summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--cmd/podman/images/scp.go4
-rw-r--r--docs/source/markdown/podman-image-scp.1.md2
-rw-r--r--go.mod2
-rw-r--r--go.sum3
-rw-r--r--libpod/container_internal.go36
-rw-r--r--test/e2e/run_cgroup_parent_test.go17
-rw-r--r--test/system/410-selinux.bats12
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go9
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux.go2
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go54
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go4
-rw-r--r--vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go5
-rw-r--r--vendor/modules.txt2
13 files changed, 97 insertions, 55 deletions
diff --git a/cmd/podman/images/scp.go b/cmd/podman/images/scp.go
index 71399e0b7..a47d01995 100644
--- a/cmd/podman/images/scp.go
+++ b/cmd/podman/images/scp.go
@@ -111,7 +111,7 @@ func scp(cmd *cobra.Command, args []string) (finalErr error) {
if err != nil {
return err
}
- fmt.Println("Loaded images(s): " + strings.Join(report.Names, ","))
+ fmt.Println("Loaded image(s): " + strings.Join(report.Names, ","))
case scpOpts.ToRemote: // remote host load
scpOpts.Save.Format = "oci-archive"
abiErr := abiEng.Save(context.Background(), scpOpts.SourceImageName, []string{}, scpOpts.Save) // save the image locally before loading it on remote, local, or ssh
@@ -137,7 +137,7 @@ func scp(cmd *cobra.Command, args []string) (finalErr error) {
if err != nil {
return err
}
- fmt.Println("Loaded images(s): " + strings.Join(rep.Names, ","))
+ fmt.Println("Loaded image(s): " + strings.Join(rep.Names, ","))
}
return nil
}
diff --git a/docs/source/markdown/podman-image-scp.1.md b/docs/source/markdown/podman-image-scp.1.md
index 7d143c851..420452a4d 100644
--- a/docs/source/markdown/podman-image-scp.1.md
+++ b/docs/source/markdown/podman-image-scp.1.md
@@ -59,7 +59,7 @@ Copying blob 9450ef9feb15 [--------------------------------------] 0.0b / 0.0b
Copying config 1f97f0559c done
Writing manifest to image destination
Storing signatures
-Loaded images(s): docker.io/library/alpine:latest
+Loaded image(s): docker.io/library/alpine:latest
```
## SEE ALSO
diff --git a/go.mod b/go.mod
index 02d7a89d7..df0783c74 100644
--- a/go.mod
+++ b/go.mod
@@ -50,7 +50,7 @@ require (
github.com/opencontainers/runc v1.0.1
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/runtime-tools v0.9.0
- github.com/opencontainers/selinux v1.8.2
+ github.com/opencontainers/selinux v1.8.3
github.com/pkg/errors v0.9.1
github.com/pmezard/go-difflib v1.0.0
github.com/rootless-containers/rootlesskit v0.14.3
diff --git a/go.sum b/go.sum
index f2c1ad631..d2564404b 100644
--- a/go.sum
+++ b/go.sum
@@ -749,8 +749,9 @@ github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pK
github.com/opencontainers/selinux v1.5.1/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g=
github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
-github.com/opencontainers/selinux v1.8.2 h1:c4ca10UMgRcvZ6h0K4HtS15UaVSBEaE+iln2LVpAuGc=
github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
+github.com/opencontainers/selinux v1.8.3 h1:tzZR7AuKB5gU1+53uBkoG4XdIFGZzvJTOVoNbRQI8/4=
+github.com/opencontainers/selinux v1.8.3/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo=
github.com/openshift/imagebuilder v1.2.2-0.20210415181909-87f3e48c2656 h1:WaxyNFpmIDu4i6so9r6LVFIbSaXqsj8oitMitt86ae4=
