Diffstat (limited to 'vendor/github.com/containers/buildah/selinux.go')
-rw-r--r--vendor/github.com/containers/buildah/selinux.go22
1 files changed, 22 insertions, 0 deletions
diff --git a/vendor/github.com/containers/buildah/selinux.go b/vendor/github.com/containers/buildah/selinux.go
index 00903203e..e7e9fd8c2 100644
--- a/vendor/github.com/containers/buildah/selinux.go
+++ b/vendor/github.com/containers/buildah/selinux.go
@@ -3,8 +3,12 @@
package buildah
import (
+ "fmt"
+
"github.com/opencontainers/runtime-tools/generate"
selinux "github.com/opencontainers/selinux/go-selinux"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/pkg/errors"
)
func selinuxGetEnabled() bool {
@@ -17,3 +21,21 @@ func setupSelinux(g *generate.Generator, processLabel, mountLabel string) {
g.SetLinuxMountLabel(mountLabel)
}
}
+
+func runLabelStdioPipes(stdioPipe [][]int, processLabel, mountLabel string) error {
+ if !selinuxGetEnabled() || processLabel == "" || mountLabel == "" {
+ // SELinux is completely disabled, or we're not doing anything at all with labeling
+ return nil
+ }
+ pipeContext, err := selinux.ComputeCreateContext(processLabel, mountLabel, "fifo_file")
+ if err != nil {
+ return errors.Wrapf(err, "computing file creation context for pipes")
+ }
+ for i := range stdioPipe {
+ pipeFdName := fmt.Sprintf("/proc/self/fd/%d", stdioPipe[i][0])
+ if err := label.Relabel(pipeFdName, pipeContext, false); err != nil {
+ return errors.Wrapf(err, "setting file label on %q", pipeFdName)
+ }
+ }
+ return nil
+}