Diffstat (limited to 'vendor/github.com/opencontainers/selinux')
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/doc.go4
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go5
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux.go10
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go11
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go2
5 files changed, 21 insertions, 11 deletions
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/doc.go b/vendor/github.com/opencontainers/selinux/go-selinux/doc.go
index 9c9cbd120..0ac7d819e 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/doc.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/doc.go
@@ -1,10 +1,6 @@
/*
Package selinux provides a high-level interface for interacting with selinux.
-This package uses a selinux build tag to enable the selinux functionality. This
-allows non-linux and linux users who do not have selinux support to still use
-tools that rely on this library.
-
Usage:
import "github.com/opencontainers/selinux/go-selinux"
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
index 439455511..b3d142d8c 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
@@ -25,6 +25,8 @@ var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be use
// the container. A list of options can be passed into this function to alter
// the labels. The labels returned will include a random MCS String, that is
// guaranteed to be unique.
+// If the disabled flag is passed in, the process label will not be set, but the mount label will be set
+// to the container_file label with the maximum category. This label is not usable by any confined label.
func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
if !selinux.GetEnabled() {
return "", "", nil
@@ -47,7 +49,8 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
}
for _, opt := range options {
if opt == "disable" {
- return "", mountLabel, nil
+ selinux.ReleaseLabel(mountLabel)
+ return "", selinux.PrivContainerMountLabel(), nil
}
if i := strings.Index(opt, ":"); i == -1 {
return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
index d9119908b..b336ebad3 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
@@ -11,9 +11,10 @@ const (
Permissive = 0
// Disabled constant to indicate SELinux is disabled
Disabled = -1
-
+ // maxCategory is the maximum number of categories used within containers
+ maxCategory = 1024
// DefaultCategoryRange is the upper bound on the category range
- DefaultCategoryRange = uint32(1024)
+ DefaultCategoryRange = uint32(maxCategory)
)
var (
@@ -276,3 +277,8 @@ func DisableSecOpt() []string {
func GetDefaultContextWithLevel(user, level, scon string) (string, error) {
return getDefaultContextWithLevel(user, level, scon)
}
+
+// PrivContainerMountLabel returns mount label for privileged containers
+func PrivContainerMountLabel() string {
+ return privContainerMountLabel
+}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 5bfcc0490..54597398b 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -892,13 +892,13 @@ func openContextFile() (*os.File, error) {
return os.Open(lxcPath)
}
-var labels = loadLabels()
+var labels, privContainerMountLabel = loadLabels()
-func loadLabels() map[string]string {
+func loadLabels() (map[string]string, string) {
labels := make(map[string]string)
in, err := openContextFile()
if err != nil {
- return labels
+ return labels, ""
}
defer in.Close()
@@ -920,7 +920,10 @@ func loadLabels() map[string]string {
}
}
- return labels
+ con, _ := NewContext(labels["file"])
+ con["level"] = fmt.Sprintf("s0:c%d,c%d", maxCategory-2, maxCategory-1)
+ reserveLabel(con.get())
+ return labels, con.get()
}
// kvmContainerLabels returns the default processLabel and mountLabel to be used
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 70b7b7c85..b7218a0b6 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -2,6 +2,8 @@
package selinux
+const privContainerMountLabel = ""
+
func setDisabled() {
}