github.com/openshift/imagebuilder v1.2.2-0.20210415181909-87f3e48c2656/go.mod h1:9aJRczxCH0mvT6XQ+5STAQaPWz7OsWcU5/mRkt8IWeo=
github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913 h1:TnbXhKzrTOyuvWrjI8W6pcoI9XPbLHFXCdN2dtUw7Rw=
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index e7694227a..8ffcccf4c 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -472,20 +472,10 @@ func (c *Container) setupStorage(ctx context.Context) error {
c.config.IDMappings.UIDMap = containerInfo.UIDMap
c.config.IDMappings.GIDMap = containerInfo.GIDMap
- processLabel := containerInfo.ProcessLabel
- switch {
- case c.ociRuntime.SupportsKVM():
- processLabel, err = selinux.KVMLabel(processLabel)
- if err != nil {
- return err
- }
- case c.config.Systemd:
- processLabel, err = selinux.InitLabel(processLabel)
- if err != nil {
- return err
- }
+ processLabel, err := c.processLabel(containerInfo.ProcessLabel)
+ if err != nil {
+ return err
}
-
c.config.ProcessLabel = processLabel
c.config.MountLabel = containerInfo.MountLabel
c.config.StaticDir = containerInfo.Dir
@@ -520,6 +510,26 @@ func (c *Container) setupStorage(ctx context.Context) error {
return nil
}
+func (c *Container) processLabel(processLabel string) (string, error) {
+ if !c.config.Systemd && !c.ociRuntime.SupportsKVM() {
+ return processLabel, nil
+ }
+ ctrSpec, err := c.specFromState()
+ if err != nil {
+ return "", err
+ }
+ label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]
+ if !ok || !strings.Contains(label, "type:") {
+ switch {
+ case c.ociRuntime.SupportsKVM():
+ return selinux.KVMLabel(processLabel)
+ case c.config.Systemd:
+ return selinux.InitLabel(processLabel)
+ }
+ }
+ return processLabel, nil
+}
+
// Tear down a container's storage prior to removal
func (c *Container) teardownStorage() error {
if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) {
diff --git a/test/e2e/run_cgroup_parent_test.go b/test/e2e/run_cgroup_parent_test.go
index 300c3a8e0..3e261961b 100644
--- a/test/e2e/run_cgroup_parent_test.go
+++ b/test/e2e/run_cgroup_parent_test.go
@@ -2,6 +2,7 @@ package integration
import (
"fmt"
+ "io/ioutil"
"os"
"path/filepath"
"strings"
@@ -80,7 +81,21 @@ var _ = Describe("Podman run with --cgroup-parent", func() {
exec.WaitWithDefaultTimeout()
Expect(exec).Should(Exit(0))
- cgroup := filepath.Dir(strings.TrimRight(strings.Replace(exec.OutputToString(), "0::", "", -1), "\n"))
+ containerCgroup := strings.TrimRight(strings.Replace(exec.OutputToString(), "0::", "", -1), "\n")
+
+ content, err := ioutil.ReadFile(filepath.Join("/sys/fs/cgroup", containerCgroup, "cgroup.procs"))
+ Expect(err).To(BeNil())
+
+ // Move the container process to a sub cgroup
+ subCgroupPath := filepath.Join(filepath.Join("/sys/fs/cgroup", containerCgroup, "old-container"))
+
+ err = os.MkdirAll(subCgroupPath, 0755)
+ Expect(err).To(BeNil())
+
+ err = ioutil.WriteFile(filepath.Join(subCgroupPath, "cgroup.procs"), content, 0644)
+ Expect(err).To(BeNil())
+
+ cgroup := filepath.Dir(containerCgroup)
run = podmanTest.Podman([]string{"--cgroup-manager=cgroupfs", "run", "-d", fmt.Sprintf("--cgroup-parent=%s", cgroup), fedoraMinimal, "sleep", "100"})
run.WaitWithDefaultTimeout()
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 4ef9c8b30..5ee0e0715 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -50,6 +50,18 @@ function check_label() {
check_label "--systemd=always" "container_init_t"
}
+@test "podman selinux: init container with --security-opt type" {
