summaryrefslogtreecommitdiff
path: root/vendor/github.com/opencontainers/selinux/go-selinux
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/opencontainers/selinux/go-selinux')
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go9
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux.go2
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go54
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go4
4 files changed, 37 insertions, 32 deletions
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
index b3d142d8c..14e1e38c2 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
@@ -1,12 +1,13 @@
package label
import (
+ "errors"
+ "fmt"
"os"
"os/user"
"strings"
"github.com/opencontainers/selinux/go-selinux"
- "github.com/pkg/errors"
)
// Valid Label Options
@@ -53,11 +54,11 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
return "", selinux.PrivContainerMountLabel(), nil
}
if i := strings.Index(opt, ":"); i == -1 {
- return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
}
con := strings.SplitN(opt, ":", 2)
if !validOptions[con[0]] {
- return "", "", errors.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
}
if con[0] == "filetype" {
mcon["type"] = con[1]
@@ -151,7 +152,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
path = strings.TrimSuffix(path, "/")
}
if exclude_paths[path] {
- return errors.Errorf("SELinux relabeling of %s is not allowed", path)
+ return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
}
if shared {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
index b336ebad3..9ffd77afa 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
@@ -1,7 +1,7 @@
package selinux
import (
- "github.com/pkg/errors"
+ "errors"
)
const (
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index a91a116f8..62df82a34 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -5,6 +5,7 @@ import (
"bytes"
"crypto/rand"
"encoding/binary"
+ "errors"
"fmt"
"io"
"io/ioutil"
@@ -18,7 +19,6 @@ import (
"github.com/bits-and-blooms/bitset"
"github.com/opencontainers/selinux/pkg/pwalk"
- "github.com/pkg/errors"
"golang.org/x/sys/unix"
)
@@ -120,7 +120,7 @@ func verifySELinuxfsMount(mnt string) bool {
if err == nil {
break
}
- if err == unix.EAGAIN || err == unix.EINTR {
+ if err == unix.EAGAIN || err == unix.EINTR { //nolint:errorlint // unix errors are bare
continue
}
return false
@@ -250,12 +250,12 @@ func isProcHandle(fh *os.File) error {
if err == nil {
break
}
- if err != unix.EINTR {
- return errors.Wrapf(err, "statfs(%q) failed", fh.Name())
+ if err != unix.EINTR { //nolint:errorlint // unix errors are bare
+ return &os.PathError{Op: "fstatfs", Path: fh.Name(), Err: err}
}
}
if buf.Type != unix.PROC_SUPER_MAGIC {
- return errors.Errorf("file %q is not on procfs", fh.Name())
+ return fmt.Errorf("file %q is not on procfs", fh.Name())
}
return nil
@@ -311,8 +311,8 @@ func setFileLabel(fpath string, label string) error {
if err == nil {
break
}
- if err != unix.EINTR {
- return errors.Wrapf(err, "failed to set file label on %s", fpath)
+ if err != unix.EINTR { //nolint:errorlint // unix errors are bare
+ return &os.PathError{Op: "lsetxattr", Path: fpath, Err: err}
}
}
@@ -327,7 +327,7 @@ func fileLabel(fpath string) (string, error) {
label, err := lgetxattr(fpath, xattrNameSelinux)
if err != nil {
- return "", err
+ return "", &os.PathError{Op: "lgetxattr", Path: fpath, Err: err}
}
// Trim the NUL byte at the end of the byte buffer, if present.
if len(label) > 0 && label[len(label)-1] == '\x00' {
@@ -390,7 +390,7 @@ func writeCon(fpath, val string) error {
_, err = out.Write(nil)
}
if err != nil {
- return errors.Wrapf(err, "failed to set %s on procfs", fpath)
+ return &os.PathError{Op: "write", Path: fpath, Err: err}
}
return nil
}
@@ -489,13 +489,13 @@ func (l *level) parseLevel(levelStr string) error {
lvl := strings.SplitN(levelStr, ":", 2)
sens, err := parseLevelItem(lvl[0], sensitivity)
if err != nil {
- return errors.Wrap(err, "failed to parse sensitivity")
+ return fmt.Errorf("failed to parse sensitivity: %w", err)
}
l.sens = sens
if len(lvl) > 1 {
cats, err := catsToBitset(lvl[1])
if err != nil {
- return errors.Wrap(err, "failed to parse categories")
+ return fmt.Errorf("failed to parse categories: %w", err)
}
l.cats = cats
}
@@ -513,14 +513,14 @@ func rangeStrToMLSRange(rangeStr string) (*mlsRange, error) {
case 2:
mlsRange.high = &level{}
if err := mlsRange.high.parseLevel(levelSlice[1]); err != nil {
- return nil, errors.Wrapf(err, "failed to parse high level %q", levelSlice[1])
+ return nil, fmt.Errorf("failed to parse high level %q: %w", levelSlice[1], err)
}
fallthrough
// rangeStr that is single level, e.g. s6:c0,c3,c5,c30.c1023
case 1:
mlsRange.low = &level{}
if err := mlsRange.low.parseLevel(levelSlice[0]); err != nil {
- return nil, errors.Wrapf(err, "failed to parse low level %q", levelSlice[0])
+ return nil, fmt.Errorf("failed to parse low level %q: %w", levelSlice[0], err)
}
}
@@ -697,17 +697,21 @@ func socketLabel() (string, error) {
// peerLabel retrieves the label of the client on the other side of a socket
func peerLabel(fd uintptr) (string, error) {
- return unix.GetsockoptString(int(fd), unix.SOL_SOCKET, unix.SO_PEERSEC)
+ label, err := unix.GetsockoptString(int(fd), unix.SOL_SOCKET, unix.SO_PEERSEC)
+ if err != nil {
+ return "", &os.PathError{Op: "getsockopt", Path: "fd " + strconv.Itoa(int(fd)), Err: err}
+ }
+ return label, nil
}
// setKeyLabel takes a process label and tells the kernel to assign the
// label to the next kernel keyring that gets created
func setKeyLabel(label string) error {
err := writeCon("/proc/self/attr/keycreate", label)
- if os.IsNotExist(errors.Cause(err)) {
+ if errors.Is(err, os.ErrNotExist) {
return nil
}
- if label == "" && os.IsPermission(errors.Cause(err)) {
+ if label == "" && errors.Is(err, os.ErrPermission) {
return nil
}
return err
@@ -784,7 +788,7 @@ func enforceMode() int {
// setEnforceMode sets the current SELinux mode Enforcing, Permissive.
