summaryrefslogtreecommitdiff
path: root/vendor/github.com/opencontainers/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/opencontainers/selinux')
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go4
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux.go2
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go68
-rw-r--r--vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go12
-rw-r--r--vendor/github.com/opencontainers/selinux/pkg/pwalkdir/pwalkdir.go13
5 files changed, 63 insertions, 36 deletions
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
index 14e1e38c2..12de0ae5d 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
@@ -103,9 +103,11 @@ func SetFileCreateLabel(fileLabel string) error {
return selinux.SetFSCreateLabel(fileLabel)
}
-// Relabel changes the label of path to the filelabel string.
+// Relabel changes the label of path and all the entries beneath the path.
// It changes the MCS label to s0 if shared is true.
// This will allow all containers to share the content.
+//
+// The path itself is guaranteed to be relabeled last.
func Relabel(path string, fileLabel string, shared bool) error {
if !selinux.GetEnabled() || fileLabel == "" {
return nil
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
index 0eedcaa78..cad467507 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
@@ -255,6 +255,8 @@ func CopyLevel(src, dest string) (string, error) {
// Chcon changes the fpath file object to the SELinux label label.
// If fpath is a directory and recurse is true, then Chcon walks the
// directory tree setting the label.
+//
+// The fpath itself is guaranteed to be relabeled last.
func Chcon(fpath string, label string, recurse bool) error {
return chcon(fpath, label, recurse)
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 295b2bc4e..b045843ad 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -9,6 +9,7 @@ import (
"fmt"
"io"
"io/ioutil"
+ "math/big"
"os"
"path"
"path/filepath"
@@ -16,7 +17,6 @@ import (
"strings"
"sync"
- "github.com/bits-and-blooms/bitset"
"golang.org/x/sys/unix"
)
@@ -44,7 +44,7 @@ type selinuxState struct {
type level struct {
sens uint
- cats *bitset.BitSet
+ cats *big.Int
}
type mlsRange struct {
@@ -455,8 +455,8 @@ func computeCreateContext(source string, target string, class string) (string, e
}
// catsToBitset stores categories in a bitset.
-func catsToBitset(cats string) (*bitset.BitSet, error) {
- bitset := &bitset.BitSet{}
+func catsToBitset(cats string) (*big.Int, error) {
+ bitset := new(big.Int)
catlist := strings.Split(cats, ",")
for _, r := range catlist {
@@ -471,14 +471,14 @@ func catsToBitset(cats string) (*bitset.BitSet, error) {
return nil, err
}
for i := catstart; i <= catend; i++ {
- bitset.Set(i)
+ bitset.SetBit(bitset, int(i), 1)
}
} else {
cat, err := parseLevelItem(ranges[0], category)
if err != nil {
return nil, err
}
- bitset.Set(cat)
+ bitset.SetBit(bitset, int(cat), 1)
}
}
@@ -548,37 +548,30 @@ func rangeStrToMLSRange(rangeStr string) (*mlsRange, error) {
// bitsetToStr takes a category bitset and returns it in the
// canonical selinux syntax
-func bitsetToStr(c *bitset.BitSet) string {
+func bitsetToStr(c *big.Int) string {
var str string
- i, e := c.NextSet(0)
- len := 0
- for e {
- if len == 0 {
+
+ length := 0
+ for i := int(c.TrailingZeroBits()); i < c.BitLen(); i++ {
+ if c.Bit(i) == 0 {
+ continue
+ }
+ if length == 0 {
if str != "" {
str += ","
}
- str += "c" + strconv.Itoa(int(i))
- }
-
- next, e := c.NextSet(i + 1)
- if e {
- // consecutive cats
- if next == i+1 {
- len++
- i = next
- continue
- }
+ str += "c" + strconv.Itoa(i)
}
- if len == 1 {
- str += ",c" + strconv.Itoa(int(i))
- } else if len > 1 {
- str += ".c" + strconv.Itoa(int(i))
+ if c.Bit(i+1) == 1 {
+ length++
+ continue
}
- if !e {
- break
+ if length == 1 {
+ str += ",c" + strconv.Itoa(i)
+ } else if length > 1 {
+ str += ".c" + strconv.Itoa(i)
}
- len = 0
- i = next
+ length = 0
}
return str
@@ -591,13 +584,16 @@ func (l1 *level) equal(l2 *level) bool {
if l1.sens != l2.sens {
return false
}
- return l1.cats.Equal(l2.cats)
+ if l2.cats == nil || l1.cats == nil {
+ return l2.cats == l1.cats
+ }
+ return l1.cats.Cmp(l2.cats) == 0
}
// String returns an mlsRange as a string.