+ check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t"
+}
+
+@test "podman selinux: init container with --security-opt level&type" {
+ check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2"
+}
+
+@test "podman selinux: init container with --security-opt level" {
+ check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t" "s0:c1,c2"
+}
+
@test "podman selinux: pid=host" {
# FIXME this test fails when run rootless with runc:
# Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
index b3d142d8c..14e1e38c2 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
@@ -1,12 +1,13 @@
package label
import (
+ "errors"
+ "fmt"
"os"
"os/user"
"strings"
"github.com/opencontainers/selinux/go-selinux"
- "github.com/pkg/errors"
)
// Valid Label Options
@@ -53,11 +54,11 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
return "", selinux.PrivContainerMountLabel(), nil
}
if i := strings.Index(opt, ":"); i == -1 {
- return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
}
con := strings.SplitN(opt, ":", 2)
if !validOptions[con[0]] {
- return "", "", errors.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
}
if con[0] == "filetype" {
mcon["type"] = con[1]
@@ -151,7 +152,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
path = strings.TrimSuffix(path, "/")
}
if exclude_paths[path] {
- return errors.Errorf("SELinux relabeling of %s is not allowed", path)
+ return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
}
if shared {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
index b336ebad3..9ffd77afa 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
@@ -1,7 +1,7 @@
package selinux
import (
- "github.com/pkg/errors"
+ "errors"
)
const (
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index a91a116f8..62df82a34 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -5,6 +5,7 @@ import (
"bytes"
"crypto/rand"
"encoding/binary"
+ "errors"
"fmt"
"io"
"io/ioutil"
@@ -18,7 +19,6 @@ import (
"github.com/bits-and-blooms/bitset"
"github.com/opencontainers/selinux/pkg/pwalk"
- "github.com/pkg/errors"
"golang.org/x/sys/unix"
)
@@ -120,7 +120,7 @@ func verifySELinuxfsMount(mnt string) bool {
if err == nil {
break
}
- if err == unix.EAGAIN || err == unix.EINTR {
+ if err == unix.EAGAIN || err == unix.EINTR { //nolint:errorlint // unix errors are bare
continue
}
return false
@@ -250,12 +250,12 @@ func isProcHandle(fh *os.File) error {
if err == nil {
break
}
- if err != unix.EINTR {
- return errors.Wrapf(err, "statfs(%q) failed", fh.Name())
+ if err != unix.EINTR { //nolint:errorlint // unix errors are bare
+ return &os.PathError{Op: "fstatfs", Path: fh.Name(), Err: err}
}
}
if buf.Type != unix.PROC_SUPER_MAGIC {
- return errors.Errorf("file %q is not on procfs", fh.Name())
+ return fmt.Errorf("file %q is not on procfs", fh.Name())
}
return nil
@@ -311,8 +311,8 @@ func setFileLabel(fpath string, label string) error {
if err == nil {
break
}
- if err != unix.EINTR {
- return errors.Wrapf(err, "failed to set file label on %s", fpath)
+ if err != unix.EINTR { //nolint:errorlint // unix errors are bare
+ return &os.PathError{Op: "lsetxattr", Path: fpath, Err: err}
}
}
@@ -327,7 +327,7 @@ func fileLabel(fpath string) (string, error) {
label, err := lgetxattr(fpath, xattrNameSelinux)
if err != nil {
- return "", err
+ return "", &os.PathError{Op: "lgetxattr", Path: fpath, Err: err}
}
// Trim the NUL byte at the end of the byte buffer, if present.
