aboutsummaryrefslogtreecommitdiff
path: root/vendor/github.com/opencontainers/selinux/go-selinux
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/opencontainers/selinux/go-selinux')
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label.go5
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go14
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go7
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go5
4 files changed, 29 insertions, 2 deletions
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
index 6cfc5fded..2a31cd3c5 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
@@ -48,6 +48,11 @@ func GetPidLabel(pid int) (string, error) {
func Init() {
}
+// ClearLabels clears all reserved labels
+func ClearLabels() {
+ return
+}
+
func ReserveLabel(label string) error {
return nil
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index f0a055b87..63c4edd05 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -24,17 +24,22 @@ var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be use
// the container. A list of options can be passed into this function to alter
// the labels. The labels returned will include a random MCS String, that is
// guaranteed to be unique.
-func InitLabels(options []string) (string, string, error) {
+func InitLabels(options []string) (plabel string, mlabel string, Err error) {
if !selinux.GetEnabled() {
return "", "", nil
}
processLabel, mountLabel := selinux.ContainerLabels()
if processLabel != "" {
+ defer func() {
+ if Err != nil {
+ ReleaseLabel(mountLabel)
+ }
+ }()
pcon := selinux.NewContext(processLabel)
mcon := selinux.NewContext(mountLabel)
for _, opt := range options {
if opt == "disable" {
- return "", "", nil
+ return "", mountLabel, nil
}
if i := strings.Index(opt, ":"); i == -1 {
return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
@@ -156,6 +161,11 @@ func Init() {
selinux.GetEnabled()
}
+// ClearLabels will clear all reserved labels
+func ClearLabels() {
+ selinux.ClearLabels()
+}
+
// ReserveLabel will record the fact that the MCS label has already been used.
// This will prevent InitLabels from using the MCS label in a newly created
// container
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 5dc09a51e..2cd54eac1 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -409,6 +409,13 @@ func NewContext(label string) Context {
return c
}
+// ClearLabels clears all reserved labels
+func ClearLabels() {
+ state.Lock()
+ state.mcsList = make(map[string]bool)
+ state.Unlock()
+}
+
// ReserveLabel reserves the MLS/MCS level component of the specified label
func ReserveLabel(label string) {
if len(label) != 0 {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 4dbfd83ed..5abf8a362 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -107,6 +107,11 @@ func NewContext(label string) Context {
return c
}
+// ClearLabels clears all reserved MLS/MCS levels
+func ClearLabels() {
+ return
+}
+
// ReserveLabel reserves the MLS/MCS level component of the specified label
func ReserveLabel(label string) {
return