Diffstat (limited to 'vendor/github.com/opencontainers/selinux')
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux.go4
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go111
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go6
3 files changed, 72 insertions, 49 deletions
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
index 9ffd77afa..0eedcaa78 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
@@ -38,6 +38,8 @@ var (
// CategoryRange allows the upper bound on the category range to be adjusted
CategoryRange = DefaultCategoryRange
+
+ privContainerMountLabel string
)
// Context is a representation of the SELinux label broken into 4 parts
@@ -280,5 +282,7 @@ func GetDefaultContextWithLevel(user, level, scon string) (string, error) {
// PrivContainerMountLabel returns mount label for privileged containers
func PrivContainerMountLabel() string {
+ // Make sure label is initialized.
+ _ = label("")
return privContainerMountLabel
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index a804473e4..295b2bc4e 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -12,7 +12,6 @@ import (
"os"
"path"
"path/filepath"
- "regexp"
"strconv"
"strings"
"sync"
@@ -34,8 +33,6 @@ const (
xattrNameSelinux = "security.selinux"
)
-var policyRoot = filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
-
type selinuxState struct {
enabledSet bool
enabled bool
@@ -70,7 +67,6 @@ const (
)
var (
- assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
readOnlyFileLabel string
state = selinuxState{
mcsList: make(map[string]bool),
@@ -79,8 +75,24 @@ var (
// for attrPath()
attrPathOnce sync.Once
haveThreadSelf bool
+
+ // for policyRoot()
+ policyRootOnce sync.Once
+ policyRootVal string
+
+ // for label()
+ loadLabelsOnce sync.Once
+ labels map[string]string
)
+func policyRoot() string {
+ policyRootOnce.Do(func() {
+ policyRootVal = filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
+ })
+
+ return policyRootVal
+}
+
func (s *selinuxState) setEnable(enabled bool) bool {
s.Lock()
defer s.Unlock()
@@ -222,7 +234,7 @@ func readConfig(target string) string {
scanner := bufio.NewScanner(in)
for scanner.Scan() {
- line := strings.TrimSpace(scanner.Text())
+ line := bytes.TrimSpace(scanner.Bytes())
if len(line) == 0 {
// Skip blank lines
continue
@@ -231,11 +243,12 @@ func readConfig(target string) string {
// Skip comments
continue
}
- if groups := assignRegex.FindStringSubmatch(line); groups != nil {
- key, val := strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
- if key == target {
- return strings.Trim(val, "\"")
- }
+ fields := bytes.SplitN(line, []byte{'='}, 2)
+ if len(fields) != 2 {
+ continue
+ }
+ if bytes.Equal(fields[0], []byte(target)) {
+ return string(bytes.Trim(fields[1], `"`))
}
}
return ""
@@ -274,12 +287,15 @@ func readCon(fpath string) (string, error) {
if err := isProcHandle(in); err != nil {
return "", err
}
+ return readConFd(in)
+}
- var retval string
- if _, err := fmt.Fscanf(in, "%s", &retval); err != nil {
+func readConFd(in *os.File) (string, error) {
+ data, err := ioutil.ReadAll(in)
+ if err != nil {
return "", err
}
- return strings.Trim(retval, "\x00"), nil
+ return string(bytes.TrimSuffix(data, []byte{0})), nil
}
// classIndex returns the int index for an object class in the loaded policy,
@@ -389,7 +405,7 @@ func writeCon(fpath, val string) error {
_, err = out.Write(nil)
}
if err != nil {
- return &os.PathError{Op: "write", Path: fpath, Err: err}
+ return err
}
return nil
}
@@ -664,11 +680,7 @@ func readWriteCon(fpath string, val string) (string, error) {
return "", err
}
- var retval string
- if _, err := fmt.Fscanf(f, "%s", &retval); err != nil {
- return "", err
- }
- return strings.Trim(retval, "\x00"), nil
+ return readConFd(f)
}
// setExecLabel sets the SELinux label that the kernel will use for any programs
@@ -723,10 +735,10 @@ func keyLabel() (string, error) {
// get returns the Context as a string
func (c Context) get() string {
- if c["level"] != "" {
- return fmt.Sprintf("%s:%s:%s:%s", c["user"], c["role"], c["type"], c["level"])
+ if level := c["level"]; level != "" {
+ return c["user"] + ":" + c["role"] + ":" + c["type"] + ":" + level