if len(label) > 0 && label[len(label)-1] == '\x00' {
@@ -390,7 +390,7 @@ func writeCon(fpath, val string) error {
_, err = out.Write(nil)
}
if err != nil {
- return errors.Wrapf(err, "failed to set %s on procfs", fpath)
+ return &os.PathError{Op: "write", Path: fpath, Err: err}
}
return nil
}
@@ -489,13 +489,13 @@ func (l *level) parseLevel(levelStr string) error {
lvl := strings.SplitN(levelStr, ":", 2)
sens, err := parseLevelItem(lvl[0], sensitivity)
if err != nil {
- return errors.Wrap(err, "failed to parse sensitivity")
+ return fmt.Errorf("failed to parse sensitivity: %w", err)
}
l.sens = sens
if len(lvl) > 1 {
cats, err := catsToBitset(lvl[1])
if err != nil {
- return errors.Wrap(err, "failed to parse categories")
+ return fmt.Errorf("failed to parse categories: %w", err)
}
l.cats = cats
}
@@ -513,14 +513,14 @@ func rangeStrToMLSRange(rangeStr string) (*mlsRange, error) {
case 2:
mlsRange.high = &level{}
if err := mlsRange.high.parseLevel(levelSlice[1]); err != nil {
- return nil, errors.Wrapf(err, "failed to parse high level %q", levelSlice[1])
+ return nil, fmt.Errorf("failed to parse high level %q: %w", levelSlice[1], err)
}
fallthrough
// rangeStr that is single level, e.g. s6:c0,c3,c5,c30.c1023
case 1:
mlsRange.low = &level{}
if err := mlsRange.low.parseLevel(levelSlice[0]); err != nil {
- return nil, errors.Wrapf(err, "failed to parse low level %q", levelSlice[0])
+ return nil, fmt.Errorf("failed to parse low level %q: %w", levelSlice[0], err)
}
}
@@ -697,17 +697,21 @@ func socketLabel() (string, error) {
// peerLabel retrieves the label of the client on the other side of a socket
func peerLabel(fd uintptr) (string, error) {
- return unix.GetsockoptString(int(fd), unix.SOL_SOCKET, unix.SO_PEERSEC)
+ label, err := unix.GetsockoptString(int(fd), unix.SOL_SOCKET, unix.SO_PEERSEC)
+ if err != nil {
+ return "", &os.PathError{Op: "getsockopt", Path: "fd " + strconv.Itoa(int(fd)), Err: err}
+ }
+ return label, nil
}
// setKeyLabel takes a process label and tells the kernel to assign the
// label to the next kernel keyring that gets created
func setKeyLabel(label string) error {
err := writeCon("/proc/self/attr/keycreate", label)
- if os.IsNotExist(errors.Cause(err)) {
+ if errors.Is(err, os.ErrNotExist) {
return nil
}
- if label == "" && os.IsPermission(errors.Cause(err)) {
+ if label == "" && errors.Is(err, os.ErrPermission) {
return nil
}
return err
@@ -784,7 +788,7 @@ func enforceMode() int {
// setEnforceMode sets the current SELinux mode Enforcing, Permissive.
// Disabled is not valid, since this needs to be set at boot time.
func setEnforceMode(mode int) error {
- return ioutil.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0644)
+ return ioutil.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0o644)
}
// defaultEnforceMode returns the systems default SELinux mode Enforcing,
@@ -985,7 +989,7 @@ func addMcs(processLabel, fileLabel string) (string, string) {
// securityCheckContext validates that the SELinux label is understood by the kernel
func securityCheckContext(val string) error {
- return ioutil.WriteFile(path.Join(getSelinuxMountPoint(), "context"), []byte(val), 0644)
+ return ioutil.WriteFile(path.Join(getSelinuxMountPoint(), "context"), []byte(val), 0o644)
}
// copyLevel returns a label with the MLS/MCS level from src label replaced on
@@ -1023,7 +1027,7 @@ func badPrefix(fpath string) error {
badPrefixes := []string{"/usr"}
for _, prefix := range badPrefixes {
if strings.HasPrefix(fpath, prefix) {
- return errors.Errorf("relabeling content in %s is not allowed", prefix)
+ return fmt.Errorf("relabeling content in %s is not allowed", prefix)
}
}
return nil
@@ -1050,7 +1054,7 @@ func chcon(fpath string, label string, recurse bool) error {
