summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/source/markdown/podman-run.1.md19
-rw-r--r--go.mod2
-rw-r--r--go.sum3
-rw-r--r--pkg/api/handlers/compat/images_build.go9
-rw-r--r--pkg/api/server/register_images.go7
-rw-r--r--test/e2e/common_test.go5
-rw-r--r--test/e2e/import_test.go3
-rw-r--r--test/e2e/logs_test.go2
-rw-r--r--test/e2e/push_test.go2
-rw-r--r--test/e2e/run_cgroup_parent_test.go16
-rw-r--r--test/e2e/run_cleanup_test.go2
-rw-r--r--test/e2e/run_privileged_test.go1
-rw-r--r--test/e2e/run_signal_test.go2
-rw-r--r--test/e2e/run_test.go8
-rw-r--r--test/e2e/run_volume_test.go4
-rw-r--r--test/system/030-run.bats2
-rw-r--r--test/system/400-unprivileged-access.bats5
-rw-r--r--test/utils/utils.go1
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux.go18
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go45
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go8
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go33
-rw-r--r--vendor/modules.txt2
23 files changed, 163 insertions, 36 deletions
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index 90c456544..0d9e6dbcd 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -1848,6 +1848,25 @@ $ podman run --name container1 --personaity=LINUX32 fedora bash
$ podman run --name container1 --rootfs /path/to/rootfs:O bash
```
+### Handling Timezones in java applications in a container.
+
+In order to use a timezone other than UTC when running a
+Java application within a container, the `TZ` environment variable must be
+set within the container. Java applications will ignore the value set with the
+`--tz` option.
+
+```
+# Example run
+podman run -ti --rm -e TZ=EST mytzimage
+lrwxrwxrwx. 1 root root 29 Nov 3 08:51 /etc/localtime -> ../usr/share/zoneinfo/Etc/UTC
+Now with default timezone:
+Fri Nov 19 18:10:55 EST 2021
+Java default sees the following timezone:
+2021-11-19T18:10:55.651130-05:00
+Forcing UTC:
+Fri Nov 19 23:10:55 UTC 2021
+```
+
### Rootless Containers
Podman runs as a non root user on most systems. This feature requires that a new enough version of **shadow-utils**
diff --git a/go.mod b/go.mod
index 22b1b714e..7e86d63b7 100644
--- a/go.mod
+++ b/go.mod
@@ -50,7 +50,7 @@ require (
github.com/opencontainers/runc v1.0.2
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/runtime-tools v0.9.1-0.20211020193359-09d837bf40a7
- github.com/opencontainers/selinux v1.9.1
+ github.com/opencontainers/selinux v1.10.0
github.com/pkg/errors v0.9.1
github.com/pmezard/go-difflib v1.0.0
github.com/rootless-containers/rootlesskit v0.14.6
diff --git a/go.sum b/go.sum
index 0d0953462..3bdbb8bdc 100644
--- a/go.sum
+++ b/go.sum
@@ -787,8 +787,9 @@ github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3
github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
github.com/opencontainers/selinux v1.8.4/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo=
github.com/opencontainers/selinux v1.8.5/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo=
-github.com/opencontainers/selinux v1.9.1 h1:b4VPEF3O5JLZgdTDBmGepaaIbAo0GqoF6EBRq5f/g3Y=
github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU=
+github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
github.com/openshift/imagebuilder v1.2.2-0.20210415181909-87f3e48c2656 h1:WaxyNFpmIDu4i6so9r6LVFIbSaXqsj8oitMitt86ae4=
github.com/openshift/imagebuilder v1.2.2-0.20210415181909-87f3e48c2656/go.mod h1:9aJRczxCH0mvT6XQ+5STAQaPWz7OsWcU5/mRkt8IWeo=
github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913 h1:TnbXhKzrTOyuvWrjI8W6pcoI9XPbLHFXCdN2dtUw7Rw=
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index 6152f1c02..7bbc4b99c 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -134,6 +134,15 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
return
}
+ // if layers field not set assume its not from a valid podman-client
+ // could be a docker client, set `layers=true` since that is the default
+ // expected behviour
+ if !utils.IsLibpodRequest(r) {
+ if _, found := r.URL.Query()["layers"]; !found {
+ query.Layers = true
+ }
+ }
+
// convert addcaps formats
var addCaps = []string{}
if _, found := r.URL.Query()["addcaps"]; found {
diff --git a/pkg/api/server/register_images.go b/pkg/api/server/register_images.go
index 38ceea271..bf8eeef40 100644
--- a/pkg/api/server/register_images.go
+++ b/pkg/api/server/register_images.go
@@ -1523,6 +1523,13 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
// JSON map of key, value pairs to set as labels on the new image
// (As of version 1.xx)
// - in: query
+ // name: layers
+ // type: boolean
+ // default: true
+ // description: |
+ // Cache intermediate layers during build.
