabel sets the SELinux label for the current thread, or an error.
+SetTaskLabel sets the SELinux label for the current thread, or an error.
 This requires the dyntransition permission.
 */
 func SetTaskLabel(label string) error {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index df323e0ff..4d96788a8 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -403,7 +403,7 @@ github.com/opencontainers/runtime-tools/generate
 github.com/opencontainers/runtime-tools/generate/seccomp
 github.com/opencontainers/runtime-tools/specerror
 github.com/opencontainers/runtime-tools/validate
-# github.com/opencontainers/selinux v1.3.0
+# github.com/opencontainers/selinux v1.3.1
 github.com/opencontainers/selinux/go-selinux
 github.com/opencontainers/selinux/go-selinux/label
 # github.com/openshift/api v0.0.0-20200106203948-7ab22a2c8316 |