return pwalk.Walk(fpath, func(p string, info os.FileInfo, err error) error {
e := SetFileLabel(p, label)
// Walk a file tree can race with removal, so ignore ENOENT
- if os.IsNotExist(errors.Cause(e)) {
+ if errors.Is(e, os.ErrNotExist) {
return nil
}
return e
@@ -1072,7 +1076,8 @@ func dupSecOpt(src string) ([]string, error) {
con["type"] == "" {
return nil, nil
}
- dup := []string{"user:" + con["user"],
+ dup := []string{
+ "user:" + con["user"],
"role:" + con["role"],
"type:" + con["type"],
}
@@ -1140,9 +1145,8 @@ func findUserInContext(context Context, r io.Reader, verifier func(string) error
return outConn, nil
}
}
-
if err := scanner.Err(); err != nil {
- return "", errors.Wrap(err, "failed to scan for context")
+ return "", fmt.Errorf("failed to scan for context: %w", err)
}
return "", nil
@@ -1155,7 +1159,7 @@ func getDefaultContextFromReaders(c *defaultSECtx) (string, error) {
context, err := newContext(c.scon)
if err != nil {
- return "", errors.Wrapf(err, "failed to create label for %s", c.scon)
+ return "", fmt.Errorf("failed to create label for %s: %w", c.scon, err)
}
// set so the verifier validates the matched context with the provided user and level.
@@ -1180,7 +1184,7 @@ func getDefaultContextFromReaders(c *defaultSECtx) (string, error) {
return conn, nil
}
- return "", errors.Wrapf(ErrContextMissing, "context not found: %q", c.scon)
+ return "", fmt.Errorf("context %q not found: %w", c.scon, ErrContextMissing)
}
func getDefaultContextWithLevel(user, level, scon string) (string, error) {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
index 117c255be..c6b0a7f26 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
@@ -10,7 +10,7 @@ func lgetxattr(path, attr string) ([]byte, error) {
// Start with a 128 length byte array
dest := make([]byte, 128)
sz, errno := doLgetxattr(path, attr, dest)
- for errno == unix.ERANGE {
+ for errno == unix.ERANGE { //nolint:errorlint // unix errors are bare
// Buffer too small, use zero-sized buffer to get the actual size
sz, errno = doLgetxattr(path, attr, []byte{})
if errno != nil {
@@ -31,7 +31,7 @@ func lgetxattr(path, attr string) ([]byte, error) {
func doLgetxattr(path, attr string, dest []byte) (int, error) {
for {
sz, err := unix.Lgetxattr(path, attr, dest)
- if err != unix.EINTR {
+ if err != unix.EINTR { //nolint:errorlint // unix errors are bare
return sz, err
}
}
diff --git a/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go b/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go
index 437b12b3e..a8088a196 100644
--- a/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go
+++ b/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go
@@ -1,12 +1,11 @@
package pwalk
import (
+ "fmt"
"os"
"path/filepath"
"runtime"
"sync"
-
- "github.com/pkg/errors"
)
type WalkFunc = filepath.WalkFunc
@@ -42,7 +41,7 @@ func Walk(root string, walkFn WalkFunc) error {
func WalkN(root string, walkFn WalkFunc, num int) error {
// make sure limit is sensible
if num < 1 {
- return errors.Errorf("walk(%q): num must be > 0", root)
+ return fmt.Errorf("walk(%q): num must be > 0", root)
}
files := make(chan *walkArgs, 2*num)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ee4f9f25e..0626f45c9 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -525,7 +525,7 @@ github.com/opencontainers/runtime-tools/generate
github.com/opencontainers/runtime-tools/generate/seccomp
github.com/opencontainers/runtime-tools/specerror
github.com/opencontainers/runtime-tools/validate
-# github.com/opencontainers/selinux v1.8.2
+# github.com/opencontainers/selinux v1.8.3
github.com/opencontainers/selinux/go-selinux
github.com/opencontainers/selinux/go-selinux/label
github.com/opencontainers/selinux/pkg/pwalk
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-12-27 08:01:44 +0000