+ // (As of version 1.xx)
+ // - in: query
// name: networkmode
// type: string
// default: bridge
diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
index 200faae2d..6180343a7 100644
--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -320,7 +320,7 @@ func (p *PodmanTestIntegration) createArtifact(image string) {
}
dest := strings.Split(image, "/")
destName := fmt.Sprintf("/tmp/%s.tar", strings.Replace(strings.Join(strings.Split(dest[len(dest)-1], "/"), ""), ":", "-", -1))
- fmt.Printf("Caching %s at %s...", image, destName)
+ fmt.Printf("Caching %s at %s...\n", image, destName)
if _, err := os.Stat(destName); os.IsNotExist(err) {
pull := p.PodmanNoCache([]string{"pull", image})
pull.Wait(440)
@@ -466,6 +466,9 @@ func (p *PodmanTestIntegration) BuildImageWithLabel(dockerfile, imageName string
// PodmanPID execs podman and returns its PID
func (p *PodmanTestIntegration) PodmanPID(args []string) (*PodmanSessionIntegration, int) {
podmanOptions := p.MakeOptions(args, false, false)
+ if p.RemoteTest {
+ podmanOptions = append([]string{"--remote", "--url", p.RemoteSocket}, podmanOptions...)
+ }
fmt.Printf("Running: %s %s\n", p.PodmanBinary, strings.Join(podmanOptions, " "))
command := exec.Command(p.PodmanBinary, podmanOptions...)
session, err := Start(command, GinkgoWriter, GinkgoWriter)
diff --git a/test/e2e/import_test.go b/test/e2e/import_test.go
index 519a7290c..13a0f6f90 100644
--- a/test/e2e/import_test.go
+++ b/test/e2e/import_test.go
@@ -18,7 +18,6 @@ var _ = Describe("Podman import", func() {
)
BeforeEach(func() {
- SkipIfRemote("FIXME: These look like it is supposed to work in remote")
tempdir, err = CreateTempDirInTempDir()
if err != nil {
os.Exit(1)
@@ -156,6 +155,8 @@ var _ = Describe("Podman import", func() {
})
It("podman import with signature", func() {
+ SkipIfRemote("FIXME: remote ignores --signature-policy, #12357")
+
outfile := filepath.Join(podmanTest.TempDir, "container.tar")
_, ec, cid := podmanTest.RunLsContainer("")
Expect(ec).To(Equal(0))
diff --git a/test/e2e/logs_test.go b/test/e2e/logs_test.go
index 3beabec4b..d901dde5c 100644
--- a/test/e2e/logs_test.go
+++ b/test/e2e/logs_test.go
@@ -214,7 +214,7 @@ var _ = Describe("Podman logs", func() {
It("two containers showing short container IDs: "+log, func() {
skipIfJournaldInContainer()
- SkipIfRemote("FIXME: podman-remote logs does not support showing two containers at the same time")
+ SkipIfRemote("podman-remote logs does not support showing two containers at the same time")
log1 := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "echo podman; echo podman; echo podman"})
log1.WaitWithDefaultTimeout()
diff --git a/test/e2e/push_test.go b/test/e2e/push_test.go
index 7b35acd35..7038a09e8 100644
--- a/test/e2e/push_test.go
+++ b/test/e2e/push_test.go
@@ -95,7 +95,7 @@ var _ = Describe("Podman push", func() {
})
It("podman push to local registry with authorization", func() {
- SkipIfRootless("FIXME: Creating content in certs.d we use directories in homedir")
+ SkipIfRootless("volume-mounting a certs.d file N/A over remote")
if podmanTest.Host.Arch == "ppc64le" {
Skip("No registry image for ppc64le")
}
diff --git a/test/e2e/run_cgroup_parent_test.go b/test/e2e/run_cgroup_parent_test.go
index e0e1d4b1d..6bdc6af08 100644
--- a/test/e2e/run_cgroup_parent_test.go
+++ b/test/e2e/run_cgroup_parent_test.go
@@ -48,21 +48,22 @@ var _ = Describe("Podman run with --cgroup-parent", func() {
run := podmanTest.Podman([]string{"run", "--cgroupns=host", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/self/cgroup"})
run.WaitWithDefaultTimeout()
Expect(run).Should(Exit(0))
- ok, _ := run.GrepString(cgroup)
- Expect(ok).To(BeTrue())
+ Expect(run.OutputToString()).To(ContainSubstring(cgroup))
})
Specify("no --cgroup-parent", func() {
- SkipIfRootless("FIXME This seems to be broken in rootless mode")
cgroup := "/libpod_parent"
if !Containerized() && podmanTest.CgroupManager != "cgroupfs" {
- cgroup = "/machine.slice"
+ if isRootless() {
+ cgroup = "/user.slice"
+ } else {