}
- return fmt.Sprintf("%s:%s:%s", c["user"], c["role"], c["type"])
+ return c["user"] + ":" + c["role"] + ":" + c["type"]
}
// newContext creates a new Context struct from the specified label
@@ -891,24 +903,21 @@ func openContextFile() (*os.File, error) {
if f, err := os.Open(contextFile); err == nil {
return f, nil
}
- lxcPath := filepath.Join(policyRoot, "/contexts/lxc_contexts")
- return os.Open(lxcPath)
+ return os.Open(filepath.Join(policyRoot(), "/contexts/lxc_contexts"))
}
-var labels, privContainerMountLabel = loadLabels()
-
-func loadLabels() (map[string]string, string) {
- labels := make(map[string]string)
+func loadLabels() {
+ labels = make(map[string]string)
in, err := openContextFile()
if err != nil {
- return labels, ""
+ return
}
defer in.Close()
scanner := bufio.NewScanner(in)
for scanner.Scan() {
- line := strings.TrimSpace(scanner.Text())
+ line := bytes.TrimSpace(scanner.Bytes())
if len(line) == 0 {
// Skip blank lines
continue
@@ -917,38 +926,47 @@ func loadLabels() (map[string]string, string) {
// Skip comments
continue
}
- if groups := assignRegex.FindStringSubmatch(line); groups != nil {
- key, val := strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
- labels[key] = strings.Trim(val, "\"")
+ fields := bytes.SplitN(line, []byte{'='}, 2)
+ if len(fields) != 2 {
+ continue
}
+ key, val := bytes.TrimSpace(fields[0]), bytes.TrimSpace(fields[1])
+ labels[string(key)] = string(bytes.Trim(val, `"`))
}
con, _ := NewContext(labels["file"])
con["level"] = fmt.Sprintf("s0:c%d,c%d", maxCategory-2, maxCategory-1)
- reserveLabel(con.get())
- return labels, con.get()
+ privContainerMountLabel = con.get()
+ reserveLabel(privContainerMountLabel)
+}
+
+func label(key string) string {
+ loadLabelsOnce.Do(func() {
+ loadLabels()
+ })
+ return labels[key]
}
// kvmContainerLabels returns the default processLabel and mountLabel to be used
// for kvm containers by the calling process.
func kvmContainerLabels() (string, string) {
- processLabel := labels["kvm_process"]
+ processLabel := label("kvm_process")
if processLabel == "" {
- processLabel = labels["process"]
+ processLabel = label("process")
}
- return addMcs(processLabel, labels["file"])
+ return addMcs(processLabel, label("file"))
}
// initContainerLabels returns the default processLabel and file labels to be
// used for containers running an init system like systemd by the calling process.
func initContainerLabels() (string, string) {
- processLabel := labels["init_process"]
+ processLabel := label("init_process")
if processLabel == "" {
- processLabel = labels["process"]
+ processLabel = label("process")
}
- return addMcs(processLabel, labels["file"])
+ return addMcs(processLabel, label("file"))
}
// containerLabels returns an allocated processLabel and fileLabel to be used for
@@ -958,9 +976,9 @@ func containerLabels() (processLabel string, fileLabel string) {
return "", ""
}
- processLabel = labels["process"]
- fileLabel = labels["file"]
- readOnlyFileLabel = labels["ro_file"]
+ processLabel = label("process")
+ fileLabel = label("file")
+ readOnlyFileLabel = label("ro_file")
if processLabel == "" || fileLabel == "" {
return "", fileLabel
@@ -1180,15 +1198,14 @@ func getDefaultContextFromReaders(c *defaultSECtx) (string, error) {
}
func getDefaultContextWithLevel(user, level, scon string) (string, error) {
- userPath := filepath.Join(policyRoot, selinuxUsersDir, user)
- defaultPath := filepath.Join(policyRoot, defaultContexts)
-
+ userPath := filepath.Join(policyRoot(), selinuxUsersDir, user)
fu, err := os.Open(userPath)
if err != nil {
return "", err
}
defer fu.Close()
+ defaultPath := filepath.Join(policyRoot(), defaultContexts)
fd, err := os.Open(defaultPath)
if err != nil {
return "", err
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index b7218a0b6..42657759c 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -2,8 +2,6 @@
package selinux
-const privContainerMountLabel = ""
-
func setDisabled() {
}
@@ -152,3 +150,7 @@ func disableSecOpt() []string {
func getDefaultContextWithLevel(user, level, scon string) (string, error) {
return "", nil
}
+
+func label(_ string) string {
+ return ""
+}