summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cmd/podman/create.go12
-rw-r--r--libpod/oci.go17
-rw-r--r--vendor.conf2
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label.go4
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go62
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go36
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go8
7 files changed, 111 insertions, 30 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 1aa3425a5..065d08df4 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -173,7 +173,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
if err != nil {
return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
}
- labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...)
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
}
if config.IpcMode.IsHost() {
@@ -183,7 +187,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
if err != nil {
return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
}
- labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...)
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
}
for _, opt := range securityOpts {
diff --git a/libpod/oci.go b/libpod/oci.go
index 3451ddaa8..e55bd57dc 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -356,18 +356,25 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res
// Set the label of the conmon process to be level :s0
// This will allow the container processes to talk to fifo-files
// passed into the container by conmon
- var plabel string
+ var (
+ plabel string
+ con selinux.Context
+ )
plabel, err = selinux.CurrentLabel()
if err != nil {
childPipe.Close()
return errors.Wrapf(err, "Failed to get current SELinux label")
}
- c := selinux.NewContext(plabel)
+ con, err = selinux.NewContext(plabel)
+ if err != nil {
+ return errors.Wrapf(err, "Failed to get new context from SELinux label")
+ }
+
runtime.LockOSThread()
- if c["level"] != "s0" && c["level"] != "" {
- c["level"] = "s0"
- if err = label.SetProcessLabel(c.Get()); err != nil {
+ if con["level"] != "s0" && con["level"] != "" {
+ con["level"] = "s0"
+ if err = label.SetProcessLabel(con.Get()); err != nil {
runtime.UnlockOSThread()
return err
}
diff --git a/vendor.conf b/vendor.conf
index 9c9d41a0d..fe7adf6c9 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -54,7 +54,7 @@ github.com/opencontainers/image-spec v1.0.0
github.com/opencontainers/runc v1.0.0-rc6
github.com/opencontainers/runtime-spec 1722abf79c2f8f2675f47367f827c6491472cf27
github.com/opencontainers/runtime-tools v0.8.0
-github.com/opencontainers/selinux v1.0.0
+github.com/opencontainers/selinux v1.1
github.com/ostreedev/ostree-go d0388bd827cfac6fa8eec760246eb8375674b2a0
github.com/pkg/errors v0.8.1
github.com/pmezard/go-difflib v1.0.0
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
index bb27ac936..4e9a8c54f 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
@@ -75,8 +75,8 @@ func ReleaseLabel(label string) error {
// DupSecOpt takes a process label and returns security options that
// can be used to set duplicate labels on future container processes
-func DupSecOpt(src string) []string {
- return nil
+func DupSecOpt(src string) ([]string, error) {
+ return nil, nil
}
// DisableSecOpt returns a security opt that can disable labeling
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index de214b2d5..d4e26909d 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -4,6 +4,8 @@ package label
import (
"fmt"
+ "os"
+ "os/user"
"strings"
"github.com/opencontainers/selinux/go-selinux"
@@ -35,8 +37,15 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
ReleaseLabel(mountLabel)
}
}()
- pcon := selinux.NewContext(processLabel)
- mcon := selinux.NewContext(mountLabel)
+ pcon, err := selinux.NewContext(processLabel)
+ if err != nil {
+ return "", "", err
+ }
+
+ mcon, err := selinux.NewContext(mountLabel)
+ if err != nil {
+ return "", "", err
+ }
for _, opt := range options {
if opt == "disable" {
return "", mountLabel, nil
@@ -146,13 +155,56 @@ func Relabel(path string, fileLabel string, shared bool) error {
return nil
}
- exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true, "/tmp": true, "/home": true, "/run": true, "/var": true, "/root": true}
+ exclude_paths := map[string]bool{
+ "/": true,
+ "/bin": true,
+ "/boot": true,
+ "/dev": true,
+ "/etc": true,
+ "/etc/passwd": true,
+ "/etc/pki": true,
+ "/etc/shadow": true,
+ "/home": true,
+ "/lib": true,
+ "/lib64": true,
+ "/media": true,
+ "/opt": true,
+ "/proc": true,
+ "/root": true,
+ "/run": true,
+ "/sbin": true,
+ "/srv": true,
+ "/sys": true,
+ "/tmp": true,
+ "/usr": true,
+ "/var": true,
+ "/var/lib": true,
+ "/var/log": true,
+ }
+
+ if home := os.Getenv("HOME"); home != "" {
+ exclude_paths[home] = true
+ }
+
+ if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+ if usr, err := user.Lookup(sudoUser); err == nil {
+ exclude_paths[usr.HomeDir] = true
+ }
+ }
+
+ if path != "/" {
+ path = strings.TrimSuffix(path, "/")
+ }
if exclude_paths[path] {
return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
}
if shared {
- c := selinux.NewContext(fileLabel)
+ c, err := selinux.NewContext(fileLabel)
+ if err != nil {
+ return err
+ }
+
c["level"] = "s0"
fileLabel = c.Get()
}
@@ -195,7 +247,7 @@ func ReleaseLabel(label string) error {
// DupSecOpt takes a process label and returns security options that
// can be used to set duplicate labels on future container processes
-func DupSecOpt(src string) []string {
+func DupSecOpt(src string) ([]string, error) {
return selinux.DupSecOpt(src)
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 7832f7497..5adafd317 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -52,6 +52,8 @@ var (
ErrMCSAlreadyExists = errors.New("MCS label already exists")
// ErrEmptyPath is returned when an empty path has been specified.