+ cgroup = "/machine.slice"
+ }
}
run := podmanTest.Podman([]string{"run", "--cgroupns=host", fedoraMinimal, "cat", "/proc/self/cgroup"})
run.WaitWithDefaultTimeout()
Expect(run).Should(Exit(0))
- ok, _ := run.GrepString(cgroup)
- Expect(ok).To(BeTrue())
+ Expect(run.OutputToString()).To(ContainSubstring(cgroup))
})
Specify("always honor --cgroup-parent", func() {
@@ -114,7 +115,6 @@ var _ = Describe("Podman run with --cgroup-parent", func() {
run := podmanTest.Podman([]string{"run", "--cgroupns=host", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/1/cgroup"})
run.WaitWithDefaultTimeout()
Expect(run).Should(Exit(0))
- ok, _ := run.GrepString(cgroup)
- Expect(ok).To(BeTrue())
+ Expect(run.OutputToString()).To(ContainSubstring(cgroup))
})
})
diff --git a/test/e2e/run_cleanup_test.go b/test/e2e/run_cleanup_test.go
index 6753fcf12..cc4e66751 100644
--- a/test/e2e/run_cleanup_test.go
+++ b/test/e2e/run_cleanup_test.go
@@ -35,7 +35,7 @@ var _ = Describe("Podman run exit", func() {
It("podman run -d mount cleanup test", func() {
SkipIfRemote("podman-remote does not support mount")
- SkipIfRootless("FIXME podman mount requires podman unshare first")
+ SkipIfRootless("TODO rootless podman mount requires podman unshare first")
result := podmanTest.Podman([]string{"run", "-dt", ALPINE, "top"})
result.WaitWithDefaultTimeout()
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index 3e4262cfb..d793a01f8 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@@ -128,7 +128,6 @@ var _ = Describe("Podman privileged container tests", func() {
})
It("podman privileged should inherit host devices", func() {
- SkipIfRootless("FIXME: This seems to be broken for rootless mode, /dev/ is close to the same")
session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "ls", "-l", "/dev"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
diff --git a/test/e2e/run_signal_test.go b/test/e2e/run_signal_test.go
index e9c073a6c..49f456366 100644
--- a/test/e2e/run_signal_test.go
+++ b/test/e2e/run_signal_test.go
@@ -45,7 +45,6 @@ var _ = Describe("Podman run with --sig-proxy", func() {
})
Specify("signals are forwarded to container using sig-proxy", func() {
- SkipIfRemote("FIXME: This looks like it is supposed to work in remote")
if podmanTest.Host.Arch == "ppc64le" {
Skip("Doesn't work on ppc64le")
}
@@ -111,7 +110,6 @@ var _ = Describe("Podman run with --sig-proxy", func() {
})
Specify("signals are not forwarded to container with sig-proxy false", func() {
- SkipIfRemote("FIXME: This looks like it is supposed to work in remote")
signal := syscall.SIGFPE
if rootless.IsRootless() {
podmanTest.RestoreArtifact(fedoraMinimal)
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 05cb986c6..2be2154ff 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -681,7 +681,7 @@ USER bin`, BB)
})
It("podman run device-read-bps test", func() {
- SkipIfRootless("FIXME: Missing /sys/fs/cgroup/user.slice/user-14467.slice/user@14467.service/cgroup.subtree_control")
+ SkipIfRootless("FIXME: requested cgroup controller `io` is not available")
SkipIfRootlessCgroupsV1("Setting device-read-bps not supported on cgroupv1 for rootless users")
var session *PodmanSessionIntegration
@@ -700,7 +700,7 @@ USER bin`, BB)
})
It("podman run device-write-bps test", func() {
- SkipIfRootless("FIXME /sys/fs/cgroup/user.slice/user-14467.slice/user@14467.service/cgroup.subtree_control does not exist")
+ SkipIfRootless("FIXME: requested cgroup controller `io` is not available")
SkipIfRootlessCgroupsV1("Setting device-write-bps not supported on cgroupv1 for rootless users")
var session *PodmanSessionIntegration
@@ -718,7 +718,7 @@ USER bin`, BB)
})
It("podman run device-read-iops test", func() {
- SkipIfRootless("FIXME /sys/fs/cgroup/user.slice/user-14467.slice/user@14467.service/cgroup.subtree_control does not exist")
+ SkipIfRootless("FIXME: requested cgroup controller `io` is not available")
SkipIfRootlessCgroupsV1("Setting device-read-iops not supported on cgroupv1 for rootless users")