func (m mlsRange) String() string {
low := "s" + strconv.Itoa(int(m.low.sens))
- if m.low.cats != nil && m.low.cats.Count() > 0 {
+ if m.low.cats != nil && m.low.cats.BitLen() > 0 {
low += ":" + bitsetToStr(m.low.cats)
}
@@ -606,7 +602,7 @@ func (m mlsRange) String() string {
}
high := "s" + strconv.Itoa(int(m.high.sens))
- if m.high.cats != nil && m.high.cats.Count() > 0 {
+ if m.high.cats != nil && m.high.cats.BitLen() > 0 {
high += ":" + bitsetToStr(m.high.cats)
}
@@ -656,10 +652,12 @@ func calculateGlbLub(sourceRange, targetRange string) (string, error) {
/* find the intersecting categories */
if s.low.cats != nil && t.low.cats != nil {
- outrange.low.cats = s.low.cats.Intersection(t.low.cats)
+ outrange.low.cats = new(big.Int)
+ outrange.low.cats.And(s.low.cats, t.low.cats)
}
if s.high.cats != nil && t.high.cats != nil {
- outrange.high.cats = s.high.cats.Intersection(t.high.cats)
+ outrange.high.cats = new(big.Int)
+ outrange.high.cats.And(s.high.cats, t.high.cats)
}
return outrange.String(), nil
diff --git a/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go b/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go
index 011fe862a..202c80da5 100644
--- a/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go
+++ b/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go
@@ -51,6 +51,9 @@ func WalkN(root string, walkFn WalkFunc, num int) error {
var (
err error
wg sync.WaitGroup
+
+ rootLen = len(root)
+ rootEntry *walkArgs
)
wg.Add(1)
go func() {
@@ -59,6 +62,11 @@ func WalkN(root string, walkFn WalkFunc, num int) error {
close(files)
return err
}
+ if len(p) == rootLen {
+ // Root entry is processed separately below.
+ rootEntry = &walkArgs{path: p, info: &info}
+ return nil
+ }
// add a file to the queue unless a callback sent an error
select {
case e := <-errCh:
@@ -92,6 +100,10 @@ func WalkN(root string, walkFn WalkFunc, num int) error {
wg.Wait()
+ if err == nil {
+ err = walkFn(rootEntry.path, *rootEntry.info, nil)
+ }
+
return err
}
diff --git a/vendor/github.com/opencontainers/selinux/pkg/pwalkdir/pwalkdir.go b/vendor/github.com/opencontainers/selinux/pkg/pwalkdir/pwalkdir.go
index 222820750..a5796b2c4 100644
--- a/vendor/github.com/opencontainers/selinux/pkg/pwalkdir/pwalkdir.go
+++ b/vendor/github.com/opencontainers/selinux/pkg/pwalkdir/pwalkdir.go
@@ -1,3 +1,4 @@
+//go:build go1.16
// +build go1.16
package pwalkdir
@@ -51,6 +52,9 @@ func WalkN(root string, walkFn fs.WalkDirFunc, num int) error {
var (
err error
wg sync.WaitGroup
+
+ rootLen = len(root)
+ rootEntry *walkArgs
)
wg.Add(1)
go func() {
@@ -59,6 +63,11 @@ func WalkN(root string, walkFn fs.WalkDirFunc, num int) error {
close(files)
return err
}
+ if len(p) == rootLen {
+ // Root entry is processed separately below.
+ rootEntry = &walkArgs{path: p, entry: entry}
+ return nil
+ }
// Add a file to the queue unless a callback sent an error.
select {
case e := <-errCh:
@@ -92,6 +101,10 @@ func WalkN(root string, walkFn fs.WalkDirFunc, num int) error {
wg.Wait()
+ if err == nil {
+ err = walkFn(rootEntry.path, rootEntry.entry, nil)
+ }
+
return err
}