ErrEmptyPath = errors.New("empty path")
+ // InvalidLabel is returned when an invalid label is specified.
+ InvalidLabel = errors.New("Invalid Label")
assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
roFileLabel string
@@ -405,11 +407,14 @@ func (c Context) Get() string {
}
// NewContext creates a new Context struct from the specified label
-func NewContext(label string) Context {
+func NewContext(label string) (Context, error) {
c := make(Context)
if len(label) != 0 {
con := strings.SplitN(label, ":", 4)
+ if len(con) < 3 {
+ return c, InvalidLabel
+ }
c["user"] = con[0]
c["role"] = con[1]
c["type"] = con[2]
@@ -417,7 +422,7 @@ func NewContext(label string) Context {
c["level"] = con[3]
}
}
- return c
+ return c, nil
}
// ClearLabels clears all reserved labels
@@ -630,12 +635,12 @@ func ContainerLabels() (processLabel string, fileLabel string) {
roFileLabel = fileLabel
}
exit:
- scon := NewContext(processLabel)
+ scon, _ := NewContext(processLabel)
if scon["level"] != "" {
mcs := uniqMcs(1024)
scon["level"] = mcs
processLabel = scon.Get()
- scon = NewContext(fileLabel)
+ scon, _ = NewContext(fileLabel)
scon["level"] = mcs
fileLabel = scon.Get()
}
@@ -661,8 +666,14 @@ func CopyLevel(src, dest string) (string, error) {
if err := SecurityCheckContext(dest); err != nil {
return "", err
}
- scon := NewContext(src)
- tcon := NewContext(dest)
+ scon, err := NewContext(src)
+ if err != nil {
+ return "", err
+ }
+ tcon, err := NewContext(dest)
+ if err != nil {
+ return "", err
+ }
mcsDelete(tcon["level"])
mcsAdd(scon["level"])
tcon["level"] = scon["level"]
@@ -714,15 +725,18 @@ func Chcon(fpath string, label string, recurse bool) error {
// DupSecOpt takes an SELinux process label and returns security options that
// can be used to set the SELinux Type and Level for future container processes.
-func DupSecOpt(src string) []string {
+func DupSecOpt(src string) ([]string, error) {
if src == "" {
- return nil
+ return nil, nil
+ }
+ con, err := NewContext(src)
+ if err != nil {
+ return nil, err
}
- con := NewContext(src)
if con["user"] == "" ||
con["role"] == "" ||
con["type"] == "" {
- return nil
+ return nil, nil
}
dup := []string{"user:" + con["user"],
"role:" + con["role"],
@@ -733,7 +747,7 @@ func DupSecOpt(src string) []string {
dup = append(dup, "level:"+con["level"])
}
- return dup
+ return dup, nil
}
// DisableSecOpt returns a security opt that can be used to disable SELinux
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 99efa155a..9497acbd0 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -115,9 +115,9 @@ func (c Context) Get() string {
}
// NewContext creates a new Context struct from the specified label
-func NewContext(label string) Context {
+func NewContext(label string) (Context, error) {
c := make(Context)
- return c
+ return c, nil
}
// ClearLabels clears all reserved MLS/MCS levels
@@ -195,8 +195,8 @@ func Chcon(fpath string, label string, recurse bool) error {
// DupSecOpt takes an SELinux process label and returns security options that
// can be used to set the SELinux Type and Level for future container processes.
-func DupSecOpt(src string) []string {
- return nil
+func DupSecOpt(src string) ([]string, error) {
+ return nil, nil
}
// DisableSecOpt returns a security opt that can be used to disable SELinux