// Disabled is not valid, since this needs to be set at boot time.
func setEnforceMode(mode int) error {
- return ioutil.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0644)
+ return ioutil.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0o644)
}
// defaultEnforceMode returns the systems default SELinux mode Enforcing,
@@ -985,7 +989,7 @@ func addMcs(processLabel, fileLabel string) (string, string) {
// securityCheckContext validates that the SELinux label is understood by the kernel
func securityCheckContext(val string) error {
- return ioutil.WriteFile(path.Join(getSelinuxMountPoint(), "context"), []byte(val), 0644)
+ return ioutil.WriteFile(path.Join(getSelinuxMountPoint(), "context"), []byte(val), 0o644)
}
// copyLevel returns a label with the MLS/MCS level from src label replaced on
@@ -1023,7 +1027,7 @@ func badPrefix(fpath string) error {
badPrefixes := []string{"/usr"}
for _, prefix := range badPrefixes {
if strings.HasPrefix(fpath, prefix) {
- return errors.Errorf("relabeling content in %s is not allowed", prefix)
+ return fmt.Errorf("relabeling content in %s is not allowed", prefix)
}
}
return nil
@@ -1050,7 +1054,7 @@ func chcon(fpath string, label string, recurse bool) error {
return pwalk.Walk(fpath, func(p string, info os.FileInfo, err error) error {
e := SetFileLabel(p, label)
// Walk a file tree can race with removal, so ignore ENOENT
- if os.IsNotExist(errors.Cause(e)) {
+ if errors.Is(e, os.ErrNotExist) {
return nil
}
return e
@@ -1072,7 +1076,8 @@ func dupSecOpt(src string) ([]string, error) {
con["type"] == "" {
return nil, nil
}
- dup := []string{"user:" + con["user"],
+ dup := []string{
+ "user:" + con["user"],
"role:" + con["role"],
"type:" + con["type"],
}
@@ -1140,9 +1145,8 @@ func findUserInContext(context Context, r io.Reader, verifier func(string) error
return outConn, nil
}
}
-
if err := scanner.Err(); err != nil {
- return "", errors.Wrap(err, "failed to scan for context")
+ return "", fmt.Errorf("failed to scan for context: %w", err)
}
return "", nil
@@ -1155,7 +1159,7 @@ func getDefaultContextFromReaders(c *defaultSECtx) (string, error) {
context, err := newContext(c.scon)
if err != nil {
- return "", errors.Wrapf(err, "failed to create label for %s", c.scon)
+ return "", fmt.Errorf("failed to create label for %s: %w", c.scon, err)
}
// set so the verifier validates the matched context with the provided user and level.
@@ -1180,7 +1184,7 @@ func getDefaultContextFromReaders(c *defaultSECtx) (string, error) {
return conn, nil
}
- return "", errors.Wrapf(ErrContextMissing, "context not found: %q", c.scon)
+ return "", fmt.Errorf("context %q not found: %w", c.scon, ErrContextMissing)
}
func getDefaultContextWithLevel(user, level, scon string) (string, error) {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
index 117c255be..c6b0a7f26 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
@@ -10,7 +10,7 @@ func lgetxattr(path, attr string) ([]byte, error) {
// Start with a 128 length byte array
dest := make([]byte, 128)
sz, errno := doLgetxattr(path, attr, dest)
- for errno == unix.ERANGE {
+ for errno == unix.ERANGE { //nolint:errorlint // unix errors are bare
// Buffer too small, use zero-sized buffer to get the actual size
sz, errno = doLgetxattr(path, attr, []byte{})
if errno != nil {
@@ -31,7 +31,7 @@ func lgetxattr(path, attr string) ([]byte, error) {
func doLgetxattr(path, attr string, dest []byte) (int, error) {
for {
sz, err := unix.Lgetxattr(path, attr, dest)
- if err != unix.EINTR {
+ if err != unix.EINTR { //nolint:errorlint // unix errors are bare
return sz, err
}
}