var session *PodmanSessionIntegration
@@ -736,7 +736,7 @@ USER bin`, BB)
})
It("podman run device-write-iops test", func() {
- SkipIfRootless("FIXME /sys/fs/cgroup/user.slice/user-14467.slice/user@14467.service/cgroup.subtree_control does not exist")
+ SkipIfRootless("FIXME: requested cgroup controller `io` is not available")
SkipIfRootlessCgroupsV1("Setting device-write-iops not supported on cgroupv1 for rootless users")
var session *PodmanSessionIntegration
diff --git a/test/e2e/run_volume_test.go b/test/e2e/run_volume_test.go
index 634a498b9..5ce4d9acf 100644
--- a/test/e2e/run_volume_test.go
+++ b/test/e2e/run_volume_test.go
@@ -282,8 +282,8 @@ var _ = Describe("Podman run with volumes", func() {
})
It("podman run with tmpfs named volume mounts and unmounts", func() {
- SkipIfRootless("FIXME: rootless podman mount requires you to be in a user namespace")
- SkipIfRemote("podman-remote does not support --volumes this test could be simplified to be tested on Remote.")
+ SkipIfRootless("rootless podman mount requires you to be in a user namespace")
+ SkipIfRemote("podman-remote does not support --volumes. This test could be simplified to be tested on Remote.")
volName := "testvol"
mkVolume := podmanTest.Podman([]string{"volume", "create", "--opt", "type=tmpfs", "--opt", "device=tmpfs", "--opt", "o=nodev", "testvol"})
mkVolume.WaitWithDefaultTimeout()
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index ba21cd21d..5937d38f8 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -236,7 +236,7 @@ echo $rand | 0 | $rand
}
@test "podman run docker-archive" {
- skip_if_remote "podman-remote does not support docker-archive (#7116)"
+ skip_if_remote "podman-remote does not support docker-archive"
# Create an image that, when run, outputs a random magic string
expect=$(random_string 20)
diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats
index f26c97d1e..cf0d0e6bf 100644
--- a/test/system/400-unprivileged-access.bats
+++ b/test/system/400-unprivileged-access.bats
@@ -101,11 +101,6 @@ EOF
# #6957 - mask out /proc/acpi, /sys/dev, and other sensitive system files
@test "sensitive mount points are masked without --privileged" {
- # Weird error, maybe a flake?
- # can only attach to created or running containers: container state improper
- # https://github.com/containers/podman/pull/7111#issuecomment-666858715
- skip_if_remote "FIXME: Weird flake"
-
# FIXME: this should match the list in pkg/specgen/generate/config_linux.go
local -a mps=(
/proc/acpi
diff --git a/test/utils/utils.go b/test/utils/utils.go
index 8d1edb23a..4a57d9ce7 100644
--- a/test/utils/utils.go
+++ b/test/utils/utils.go
@@ -121,6 +121,7 @@ func (p *PodmanTest) WaitForContainer() bool {
}
time.Sleep(1 * time.Second)
}
+ fmt.Printf("WaitForContainer(): timed out\n")
return false
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
index cad467507..5a59d151f 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
@@ -61,16 +61,30 @@ func ClassIndex(class string) (int, error) {
return classIndex(class)
}
-// SetFileLabel sets the SELinux label for this path or returns an error.
+// SetFileLabel sets the SELinux label for this path, following symlinks,
+// or returns an error.
func SetFileLabel(fpath string, label string) error {
return setFileLabel(fpath, label)
}
-// FileLabel returns the SELinux label for this path or returns an error.
+// LsetFileLabel sets the SELinux label for this path, not following symlinks,
+// or returns an error.
+func LsetFileLabel(fpath string, label string) error {
+ return lSetFileLabel(fpath, label)
+}
+
+// FileLabel returns the SELinux label for this path, following symlinks,
+// or returns an error.
func FileLabel(fpath string) (string, error) {
return fileLabel(fpath)
}
+// LfileLabel returns the SELinux label for this path, not following symlinks,
+// or returns an error.
+func LfileLabel(fpath string) (string, error) {
+ return lFileLabel(fpath)
+}
+
// SetFSCreateLabel tells the kernel what label to use for all file system objects
// created by this task.
