Diffstat (limited to 'vendor/github.com')
19 files changed, 268 insertions, 50 deletions
diff --git a/vendor/github.com/containers/storage/containers.go b/vendor/github.com/containers/storage/containers.go index f87ea15be..0a125331d 100644 --- a/vendor/github.com/containers/storage/containers.go +++ b/vendor/github.com/containers/storage/containers.go @@ -133,6 +133,20 @@ func copyContainer(c *Container) *Container { } } +func (c *Container) MountLabel() string { + if label, ok := c.Flags["MountLabel"].(string); ok { + return label + } + return "" +} + +func (c *Container) ProcessLabel() string { + if label, ok := c.Flags["ProcessLabel"].(string); ok { + return label + } + return "" +} + func (r *containerStore) Containers() ([]Container, error) { containers := make([]Container, len(r.containers)) for i := range r.containers { @@ -297,7 +311,7 @@ func (r *containerStore) Create(id string, names []string, image, layer, metadat BigDataSizes: make(map[string]int64), BigDataDigests: make(map[string]digest.Digest), Created: time.Now().UTC(), - Flags: make(map[string]interface{}), + Flags: copyStringInterfaceMap(options.Flags), UIDMap: copyIDMap(options.UIDMap), GIDMap: copyIDMap(options.GIDMap), } diff --git a/vendor/github.com/containers/storage/drivers/aufs/aufs.go b/vendor/github.com/containers/storage/drivers/aufs/aufs.go index bee4a598e..f14ba24b9 100644 --- a/vendor/github.com/containers/storage/drivers/aufs/aufs.go +++ b/vendor/github.com/containers/storage/drivers/aufs/aufs.go @@ -416,7 +416,7 @@ func atomicRemove(source string) error { // Get returns the rootfs path for the id. // This will mount the dir at its given path -func (a *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { +func (a *Driver) Get(id string, options graphdriver.MountOpts) (string, error) { a.locker.Lock(id) defer a.locker.Unlock(id) parents, err := a.getParentLayerPaths(id) 
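Review bot: The new exported accessors `MountLabel()` and `ProcessLabel()` carry no doc comments, so a reader cannot tell that they look up `Flags["MountLabel"]` / `Flags["ProcessLabel"]` and that a missing or non-string entry yields `""`. Suggest `// MountLabel returns the SELinux mount label stored in Flags["MountLabel"], or "" if it is unset or not a string.` with the matching sentence for ProcessLabel. In the second hunk, replacing the empty map with `copyStringInterfaceMap(options.Flags)` means caller-supplied flags now reach the persisted container; copying rather than aliasing the caller's map is the right choice for data that is later serialized.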
@@ -441,7 +441,7 @@ func (a *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (s // If a dir does not have a parent ( no layers )do not try to mount // just return the diff path to the data if len(parents) > 0 { - if err := a.mount(id, m, mountLabel, parents); err != nil { + if err := a.mount(id, m, options.MountLabel, parents); err != nil { return "", err } } diff --git a/vendor/github.com/containers/storage/drivers/btrfs/btrfs.go b/vendor/github.com/containers/storage/drivers/btrfs/btrfs.go index 2dd81b0c0..adc34d209 100644 --- a/vendor/github.com/containers/storage/drivers/btrfs/btrfs.go +++ b/vendor/github.com/containers/storage/drivers/btrfs/btrfs.go @@ -634,7 +634,7 @@ func (d *Driver) Remove(id string) error { } // Get the requested filesystem id. -func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { +func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) { dir := d.subvolumesDirID(id) st, err := os.Stat(dir) if err != nil { diff --git a/vendor/github.com/containers/storage/drivers/chown.go b/vendor/github.com/containers/storage/drivers/chown.go index 168bb7e34..4d4011ee0 100644 --- a/vendor/github.com/containers/storage/drivers/chown.go +++ b/vendor/github.com/containers/storage/drivers/chown.go @@ -114,7 +114,10 @@ func NewNaiveLayerIDMapUpdater(driver ProtoDriver) LayerIDMapUpdater { // same "container" IDs. func (n *naiveLayerIDMapUpdater) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMappings, mountLabel string) error { driver := n.ProtoDriver - layerFs, err := driver.Get(id, mountLabel, nil, nil) + options := MountOpts{ + MountLabel: mountLabel, + } + layerFs, err := driver.Get(id, options) if err != nil { return err } diff --git a/vendor/github.com/containers/storage/drivers/devmapper/driver.go b/vendor/github.com/containers/storage/drivers/devmapper/driver.go index 4aaca6508..9fc082d7d 100644 
--- a/vendor/github.com/containers/storage/drivers/devmapper/driver.go +++ b/vendor/github.com/containers/storage/drivers/devmapper/driver.go @@ -163,7 +163,7 @@ func (d *Driver) Remove(id string) error { } // Get mounts a device with given id into the root filesystem -func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { +func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) { d.locker.Lock(id) defer d.locker.Unlock(id) mp := path.Join(d.home, "mnt", id) @@ -189,7 +189,7 @@ func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (s } // Mount the device - if err := d.DeviceSet.MountDevice(id, mp, mountLabel); err != nil { + if err := d.DeviceSet.MountDevice(id, mp, options.MountLabel); err != nil { d.ctr.Decrement(mp) return "", err } diff --git a/vendor/github.com/containers/storage/drivers/driver.go b/vendor/github.com/containers/storage/drivers/driver.go index 40b911ab7..4569c7b59 100644 --- a/vendor/github.com/containers/storage/drivers/driver.go +++ b/vendor/github.com/containers/storage/drivers/driver.go @@ -42,6 +42,15 @@ type CreateOpts struct { StorageOpt map[string]string } +// MountOpts contains optional arguments for LayerStope.Mount() methods. +type MountOpts struct { + // Mount label is the MAC Labels to assign to mount point (SELINUX) + MountLabel string + // UidMaps & GidMaps are the User Namespace mappings to be assigned to content in the mount point + UidMaps []idtools.IDMap + GidMaps []idtools.IDMap +} + // InitFunc initializes the storage driver. type InitFunc func(root string, options []string, uidMaps, gidMaps []idtools.IDMap) (Driver, error) 
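Review bot: The doc comment on the new `MountOpts` type says `LayerStope.Mount()`, a typo for `LayerStore.Mount()`, and the field comment `Mount label is the MAC Labels ...` does not begin with the field name. Suggest `// MountOpts contains optional arguments for LayerStore.Mount() and ProtoDriver.Get().` and `// MountLabel is the SELinux (MAC) label to apply to the mount point, or "" for none.`. The fields `UidMaps`/`GidMaps` also break the initialism convention used by `idtools.IDMap` on the next line (`UIDMaps`/`GIDMaps`); since the type is exported and brand new, renaming is cheap now and a breaking change later. The devmapper hunks on this line are mechanical call-site updates.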
@@ -68,7 +77,7 @@ type ProtoDriver interface { // to by this id. You can optionally specify a mountLabel or "". // Optionally it gets the mappings used to create the layer. // Returns the absolute path to the mounted layered filesystem. - Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (dir string, err error) + Get(id string, options MountOpts) (dir string, err error) // Put releases the system resources for the specified id, // e.g, unmounting layered filesystem. Put(id string) error diff --git a/vendor/github.com/containers/storage/drivers/fsdiff.go b/vendor/github.com/containers/storage/drivers/fsdiff.go index 64541e269..19da7d101 100644 --- a/vendor/github.com/containers/storage/drivers/fsdiff.go +++ b/vendor/github.com/containers/storage/drivers/fsdiff.go @@ -51,7 +51,10 @@ func (gdw *NaiveDiffDriver) Diff(id string, idMappings *idtools.IDMappings, pare parentMappings = &idtools.IDMappings{} } - layerFs, err := driver.Get(id, mountLabel, nil, nil) + options := MountOpts{ + MountLabel: mountLabel, + } + layerFs, err := driver.Get(id, options) if err != nil { return nil, err } @@ -78,7 +81,7 @@ func (gdw *NaiveDiffDriver) Diff(id string, idMappings *idtools.IDMappings, pare }), nil } - parentFs, err := driver.Get(parent, mountLabel, nil, nil) + parentFs, err := driver.Get(parent, options) if err != nil { return nil, err } @@ -119,7 +122,10 @@ func (gdw *NaiveDiffDriver) Changes(id string, idMappings *idtools.IDMappings, p parentMappings = &idtools.IDMappings{} } - layerFs, err := driver.Get(id, mountLabel, nil, nil) + options := MountOpts{ + MountLabel: mountLabel, + } + layerFs, err := driver.Get(id, options) if err != nil { return nil, err } 
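Review bot: The doc comment above the changed `Get` signature still describes the removed parameters (`You can optionally specify a mountLabel or "". Optionally it gets the mappings used to create the layer.`) while the method now takes a single `options MountOpts`. Suggest replacing those two sentences with `// options.MountLabel may be "" and options.UidMaps/GidMaps may be nil; see MountOpts.` so the interface documentation matches what implementers receive. The fsdiff.go hunks that also end on this line are call-site updates only.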
@@ -128,7 +134,10 @@ func (gdw *NaiveDiffDriver) Changes(id string, idMappings *idtools.IDMappings, p parentFs := "" if parent != "" { - parentFs, err = driver.Get(parent, mountLabel, nil, nil) + options := MountOpts{ + MountLabel: mountLabel, + } + parentFs, err = driver.Get(parent, options) if err != nil { return nil, err } @@ -149,7 +158,10 @@ func (gdw *NaiveDiffDriver) ApplyDiff(id string, applyMappings *idtools.IDMappin } // Mount the root filesystem so we can apply the diff/layer. - layerFs, err := driver.Get(id, mountLabel, nil, nil) + mountOpts := MountOpts{ + MountLabel: mountLabel, + } + layerFs, err := driver.Get(id, mountOpts) if err != nil { return } @@ -189,7 +201,10 @@ func (gdw *NaiveDiffDriver) DiffSize(id string, idMappings *idtools.IDMappings, return } - layerFs, err := driver.Get(id, mountLabel, nil, nil) + options := MountOpts{ + MountLabel: mountLabel, + } + layerFs, err := driver.Get(id, options) if err != nil { return } diff --git a/vendor/github.com/containers/storage/drivers/overlay/overlay.go b/vendor/github.com/containers/storage/drivers/overlay/overlay.go index 323d7c274..66ccc6a63 100644 --- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go +++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go 
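Review bot: In `Changes`, the hunk at `@@ -128,7 +134,10` declares a second `options := MountOpts{MountLabel: mountLabel}` inside `if parent != "" {`, which appears to shadow the identical `options` the hunk at `@@ -119,7 +122,10` already declared earlier in the same function body; `Diff` reuses its single `options` for the parent call instead. Dropping the inner declaration leaves just `parentFs, err = driver.Get(parent, options)`. `ApplyDiff` also names the same value `mountOpts` while the other functions in the file call it `options`; one name throughout would read more consistently. The enclosing functions start before these hunks.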
@@ -642,11 +642,11 @@ func (d *Driver) Remove(id string) error { } // Get creates and mounts the required file system for the given id and returns the mount path. -func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (_ string, retErr error) { - return d.get(id, mountLabel, false, uidMaps, gidMaps) +func (d *Driver) Get(id string, options graphdriver.MountOpts) (_ string, retErr error) { + return d.get(id, false, options) } -func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMaps []idtools.IDMap) (_ string, retErr error) { +func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountOpts) (_ string, retErr error) { d.locker.Lock(id) defer d.locker.Unlock(id) dir := d.dir(id) @@ -740,7 +740,7 @@ func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMa if d.options.mountOptions != "" { opts = fmt.Sprintf("%s,%s", d.options.mountOptions, opts) } - mountData := label.FormatMountLabel(opts, mountLabel) + mountData := label.FormatMountLabel(opts, options.MountLabel) mountFunc := unix.Mount mountTarget := mergedDir @@ -753,7 +753,7 @@ func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMa if d.options.mountProgram != "" { mountFunc = func(source string, target string, mType string, flags uintptr, label string) error { if !disableShifting { - label = d.optsAppendMappings(label, uidMaps, gidMaps) + label = d.optsAppendMappings(label, options.UidMaps, options.GidMaps) } mountProgram := exec.Command(d.options.mountProgram, "-o", label, target) 
@@ -763,7 +763,7 @@ func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMa } else if len(mountData) > pageSize { //FIXME: We need to figure out to get this to work with additional stores opts = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", strings.Join(relLowers, ":"), path.Join(id, "diff"), path.Join(id, "work")) - mountData = label.FormatMountLabel(opts, mountLabel) + mountData = label.FormatMountLabel(opts, options.MountLabel) if len(mountData) > pageSize { return "", fmt.Errorf("cannot mount layer, mount label too large %d", len(mountData)) } @@ -952,7 +952,10 @@ func (d *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMapp } // Mount the new layer and handle ownership changes and possible copy_ups in it. - layerFs, err := d.get(id, mountLabel, true, nil, nil) + options := graphdriver.MountOpts{ + MountLabel: mountLabel, + } + layerFs, err := d.get(id, true, options) if err != nil { return err } diff --git a/vendor/github.com/containers/storage/drivers/vfs/driver.go b/vendor/github.com/containers/storage/drivers/vfs/driver.go index 115afb814..d10fb2607 100644 --- a/vendor/github.com/containers/storage/drivers/vfs/driver.go +++ b/vendor/github.com/containers/storage/drivers/vfs/driver.go @@ -137,7 +137,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts, ro bool label.SetFileLabel(dir, mountLabel) } if parent != "" { - parentDir, err := d.Get(parent, "", nil, nil) + parentDir, err := d.Get(parent, graphdriver.MountOpts{}) if err != nil { return fmt.Errorf("%s: %s", parent, err) } @@ -179,7 +179,7 @@ func (d *Driver) Remove(id string) error { } // Get returns the directory for the given id. -func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { +func (d *Driver) Get(id string, options graphdriver.MountOpts) (_ string, retErr error) { dir := d.dir(id) if st, err := os.Stat(dir); err != nil { return "", err 
diff --git a/vendor/github.com/containers/storage/drivers/windows/windows.go b/vendor/github.com/containers/storage/drivers/windows/windows.go index 9d9aac701..4ccf657dc 100644 --- a/vendor/github.com/containers/storage/drivers/windows/windows.go +++ b/vendor/github.com/containers/storage/drivers/windows/windows.go @@ -362,9 +362,9 @@ func (d *Driver) Remove(id string) error { } // Get returns the rootfs path for the id. This will mount the dir at its given path. -func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { +func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) { panicIfUsedByLcow() - logrus.Debugf("WindowsGraphDriver Get() id %s mountLabel %s", id, mountLabel) + logrus.Debugf("WindowsGraphDriver Get() id %s mountLabel %s", id, options.MountLabel) var dir string rID, err := d.resolveID(id) @@ -620,7 +620,7 @@ func (d *Driver) DiffSize(id string, idMappings *idtools.IDMappings, parent stri return } - layerFs, err := d.Get(id, "", nil, nil) + layerFs, err := d.Get(id, graphdriver.MountOpts{}) if err != nil { return } diff --git a/vendor/github.com/containers/storage/drivers/zfs/zfs.go b/vendor/github.com/containers/storage/drivers/zfs/zfs.go index b8ae59a61..cb4424f2d 100644 --- a/vendor/github.com/containers/storage/drivers/zfs/zfs.go +++ b/vendor/github.com/containers/storage/drivers/zfs/zfs.go 
@@ -360,15 +360,15 @@ func (d *Driver) Remove(id string) error { } // Get returns the mountpoint for the given id after creating the target directories if necessary. -func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { +func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) { mountpoint := d.mountPath(id) if count := d.ctr.Increment(mountpoint); count > 1 { return mountpoint, nil } filesystem := d.zfsPath(id) - options := label.FormatMountLabel(d.options.mountOptions, mountLabel) - logrus.Debugf(`[zfs] mount("%s", "%s", "%s")`, filesystem, mountpoint, options) + opts := label.FormatMountLabel(d.options.mountOptions, options.MountLabel) + logrus.Debugf(`[zfs] mount("%s", "%s", "%s")`, filesystem, mountpoint, opts) rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps) if err != nil { @@ -381,7 +381,7 @@ func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (s return "", err } - if err := mount.Mount(filesystem, mountpoint, "zfs", options); err != nil { + if err := mount.Mount(filesystem, mountpoint, "zfs", opts); err != nil { d.ctr.Decrement(mountpoint) return "", fmt.Errorf("error creating zfs mount of %s to %s: %v", filesystem, mountpoint, err) } diff --git a/vendor/github.com/containers/storage/layers.go b/vendor/github.com/containers/storage/layers.go index fe263ba63..1275ab47c 100644 --- a/vendor/github.com/containers/storage/layers.go +++ b/vendor/github.com/containers/storage/layers.go @@ -21,6 +21,7 @@ import ( "github.com/containers/storage/pkg/system" "github.com/containers/storage/pkg/truncindex" digest "github.com/opencontainers/go-digest" + "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/vbatts/tar-split/tar/asm" "github.com/vbatts/tar-split/tar/storage" 
@@ -210,7 +211,7 @@ type LayerStore interface { // layers, it should not be written to. An SELinux label to be applied to the // mount can be specified to override the one configured for the layer. // The mappings used by the container can be specified. - Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) + Mount(id string, options drivers.MountOpts) (string, error) // Unmount unmounts a layer when it is no longer in use. Unmount(id string, force bool) (bool, error) @@ -294,6 +295,9 @@ func (r *layerStore) Load() error { mounts := make(map[string]*Layer) compressedsums := make(map[digest.Digest][]string) uncompressedsums := make(map[digest.Digest][]string) + if r.lockfile.IsReadWrite() { + label.ClearLabels() + } if err = json.Unmarshal(data, &layers); len(data) == 0 || err == nil { idlist = make([]string, 0, len(layers)) for n, layer := range layers { @@ -312,6 +316,9 @@ func (r *layerStore) Load() error { if layer.UncompressedDigest != "" { uncompressedsums[layer.UncompressedDigest] = append(uncompressedsums[layer.UncompressedDigest], layer.ID) } + if layer.MountLabel != "" { + label.ReserveLabel(layer.MountLabel) + } } } if shouldSave && !r.IsReadWrite() { @@ -552,6 +559,9 @@ func (r *layerStore) Put(id string, parentLayer *Layer, names []string, mountLab } else { parentMappings = &idtools.IDMappings{} } + if mountLabel != "" { + label.ReserveLabel(mountLabel) + } idMappings := idtools.NewIDMappingsFromMaps(moreOptions.UIDMap, moreOptions.GIDMap) opts := drivers.CreateOpts{ MountLabel: mountLabel, @@ -649,7 +659,7 @@ func (r *layerStore) Mounted(id string) (int, error) { return layer.MountCount, nil } -func (r *layerStore) Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) { +func (r *layerStore) Mount(id string, options drivers.MountOpts) (string, error) { if !r.IsReadWrite() { return "", errors.Wrapf(ErrStoreIsReadOnly, "not allowed to update mount locations for layers at %q", r.mountspath()) } 
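Review bot: `label.ClearLabels()` in `Load()` wipes the process-wide MCS reservation table and then re-reserves only the labels of layers recorded in this store, so a label reserved by any other caller in the same process — notably the one `label.InitLabels` hands to `CreateContainer` before the layer is `Put` — is lost if a read-write `Load()` runs in between (store.go's `Mount` reloads when `Modified()` reports a change, so another goroutine can trigger this). Two containers could then be issued the same MCS category pair, which defeats the per-container SELinux isolation the reservation exists to provide. A safer shape is to reserve additively in `Load()` without clearing, or to clear and re-reserve under a lock that the container-creation path also holds while it reserves. The `label.ReserveLabel` return value is also discarded at `@@ -312` and `@@ -552` (the label.go stub declares it as `error`), and should at least be logged.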
@@ -661,16 +671,16 @@ func (r *layerStore) Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDM layer.MountCount++ return layer.MountPoint, r.Save() } - if mountLabel == "" { - mountLabel = layer.MountLabel + if options.MountLabel == "" { + options.MountLabel = layer.MountLabel } - if (uidMaps != nil || gidMaps != nil) && !r.driver.SupportsShifting() { - if !reflect.DeepEqual(uidMaps, layer.UIDMap) || !reflect.DeepEqual(gidMaps, layer.GIDMap) { + if (options.UidMaps != nil || options.GidMaps != nil) && !r.driver.SupportsShifting() { + if !reflect.DeepEqual(options.UidMaps, layer.UIDMap) || !reflect.DeepEqual(options.GidMaps, layer.GIDMap) { return "", fmt.Errorf("cannot mount layer %v: shifting not enabled", layer.ID) } } - mountpoint, err := r.driver.Get(id, mountLabel, uidMaps, gidMaps) + mountpoint, err := r.driver.Get(id, options) if mountpoint != "" && err == nil { if layer.MountPoint != "" { delete(r.bymount, layer.MountPoint) @@ -839,6 +849,7 @@ func (r *layerStore) Delete(id string) error { os.Remove(r.tspath(id)) delete(r.byid, id) r.idindex.Delete(id) + mountLabel := layer.MountLabel if layer.MountPoint != "" { delete(r.bymount, layer.MountPoint) } @@ -857,6 +868,18 @@ func (r *layerStore) Delete(id string) error { r.layers = append(r.layers[:toDeleteIndex], r.layers[toDeleteIndex+1:]...) } } + if mountLabel != "" { + var found bool + for _, candidate := range r.layers { + if candidate.MountLabel == mountLabel { + found = true + break + } + } + if !found { + label.ReleaseLabel(mountLabel) + } + } if err = r.Save(); err != nil { return err } @@ -957,7 +980,7 @@ func (r *layerStore) newFileGetter(id string) (drivers.FileGetCloser, error) { if getter, ok := r.driver.(drivers.DiffGetterDriver); ok { return getter.DiffGetter(id) } - path, err := r.Mount(id, "", nil, nil) + path, err := r.Mount(id, drivers.MountOpts{}) if err != nil { return nil, err } 
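Review bot: The release in `Delete` scans only `r.layers` of this store before calling `label.ReleaseLabel(mountLabel)`, so a label still held by a layer in another store served by the same process, or reserved by `InitLabels` for a container whose layer has not been written yet, is released and can be handed out again. If several stores per process are supported, the in-use check should cover all of them, or label ownership should be tracked per container rather than inferred from this store's layers. The search loop would also read better as a small `labelInUse(mountLabel) bool` helper. `Delete` starts before this hunk.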
diff --git a/vendor/github.com/containers/storage/pkg/archive/example_changes.go b/vendor/github.com/containers/storage/pkg/archive/example_changes.go
new file mode 100644
index 000000000..70f9c5564
--- /dev/null
+++ b/vendor/github.com/containers/storage/pkg/archive/example_changes.go
@@ -0,0 +1,97 @@
+// +build ignore
+
+// Simple tool to create an archive stream from an old and new directory
+//
+// By default it will stream the comparison of two temporary directories with junk files
+package main
+
+import (
+ "flag"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "os"
+ "path"
+
+ "github.com/containers/storage/pkg/archive"
+ "github.com/sirupsen/logrus"
+)
+
+var (
+ flDebug = flag.Bool("D", false, "debugging output")
+ flNewDir = flag.String("newdir", "", "")
+ flOldDir = flag.String("olddir", "", "")
+ log = logrus.New()
+)
+
+func main() {
+ flag.Usage = func() {
+ fmt.Println("Produce a tar from comparing two directory paths. By default a demo tar is created of around 200 files (including hardlinks)")
+ fmt.Printf("%s [OPTIONS]\n", os.Args[0])
+ flag.PrintDefaults()
+ }
+ flag.Parse()
+ log.Out = os.Stderr
+ if (len(os.Getenv("DEBUG")) > 0) || *flDebug {
+ logrus.SetLevel(logrus.DebugLevel)
+ }
+ var newDir, oldDir string
+
+ if len(*flNewDir) == 0 {
+ var err error
+ newDir, err = ioutil.TempDir("", "storage-test-newDir")
+ if err != nil {
+ log.Fatal(err)
+ }
+ defer os.RemoveAll(newDir)
+ if _, err := prepareUntarSourceDirectory(100, newDir, true); err != nil {
+ log.Fatal(err)
+ }
+ } else {
+ newDir = *flNewDir
+ }
+
+ if len(*flOldDir) == 0 {
+ oldDir, err := ioutil.TempDir("", "storage-test-oldDir")
+ if err != nil {
+ log.Fatal(err)
+ }
+ defer os.RemoveAll(oldDir)
+ } else {
+ oldDir = *flOldDir
+ }
+
+ changes, err := archive.ChangesDirs(newDir, oldDir)
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ a, err := archive.ExportChanges(newDir, changes)
+ if err != nil {
+ log.Fatal(err)
+ }
+ defer a.Close()
+
+ i, err := io.Copy(os.Stdout, a)
+ if err != nil && err != io.EOF {
+ log.Fatal(err)
+ }
+ fmt.Fprintf(os.Stderr, "wrote archive of %d bytes", i)
+}
+
+func prepareUntarSourceDirectory(numberOfFiles int, targetPath string, makeLinks bool) (int, error) {
+ fileData := []byte("fooo")
+ for n := 0; n < numberOfFiles; n++ {
+ fileName := 
fmt.Sprintf("file-%d", n) + if err := ioutil.WriteFile(path.Join(targetPath, fileName), fileData, 0700); err != nil { + return 0, err + } + if makeLinks { + if err := os.Link(path.Join(targetPath, fileName), path.Join(targetPath, fileName+"-link")); err != nil { + return 0, err + } + } + } + totalSize := numberOfFiles * len(fileData) + return totalSize, nil +} diff --git a/vendor/github.com/containers/storage/store.go b/vendor/github.com/containers/storage/store.go index 94cf1f0a7..7eaa82910 100644 --- a/vendor/github.com/containers/storage/store.go +++ b/vendor/github.com/containers/storage/store.go @@ -25,6 +25,7 @@ import ( "github.com/containers/storage/pkg/stringid" "github.com/containers/storage/pkg/stringutils" digest "github.com/opencontainers/go-digest" + "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" ) @@ -251,6 +252,8 @@ type Store interface { // Mount attempts to mount a layer, image, or container for access, and // returns the pathname if it succeeds. + // Note if the mountLabel == "", the default label for the container + // will be used. // // Note that we do some of this work in a child process. The calling // process's main() function needs to import our pkg/reexec package and @@ -497,6 +500,8 @@ type ContainerOptions struct { // container's layer will inherit settings from the image's top layer // or, if it is not being created based on an image, the Store object. IDMappingOptions + LabelOpts []string + Flags map[string]interface{} } type store struct { 
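Review bot: In `main` of the new example, `oldDir, err := ioutil.TempDir("", "storage-test-oldDir")` inside `if len(*flOldDir) == 0 {` declares a block-scoped `oldDir`, so the outer `oldDir` stays `""`, `archive.ChangesDirs(newDir, oldDir)` is called with an empty old directory, and the temporary directory is created and removed without ever being used. Predeclare `var err error` and assign with `oldDir, err = ioutil.TempDir("", "storage-test-oldDir")`, mirroring the `newDir` branch above it. The file is `// +build ignore`, so this never reaches the library build, but the shadow analyzer would flag it. The hunk begins on the previous line.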
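Review bot: The new `LabelOpts []string` and `Flags map[string]interface{}` fields of `ContainerOptions` have no doc comments, and the keys `CreateContainer` recognises in `Flags` (`"ProcessLabel"` and `"MountLabel"`, both strings, either both set or both empty) are not discoverable from the type. Suggest `// LabelOpts is passed to label.InitLabels to derive the container's SELinux process and mount labels when Flags does not carry them.` and `// Flags is stored on the container; the string entries "ProcessLabel" and "MountLabel" override the labels InitLabels would choose and must be set together.`. The `Store.Mount` doc added two hunks up says `the default label for the container will be used` when `mountLabel == ""`; since layers.go's `Mount` falls back to `layer.MountLabel`, wording it as `the label stored for the layer` would be more precise.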
@@ -1175,7 +1180,26 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat }, } } - clayer, err := rlstore.Create(layer, imageTopLayer, nil, "", nil, layerOptions, true) + if options.Flags == nil { + options.Flags = make(map[string]interface{}) + } + plabel, _ := options.Flags["ProcessLabel"].(string) + mlabel, _ := options.Flags["MountLabel"].(string) + if (plabel == "" && mlabel != "") || + (plabel != "" && mlabel == "") { + return nil, errors.Errorf("ProcessLabel and Mountlabel must either not be specified or both specified") + } + + if plabel == "" { + processLabel, mountLabel, err := label.InitLabels(options.LabelOpts) + if err != nil { + return nil, err + } + options.Flags["ProcessLabel"] = processLabel + options.Flags["MountLabel"] = mountLabel + } + + clayer, err := rlstore.Create(layer, imageTopLayer, nil, options.Flags["MountLabel"].(string), nil, layerOptions, true) if err != nil { return nil, err } @@ -1189,13 +1213,11 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat if modified, err := rcstore.Modified(); modified || err != nil { rcstore.Load() } - options = &ContainerOptions{ - IDMappingOptions: IDMappingOptions{ - HostUIDMapping: len(options.UIDMap) == 0, - HostGIDMapping: len(options.GIDMap) == 0, - UIDMap: copyIDMap(options.UIDMap), - GIDMap: copyIDMap(options.GIDMap), - }, + options.IDMappingOptions = IDMappingOptions{ + HostUIDMapping: len(options.UIDMap) == 0, + HostGIDMapping: len(options.GIDMap) == 0, + UIDMap: copyIDMap(options.UIDMap), + GIDMap: copyIDMap(options.GIDMap), } container, err := rcstore.Create(id, names, imageID, layer, metadata, options) if err != nil || container == nil { 
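Review bot: Once `label.InitLabels` has reserved a fresh MCS label, every later failure in `CreateContainer` (`rlstore.Create`, `rcstore.Create`, and the rest of the function outside the hunk) returns without `label.ReleaseLabel`, so each failed creation permanently consumes a category pair for the life of the process; a deferred release on the error path, as the vendored `InitLabels` itself now does, closes that. The hunk also writes the derived labels into `options.Flags`, which is the caller's own map, and the second hunk on this line stops replacing `options` with a fresh struct, so callers now see their `ContainerOptions` mutated — cloning the map before writing keeps the previous no-aliasing behaviour. Minor: `(plabel == "" && mlabel != "") || (plabel != "" && mlabel == "")` is `(plabel == "") != (mlabel == "")`, and the message spells `Mountlabel` while the key is `MountLabel`.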
@@ -2273,7 +2295,12 @@ func (s *store) Mount(id, mountLabel string) (string, error) { rlstore.Load() } if rlstore.Exists(id) { - return rlstore.Mount(id, mountLabel, uidMap, gidMap) + options := drivers.MountOpts{ + MountLabel: mountLabel, + UidMaps: uidMap, + GidMaps: gidMap, + } + return rlstore.Mount(id, options) } return "", ErrLayerUnknown } diff --git a/vendor/github.com/containers/storage/vendor.conf b/vendor/github.com/containers/storage/vendor.conf index c0498a02d..2276d5531 100644 --- a/vendor/github.com/containers/storage/vendor.conf +++ b/vendor/github.com/containers/storage/vendor.conf @@ -8,7 +8,7 @@ github.com/mattn/go-shellwords 753a2322a99f87c0eff284980e77f53041555bc6 github.com/mistifyio/go-zfs c0224de804d438efd11ea6e52ada8014537d6062 github.com/opencontainers/go-digest master github.com/opencontainers/runc 6c22e77604689db8725fa866f0f2ec0b3e8c3a07 -github.com/opencontainers/selinux ba1aefe8057f1d0cfb8e88d0ec1dc85925ef987d +github.com/opencontainers/selinux 36a9bc45a08c85f2c52bd9eb32e20267876773bd github.com/pborman/uuid 1b00554d822231195d1babd97ff4a781231955c9 github.com/pkg/errors master github.com/pmezard/go-difflib v1.0.0 diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go index 6cfc5fded..2a31cd3c5 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go @@ -48,6 +48,11 @@ func GetPidLabel(pid int) (string, error) { func Init() { } +// ClearLabels clears all reserved labels +func ClearLabels() { + return +} + func ReserveLabel(label string) error { return nil } diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go index f0a055b87..63c4edd05 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go 
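Review bot: The stub `ClearLabels` added to label.go has a bare `return` as its only statement, which is redundant in a function with no results; `func ClearLabels() {}` matches the empty `Init()` just above it. The doc comment would also benefit from saying that the non-SELinux build is a no-op, e.g. `// ClearLabels is a no-op when SELinux support is not compiled in.`. The store.go `Mount` hunk and the vendor.conf pin on this line need nothing further.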
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go @@ -24,17 +24,22 @@ var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be use // the container. A list of options can be passed into this function to alter // the labels. The labels returned will include a random MCS String, that is // guaranteed to be unique. -func InitLabels(options []string) (string, string, error) { +func InitLabels(options []string) (plabel string, mlabel string, Err error) { if !selinux.GetEnabled() { return "", "", nil } processLabel, mountLabel := selinux.ContainerLabels() if processLabel != "" { + defer func() { + if Err != nil { + ReleaseLabel(mountLabel) + } + }() pcon := selinux.NewContext(processLabel) mcon := selinux.NewContext(mountLabel) for _, opt := range options { if opt == "disable" { - return "", "", nil + return "", mountLabel, nil } if i := strings.Index(opt, ":"); i == -1 { return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt) @@ -156,6 +161,11 @@ func Init() { selinux.GetEnabled() } +// ClearLabels will clear all reserved labels +func ClearLabels() { + selinux.ClearLabels() +} + // ReserveLabel will record the fact that the MCS label has already been used. // This will prevent InitLabels from using the MCS label in a newly created // container diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go index 5dc09a51e..2cd54eac1 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go 
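Review bot: The named result `Err` in the new `InitLabels` signature is capitalised, which in Go reads as an exported identifier; `err` is the convention and the deferred block then reads naturally as `if err != nil { ReleaseLabel(mountLabel) }`. The `disable` branch now returns `"", mountLabel, nil` instead of `"", "", nil`, so callers that previously got no mount label (and nothing to release) now receive a reserved label paired with an empty process label, and store.go's `CreateContainer` will persist that pair; if this is intended so that files still get the MCS-labelled context, the doc comment above the function should say so. It is also worth stating in that comment that the label returned on success stays reserved until the caller releases it, since the deferred release fires only on the error path. The function continues past the hunk.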
@@ -409,6 +409,13 @@ func NewContext(label string) Context { return c } +// ClearLabels clears all reserved labels +func ClearLabels() { + state.Lock() + state.mcsList = make(map[string]bool) + state.Unlock() +} + // ReserveLabel reserves the MLS/MCS level component of the specified label func ReserveLabel(label string) { if len(label) != 0 { diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go index 4dbfd83ed..5abf8a362 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go @@ -107,6 +107,11 @@ func NewContext(label string) Context { return c } +// ClearLabels clears all reserved MLS/MCS levels +func ClearLabels() { + return +} + // ReserveLabel reserves the MLS/MCS level component of the specified label func ReserveLabel(label string) { return |
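Review bot: The doc comment `// ClearLabels clears all reserved labels` does not say that `state.mcsList` is process-global, so the call discards reservations held by every user of this package in the process, not only the caller's, which matters for the storage `Load()` path that invokes it. Suggest `// ClearLabels forgets every MLS/MCS level previously recorded by ReserveLabel in this process; callers that still depend on a reservation must re-reserve it afterwards.`, and the same wording fits the `label.ClearLabels` wrapper and the stub on this line. Resetting with a fresh `make(map[string]bool)` under `state.Lock()` is correct for the lock discipline the surrounding code appears to use.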