// Set the label to an empty string to return to the default label. Calls to SetFSCreateLabel
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index b045843ad..ee602ab96 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -316,8 +316,9 @@ func classIndex(class string) (int, error) {
return index, nil
}
-// setFileLabel sets the SELinux label for this path or returns an error.
-func setFileLabel(fpath string, label string) error {
+// lSetFileLabel sets the SELinux label for this path, not following symlinks,
+// or returns an error.
+func lSetFileLabel(fpath string, label string) error {
if fpath == "" {
return ErrEmptyPath
}
@@ -334,12 +335,50 @@ func setFileLabel(fpath string, label string) error {
return nil
}
-// fileLabel returns the SELinux label for this path or returns an error.
+// setFileLabel sets the SELinux label for this path, following symlinks,
+// or returns an error.
+func setFileLabel(fpath string, label string) error {
+ if fpath == "" {
+ return ErrEmptyPath
+ }
+ for {
+ err := unix.Setxattr(fpath, xattrNameSelinux, []byte(label), 0)
+ if err == nil {
+ break
+ }
+ if err != unix.EINTR { //nolint:errorlint // unix errors are bare
+ return &os.PathError{Op: "setxattr", Path: fpath, Err: err}
+ }
+ }
+
+ return nil
+}
+
+// fileLabel returns the SELinux label for this path, following symlinks,
+// or returns an error.
func fileLabel(fpath string) (string, error) {
if fpath == "" {
return "", ErrEmptyPath
}
+ label, err := getxattr(fpath, xattrNameSelinux)
+ if err != nil {
+ return "", &os.PathError{Op: "getxattr", Path: fpath, Err: err}
+ }
+ // Trim the NUL byte at the end of the byte buffer, if present.
+ if len(label) > 0 && label[len(label)-1] == '\x00' {
+ label = label[:len(label)-1]
+ }
+ return string(label), nil
+}
+
+// lFileLabel returns the SELinux label for this path, not following symlinks,
+// or returns an error.
+func lFileLabel(fpath string) (string, error) {
+ if fpath == "" {
+ return "", ErrEmptyPath
+ }
+
label, err := lgetxattr(fpath, xattrNameSelinux)
if err != nil {
return "", &os.PathError{Op: "lgetxattr", Path: fpath, Err: err}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 42657759c..78743b020 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -17,10 +17,18 @@ func setFileLabel(fpath string, label string) error {
return nil
}
+func lSetFileLabel(fpath string, label string) error {
+ return nil
+}
+
func fileLabel(fpath string) (string, error) {
return "", nil
}
+func lFileLabel(fpath string) (string, error) {
+ return "", nil
+}
+
func setFSCreateLabel(label string) error {
return nil
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
index c6b0a7f26..9e473ca16 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
@@ -36,3 +36,36 @@ func doLgetxattr(path, attr string, dest []byte) (int, error) {
}
}
}
+
+// getxattr returns a []byte slice containing the value of
+// an extended attribute attr set for path.
+func getxattr(path, attr string) ([]byte, error) {
+ // Start with a 128 length byte array
+ dest := make([]byte, 128)
+ sz, errno := dogetxattr(path, attr, dest)
+ for errno == unix.ERANGE { //nolint:errorlint // unix errors are bare
+ // Buffer too small, use zero-sized buffer to get the actual size
+ sz, errno = dogetxattr(path, attr, []byte{})
+ if errno != nil {
+ return nil, errno
+ }
+
+ dest = make([]byte, sz)
+ sz, errno = dogetxattr(path, attr, dest)
+ }
+ if errno != nil {
+ return nil, errno
+ }
+
+ return dest[:sz], nil
+}
+
+// dogetxattr is a wrapper that retries on EINTR
+func dogetxattr(path, attr string, dest []byte) (int, error) {
+ for {
+ sz, err := unix.Getxattr(path, attr, dest)
+ if err != unix.EINTR { //nolint:errorlint // unix errors are bare
+ return sz, err
+ }
+ }
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3000d4212..71658bf35 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -569,7 +569,7 @@ github.com/opencontainers/runtime-tools/generate
github.com/opencontainers/runtime-tools/generate/seccomp
github.com/opencontainers/runtime-tools/specerror
github.com/opencontainers/runtime-tools/validate
-# github.com/opencontainers/selinux v1.9.1
+# github.com/opencontainers/selinux v1.10.0
## explicit
github.com/opencontainers/selinux/go-selinux
github.com/opencontainers/selinux/go-selinux/label