Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/containers/common/libimage/platform.go16
-rw-r--r--vendor/github.com/containers/common/pkg/util/util_supported.go6
-rw-r--r--vendor/github.com/containers/storage/VERSION2
-rw-r--r--vendor/github.com/containers/storage/drivers/driver_linux.go8
-rw-r--r--vendor/github.com/containers/storage/layers.go4
-rw-r--r--vendor/github.com/containers/storage/pkg/archive/archive.go3
-rw-r--r--vendor/github.com/containers/storage/pkg/archive/archive_freebsd.go23
-rw-r--r--vendor/github.com/containers/storage/pkg/archive/archive_unix.go13
-rw-r--r--vendor/github.com/containers/storage/pkg/archive/archive_windows.go5
-rw-r--r--vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go3
-rw-r--r--vendor/github.com/containers/storage/pkg/system/mknod.go5
-rw-r--r--vendor/github.com/containers/storage/pkg/system/mknod_freebsd.go5
-rw-r--r--vendor/github.com/containers/storage/pkg/system/rm.go3
-rw-r--r--vendor/github.com/containers/storage/pkg/system/rm_common.go10
-rw-r--r--vendor/github.com/containers/storage/pkg/system/rm_freebsd.go32
-rw-r--r--vendor/github.com/containers/storage/types/options.go55
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/doc.go1
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go46
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go1
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go12
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go1
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go80
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go1
-rw-r--r--vendor/modules.txt6
24 files changed, 234 insertions, 107 deletions
diff --git a/vendor/github.com/containers/common/libimage/platform.go b/vendor/github.com/containers/common/libimage/platform.go
index 274b2aa06..4d5dde310 100644
--- a/vendor/github.com/containers/common/libimage/platform.go
+++ b/vendor/github.com/containers/common/libimage/platform.go
@@ -6,6 +6,7 @@ import (
"runtime"
"github.com/containerd/containerd/platforms"
+ v1 "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/sirupsen/logrus"
)
@@ -20,9 +21,18 @@ const (
)
// NormalizePlatform normalizes (according to the OCI spec) the specified os,
-// arch and variant. If left empty, the individual item will not be normalized.
+// arch and variant. If left empty, the individual item will be normalized.
func NormalizePlatform(rawOS, rawArch, rawVariant string) (os, arch, variant string) {
- rawPlatform := toPlatformString(rawOS, rawArch, rawVariant)
+ platformSpec := v1.Platform{
+ OS: rawOS,
+ Architecture: rawArch,
+ Variant: rawVariant,
+ }
+ normalizedSpec := platforms.Normalize(platformSpec)
+ if normalizedSpec.Variant == "" && rawVariant != "" {
+ normalizedSpec.Variant = rawVariant
+ }
+ rawPlatform := toPlatformString(normalizedSpec.OS, normalizedSpec.Architecture, normalizedSpec.Variant)
normalizedPlatform, err := platforms.Parse(rawPlatform)
if err != nil {
logrus.Debugf("Error normalizing platform: %v", err)
@@ -38,7 +48,7 @@ func NormalizePlatform(rawOS, rawArch, rawVariant string) (os, arch, variant str
arch = normalizedPlatform.Architecture
}
variant = rawVariant
- if rawVariant != "" {
+ if rawVariant != "" || (rawVariant == "" && normalizedPlatform.Variant != "") {
variant = normalizedPlatform.Variant
}
return os, arch, variant
diff --git a/vendor/github.com/containers/common/pkg/util/util_supported.go b/vendor/github.com/containers/common/pkg/util/util_supported.go
index 6d7060af4..0cd53af53 100644
--- a/vendor/github.com/containers/common/pkg/util/util_supported.go
+++ b/vendor/github.com/containers/common/pkg/util/util_supported.go
@@ -11,6 +11,7 @@ import (
"sync"
"syscall"
+ "github.com/containers/storage/pkg/homedir"
"github.com/containers/storage/pkg/unshare"
"github.com/sirupsen/logrus"
)
@@ -31,7 +32,10 @@ func GetRuntimeDir() (string, error) {
var rootlessRuntimeDirError error
rootlessRuntimeDirOnce.Do(func() {
- runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
+ runtimeDir, err := homedir.GetRuntimeDir()
+ if err != nil {
+ logrus.Debug(err)
+ }
if runtimeDir != "" {
st, err := os.Stat(runtimeDir)
if err != nil {
diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION
index 6d41d503d..b978278f0 100644
--- a/vendor/github.com/containers/storage/VERSION
+++ b/vendor/github.com/containers/storage/VERSION
@@ -1 +1 @@
-1.42.1-dev
+1.43.0
diff --git a/vendor/github.com/containers/storage/drivers/driver_linux.go b/vendor/github.com/containers/storage/drivers/driver_linux.go
index 7c527d279..b9e57a60d 100644
--- a/vendor/github.com/containers/storage/drivers/driver_linux.go
+++ b/vendor/github.com/containers/storage/drivers/driver_linux.go
@@ -7,6 +7,7 @@ import (
"path/filepath"
"github.com/containers/storage/pkg/mount"
+ "github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
@@ -127,9 +128,14 @@ var (
// GetFSMagic returns the filesystem id given the path.
func GetFSMagic(rootpath string) (FsMagic, error) {
var buf unix.Statfs_t
- if err := unix.Statfs(filepath.Dir(rootpath), &buf); err != nil {
+ path := filepath.Dir(rootpath)
+ if err := unix.Statfs(path, &buf); err != nil {
return 0, err
}
+
+ if _, ok := FsNames[FsMagic(buf.Type)]; !ok {
+ logrus.Debugf("Unknown filesystem type %#x reported for %s", buf.Type, path)
+ }
return FsMagic(buf.Type), nil
}
diff --git a/vendor/github.com/containers/storage/layers.go b/vendor/github.com/containers/storage/layers.go
index 18f3630e9..c23f0b26b 100644
--- a/vendor/github.com/containers/storage/layers.go
+++ b/vendor/github.com/containers/storage/layers.go
@@ -563,6 +563,8 @@ func (s *store) newLayerStore(rundir string, layerdir string, driver drivers.Dri
uidMap: copyIDMap(s.uidMap),
gidMap: copyIDMap(s.gidMap),
}
+ rlstore.Lock()
+ defer rlstore.Unlock()
if err := rlstore.Load(); err != nil {
return nil, err
}
@@ -584,6 +586,8 @@ func newROLayerStore(rundir string, layerdir string, driver drivers.Driver) (ROL
bymount: make(map[string]*Layer),
byname: make(map[string]*Layer),
}
+ rlstore.RLock()
+ defer rlstore.Unlock()
if err := rlstore.Load(); err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/storage/pkg/archive/archive.go b/vendor/github.com/containers/storage/pkg/archive/archive.go
index 1d7bbfa98..82c0adeb7 100644
--- a/vendor/github.com/containers/storage/pkg/archive/archive.go
+++ b/vendor/github.com/containers/storage/pkg/archive/archive.go
@@ -75,6 +75,7 @@ const (
solaris = "solaris"
windows = "windows"
darwin = "darwin"
+ freebsd = "freebsd"
)
var xattrsToIgnore = map[string]interface{}{
@@ -671,7 +672,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L
if !strings.HasPrefix(targetPath, extractDir) {
return breakoutError(fmt.Errorf("invalid hardlink %q -> %q", targetPath, hdr.Linkname))
}
- if err := os.Link(targetPath, path); err != nil {
+ if err := handleLLink(targetPath, path); err != nil {
return err
}
diff --git a/vendor/github.com/containers/storage/pkg/archive/archive_freebsd.go b/vendor/github.com/containers/storage/pkg/archive/archive_freebsd.go
index fe22eb433..36017c3bf 100644
--- a/vendor/github.com/containers/storage/pkg/archive/archive_freebsd.go
+++ b/vendor/github.com/containers/storage/pkg/archive/archive_freebsd.go
@@ -9,6 +9,7 @@ import (
"os"
"path/filepath"
"syscall"
+ "unsafe"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/system"
@@ -111,16 +112,18 @@ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo, forceMask *
if forceMask != nil {
permissionsMask = *forceMask
}
- if hdr.Typeflag == tar.TypeLink {
- if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
- if err := os.Chmod(path, permissionsMask); err != nil {
- return err
- }
- }
- } else if hdr.Typeflag != tar.TypeSymlink {
- if err := os.Chmod(path, permissionsMask); err != nil {
- return err
- }
+ p, err := unix.BytePtrFromString(path)
+ if err != nil {
+ return err
+ }
+ _, _, e1 := unix.Syscall(unix.SYS_LCHMOD, uintptr(unsafe.Pointer(p)), uintptr(permissionsMask), 0)
+ if e1 != 0 {
+ return e1
}
return nil
}
+
+// Hardlink without following symlinks
+func handleLLink(targetPath string, path string) error {
+ return unix.Linkat(unix.AT_FDCWD, targetPath, unix.AT_FDCWD, path, 0)
+}
diff --git a/vendor/github.com/containers/storage/pkg/archive/archive_unix.go b/vendor/github.com/containers/storage/pkg/archive/archive_unix.go
index 7c3e442da..d0fb33066 100644
--- a/vendor/github.com/containers/storage/pkg/archive/archive_unix.go
+++ b/vendor/github.com/containers/storage/pkg/archive/archive_unix.go
@@ -1,3 +1,4 @@
+//go:build !windows && !freebsd
// +build !windows,!freebsd
package archive
@@ -97,7 +98,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
mode |= unix.S_IFIFO
}
- return system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor)))
+ return system.Mknod(path, mode, system.Mkdev(hdr.Devmajor, hdr.Devminor))
}
func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo, forceMask *os.FileMode) error {
@@ -118,3 +119,13 @@ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo, forceMask *
}
return nil
}
+
+// Hardlink without symlinks
+func handleLLink(targetPath, path string) error {
+ // Note: on Linux, the link syscall will not follow symlinks.
+ // This behavior is implementation-dependent since
+ // POSIX.1-2008 so to make it clear that we need non-symlink
+ // following here we use the linkat syscall which has a flags
+ // field to select symlink following or not.
+ return unix.Linkat(unix.AT_FDCWD, targetPath, unix.AT_FDCWD, path, 0)
+}
diff --git a/vendor/github.com/containers/storage/pkg/archive/archive_windows.go b/vendor/github.com/containers/storage/pkg/archive/archive_windows.go
index 8e7a2fd02..e44011775 100644
--- a/vendor/github.com/containers/storage/pkg/archive/archive_windows.go
+++ b/vendor/github.com/containers/storage/pkg/archive/archive_windows.go
@@ -78,3 +78,8 @@ func getFileUIDGID(stat interface{}) (idtools.IDPair, error) {
// no notion of file ownership mapping yet on Windows
return idtools.IDPair{0, 0}, nil
}
+
+// Hardlink without following symlinks
+func handleLLink(targetPath string, path string) error {
+ return os.Link(targetPath, path)
+}
diff --git a/vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go b/vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go
index 33177bdf3..37dc9159f 100644
--- a/vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go
+++ b/vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go
@@ -1,3 +1,4 @@
+//go:build !windows
// +build !windows
package homedir
@@ -46,7 +47,7 @@ func GetShortcutString() string {
// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
func GetRuntimeDir() (string, error) {
if xdgRuntimeDir := os.Getenv("XDG_RUNTIME_DIR"); xdgRuntimeDir != "" {
- return xdgRuntimeDir, nil
+ return filepath.EvalSymlinks(xdgRuntimeDir)
}
return "", errors.New("could not get XDG_RUNTIME_DIR")
}
diff --git a/vendor/github.com/containers/storage/pkg/system/mknod.go b/vendor/github.com/containers/storage/pkg/system/mknod.go
index c276ce8e8..d3d0ed8a1 100644
--- a/vendor/github.com/containers/storage/pkg/system/mknod.go
+++ b/vendor/github.com/containers/storage/pkg/system/mknod.go
@@ -1,3 +1,4 @@
+//go:build !windows && !freebsd
// +build !windows,!freebsd
package system
@@ -8,8 +9,8 @@ import (
// Mknod creates a filesystem node (file, device special file or named pipe) named path
// with attributes specified by mode and dev.
-func Mknod(path string, mode uint32, dev int) error {
- return unix.Mknod(path, mode, dev)
+func Mknod(path string, mode uint32, dev uint32) error {
+ return unix.Mknod(path, mode, int(dev))
}
// Mkdev is used to build the value of linux devices (in /dev/) which specifies major
diff --git a/vendor/github.com/containers/storage/pkg/system/mknod_freebsd.go b/vendor/github.com/containers/storage/pkg/system/mknod_freebsd.go
index d09005589..53c3f2837 100644
--- a/vendor/github.com/containers/storage/pkg/system/mknod_freebsd.go
+++ b/vendor/github.com/containers/storage/pkg/system/mknod_freebsd.go
@@ -1,3 +1,4 @@
+//go:build freebsd
// +build freebsd
package system
@@ -17,6 +18,6 @@ func Mknod(path string, mode uint32, dev uint64) error {
// Linux device nodes are a bit weird due to backwards compat with 16 bit device nodes.
// They are, from low to high: the lower 8 bits of the minor, then 12 bits of the major,
// then the top 12 bits of the minor.
-func Mkdev(major int64, minor int64) uint32 {
- return uint32(((minor & 0xfff00) << 12) | ((major & 0xfff) << 8) | (minor & 0xff))
+func Mkdev(major int64, minor int64) uint64 {
+ return uint64(((minor & 0xfff00) << 12) | ((major & 0xfff) << 8) | (minor & 0xff))
}
diff --git a/vendor/github.com/containers/storage/pkg/system/rm.go b/vendor/github.com/containers/storage/pkg/system/rm.go
index b65121f1d..5d63dc741 100644
--- a/vendor/github.com/containers/storage/pkg/system/rm.go
+++ b/vendor/github.com/containers/storage/pkg/system/rm.go
@@ -35,6 +35,9 @@ func EnsureRemoveAll(dir string) error {
}
for {
+ if err := resetFileFlags(dir); err != nil {
+ return fmt.Errorf("resetting file flags: %w", err)
+ }
err := os.RemoveAll(dir)
if err == nil {
return nil
diff --git a/vendor/github.com/containers/storage/pkg/system/rm_common.go b/vendor/github.com/containers/storage/pkg/system/rm_common.go
new file mode 100644
index 000000000..117eb1d6d
--- /dev/null
+++ b/vendor/github.com/containers/storage/pkg/system/rm_common.go
@@ -0,0 +1,10 @@
+//go:build !freebsd
+// +build !freebsd
+
+package system
+
+// Reset file flags in a directory tree. This allows EnsureRemoveAll
+// to delete trees which have the immutable flag set.
+func resetFileFlags(dir string) error {
+ return nil
+}
diff --git a/vendor/github.com/containers/storage/pkg/system/rm_freebsd.go b/vendor/github.com/containers/storage/pkg/system/rm_freebsd.go
new file mode 100644
index 000000000..35896c11d
--- /dev/null
+++ b/vendor/github.com/containers/storage/pkg/system/rm_freebsd.go
@@ -0,0 +1,32 @@
+package system
+
+import (
+ "io/fs"
+ "path/filepath"
+ "unsafe"
+
+ "golang.org/x/sys/unix"
+)
+
+func lchflags(path string, flags int) (err error) {
+ p, err := unix.BytePtrFromString(path)
+ if err != nil {
+ return err
+ }
+ _, _, e1 := unix.Syscall(unix.SYS_LCHFLAGS, uintptr(unsafe.Pointer(p)), uintptr(flags), 0)
+ if e1 != 0 {
+ return e1
+ }
+ return nil
+}
+
+// Reset file flags in a directory tree. This allows EnsureRemoveAll
+// to delete trees which have the immutable flag set.
+func resetFileFlags(dir string) error {
+ return filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
+ if err := lchflags(path, 0); err != nil {
+ return err
+ }
+ return nil
+ })
+}
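Review bot: The walk callback in resetFileFlags never inspects the `err` argument that WalkDir passes for an entry it could not stat or a directory it could not read, and the `err := lchflags(path, 0)` on the next line shadows it, so a permission error on a subdirectory is silently dropped, immutable entries beneath it keep their flags, and the later os.RemoveAll fails for a reason that is harder to diagnose. Add `if err != nil { return err }` as the first statement of the callback so the walk error reaches EnsureRemoveAll's `resetting file flags: %w` wrapper; if a file vanishing mid-walk turns out to be a real case here, that would be the place to tolerate ENOENT explicitly rather than by accident. lchflags(path, 0) clears every flag, not only the immutable one; on FreeBSD the system flags (SF_*) can, as far as I recall, only be cleared at securelevel <= 0, which is presumably acceptable for a tree about to be deleted but deserves a comment such as `// Clears all user and system flags; SF_* flags are only clearable at securelevel <= 0.`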
diff --git a/vendor/github.com/containers/storage/types/options.go b/vendor/github.com/containers/storage/types/options.go
index 5421c02da..4c873b45f 100644
--- a/vendor/github.com/containers/storage/types/options.go
+++ b/vendor/github.com/containers/storage/types/options.go
@@ -38,17 +38,44 @@ var (
)
func loadDefaultStoreOptions() {
- defaultStoreOptions.RunRoot = defaultRunRoot
- defaultStoreOptions.GraphRoot = defaultGraphRoot
defaultStoreOptions.GraphDriverName = ""
+ setDefaults := func() {
+ // reload could set values to empty for run and graph root if config does not contains anything
+ if defaultStoreOptions.RunRoot == "" {
+ defaultStoreOptions.RunRoot = defaultRunRoot
+ }
+ if defaultStoreOptions.GraphRoot == "" {
+ defaultStoreOptions.GraphRoot = defaultGraphRoot
+ }
+ }
+ setDefaults()
+
if path, ok := os.LookupEnv(storageConfEnv); ok {
defaultOverrideConfigFile = path
if err := ReloadConfigurationFileIfNeeded(path, &defaultStoreOptions); err != nil {
loadDefaultStoreOptionsErr = err
return
}
- } else if _, err := os.Stat(defaultOverrideConfigFile); err == nil {
+ setDefaults()
+ return
+ }
+
+ if path, ok := os.LookupEnv("XDG_CONFIG_HOME"); ok {
+ homeConfigFile := filepath.Join(path, "containers", "storage.conf")
+ if _, err := os.Stat(homeConfigFile); err == nil {
+ // user storage.conf in XDG_CONFIG_HOME if it exists
+ defaultOverrideConfigFile = homeConfigFile
+ } else {
+ if !os.IsNotExist(err) {
+ loadDefaultStoreOptionsErr = err
+ return
+ }
+ }
+ }
+
+ _, err := os.Stat(defaultOverrideConfigFile)
+ if err == nil {
// The DefaultConfigFile(rootless) function returns the path
// of the used storage.conf file, by returning defaultConfigFile
// If override exists containers/storage uses it by default.
@@ -57,22 +84,18 @@ func loadDefaultStoreOptions() {
loadDefaultStoreOptionsErr = err
return
}
- } else {
- if !os.IsNotExist(err) {
- logrus.Warningf("Attempting to use %s, %v", defaultConfigFile, err)
- }
- if err := ReloadConfigurationFileIfNeeded(defaultConfigFile, &defaultStoreOptions); err != nil && !errors.Is(err, os.ErrNotExist) {
- loadDefaultStoreOptionsErr = err
- return
- }
+ setDefaults()
+ return
}
- // reload could set values to empty for run and graph root if config does not contains anything
- if defaultStoreOptions.RunRoot == "" {
- defaultStoreOptions.RunRoot = defaultRunRoot
+
+ if !os.IsNotExist(err) {
+ logrus.Warningf("Attempting to use %s, %v", defaultConfigFile, err)
}
- if defaultStoreOptions.GraphRoot == "" {
- defaultStoreOptions.GraphRoot = defaultGraphRoot
+ if err := ReloadConfigurationFileIfNeeded(defaultConfigFile, &defaultStoreOptions); err != nil && !errors.Is(err, os.ErrNotExist) {
+ loadDefaultStoreOptionsErr = err
+ return
}
+ setDefaults()
}
// defaultStoreOptionsIsolated is an internal implementation detail of DefaultStoreOptions to allow testing.
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/doc.go b/vendor/github.com/opencontainers/selinux/go-selinux/doc.go
index 0ac7d819e..57a15c9a1 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/doc.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/doc.go
@@ -9,6 +9,5 @@ Usage:
if selinux.EnforceMode() != selinux.Enforcing {
selinux.SetEnforceMode(selinux.Enforcing)
}
-
*/
package selinux
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
index 12de0ae5d..f61a56015 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
@@ -3,8 +3,6 @@ package label
import (
"errors"
"fmt"
- "os"
- "os/user"
"strings"
"github.com/opencontainers/selinux/go-selinux"
@@ -113,50 +111,6 @@ func Relabel(path string, fileLabel string, shared bool) error {
return nil
}
- exclude_paths := map[string]bool{
- "/": true,
- "/bin": true,
- "/boot": true,
- "/dev": true,
- "/etc": true,
- "/etc/passwd": true,
- "/etc/pki": true,
- "/etc/shadow": true,
- "/home": true,
- "/lib": true,
- "/lib64": true,
- "/media": true,
- "/opt": true,
- "/proc": true,
- "/root": true,
- "/run": true,
- "/sbin": true,
- "/srv": true,
- "/sys": true,
- "/tmp": true,
- "/usr": true,
- "/var": true,
- "/var/lib": true,
- "/var/log": true,
- }
-
- if home := os.Getenv("HOME"); home != "" {
- exclude_paths[home] = true
- }
-
- if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
- if usr, err := user.Lookup(sudoUser); err == nil {
- exclude_paths[usr.HomeDir] = true
- }
- }
-
- if path != "/" {
- path = strings.TrimSuffix(path, "/")
- }
- if exclude_paths[path] {
- return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
- }
-
if shared {
c, err := selinux.NewContext(fileLabel)
if err != nil {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
index 02d206239..f21c80c5a 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
@@ -1,3 +1,4 @@
+//go:build !linux
// +build !linux
package label
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go
index feb739d32..8bff29355 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go
@@ -1,3 +1,4 @@
+//go:build linux && go1.16
// +build linux,go1.16
package selinux
@@ -11,7 +12,18 @@ import (
)
func rchcon(fpath, label string) error {
+ fastMode := false
+ // If the current label matches the new label, assume
+ // other labels are correct.
+ if cLabel, err := lFileLabel(fpath); err == nil && cLabel == label {
+ fastMode = true
+ }
return pwalkdir.Walk(fpath, func(p string, _ fs.DirEntry, _ error) error {
+ if fastMode {
+ if cLabel, err := lFileLabel(fpath); err == nil && cLabel == label {
+ return nil
+ }
+ }
e := lSetFileLabel(p, label)
// Walk a file tree can race with removal, so ignore ENOENT.
if errors.Is(e, os.ErrNotExist) {
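Review bot: The fast-mode check inside the walk callback, `if cLabel, err := lFileLabel(fpath); err == nil && cLabel == label {`, re-reads the label of the root `fpath` instead of the entry `p` being visited; since fastMode is only true when the root already matched, that comparison is always true and every entry returns nil, so no descendant is ever relabelled in fast mode. The inner line should be `if cLabel, err := lFileLabel(p); err == nil && cLabel == label {`, which skips only entries whose label is already correct and still reaches `lSetFileLabel(p, label)` for the rest. Even with that fix, treating a matching root label as evidence that the subtree is correct is a heuristic — a mislabelled file under a correctly labelled directory is a common state after a volume has been populated — so the comment should say so rather than "assume other labels are correct". rchcon's body continues outside the hunk.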
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go
index ecc7abfac..303cb1890 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go
@@ -1,3 +1,4 @@
+//go:build linux && !go1.16
// +build linux,!go1.16
package selinux
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index ee602ab96..4582cc9e0 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -11,6 +11,7 @@ import (
"io/ioutil"
"math/big"
"os"
+ "os/user"
"path"
"path/filepath"
"strconv"
@@ -1072,21 +1073,6 @@ func copyLevel(src, dest string) (string, error) {
return tcon.Get(), nil
}
-// Prevent users from relabeling system files
-func badPrefix(fpath string) error {
- if fpath == "" {
- return ErrEmptyPath
- }
-
- badPrefixes := []string{"/usr"}
- for _, prefix := range badPrefixes {
- if strings.HasPrefix(fpath, prefix) {
- return fmt.Errorf("relabeling content in %s is not allowed", prefix)
- }
- }
- return nil
-}
-
// chcon changes the fpath file object to the SELinux label label.
// If fpath is a directory and recurse is true, then chcon walks the
// directory tree setting the label.
@@ -1097,12 +1083,70 @@ func chcon(fpath string, label string, recurse bool) error {
if label == "" {
return nil
}
- if err := badPrefix(fpath); err != nil {
- return err
+
+ exclude_paths := map[string]bool{
+ "/": true,
+ "/bin": true,
+ "/boot": true,
+ "/dev": true,
+ "/etc": true,
+ "/etc/passwd": true,
+ "/etc/pki": true,
+ "/etc/shadow": true,
+ "/home": true,
+ "/lib": true,
+ "/lib64": true,
+ "/media": true,
+ "/opt": true,
+ "/proc": true,
+ "/root": true,
+ "/run": true,
+ "/sbin": true,
+ "/srv": true,
+ "/sys": true,
+ "/tmp": true,
+ "/usr": true,
+ "/var": true,
+ "/var/lib": true,
+ "/var/log": true,
+ }
+
+ if home := os.Getenv("HOME"); home != "" {
+ exclude_paths[home] = true
+ }
+
+ if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+ if usr, err := user.Lookup(sudoUser); err == nil {
+ exclude_paths[usr.HomeDir] = true
+ }
+ }
+
+ if fpath != "/" {
+ fpath = strings.TrimSuffix(fpath, "/")
+ }
+ if exclude_paths[fpath] {
+ return fmt.Errorf("SELinux relabeling of %s is not allowed", fpath)
}
if !recurse {
- return setFileLabel(fpath, label)
+ err := lSetFileLabel(fpath, label)
+ if err != nil {
+ // Check if file doesn't exist, must have been removed
+ if errors.Is(err, os.ErrNotExist) {
+ return nil
+ }
+ // Check if current label is correct on disk
+ flabel, nerr := lFileLabel(fpath)
+ if nerr == nil && flabel == label {
+ return nil
+ }
+ // Check if file doesn't exist, must have been removed
+ if errors.Is(nerr, os.ErrNotExist) {
+ return nil
+ }
+ return err
+ }
+ return nil
}
return rchcon(fpath, label)
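Review bot: The exclusion lookup `if exclude_paths[fpath] {` is an exact string match after a single `strings.TrimSuffix(fpath, "/")`, so unnormalised spellings of the same directory — `/usr//`, `//usr`, `/usr/.`, `/etc/../usr` — are absent from the map and pass the check; and because the removed badPrefix used HasPrefix, everything below `/usr` (for example `/usr/bin`) is now relabelable, which may be intended but is a loosening worth stating in chcon's doc comment. Replace the TrimSuffix and its `/` special case with `fpath = filepath.Clean(fpath)` before the lookup (filepath is already imported), which collapses all of those forms to the canonical path and leaves `/` as `/`. The `HOME` and `SUDO_USER` entries are taken from the calling process's environment, so this list guards against accidents rather than against a caller that controls its own environment; it is a denylist, not a security boundary, and a comment saying so would keep later readers from relying on it. chcon starts and ends outside this hunk.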
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 78743b020..20d888031 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -1,3 +1,4 @@
+//go:build !linux
// +build !linux
package selinux
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 222b70cd3..d22a6098c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -120,7 +120,7 @@ github.com/containers/buildah/pkg/rusage
github.com/containers/buildah/pkg/sshagent
github.com/containers/buildah/pkg/util
github.com/containers/buildah/util
-# github.com/containers/common v0.49.2-0.20220926195839-590004b80685
+# github.com/containers/common v0.49.2-0.20220929111928-2d1b45ae2423
## explicit; go 1.17
github.com/containers/common/libimage
github.com/containers/common/libimage/define
@@ -266,7 +266,7 @@ github.com/containers/psgo/internal/dev
github.com/containers/psgo/internal/host
github.com/containers/psgo/internal/proc
github.com/containers/psgo/internal/process
-# github.com/containers/storage v1.42.1-0.20220919112236-8a581aac3bdf
+# github.com/containers/storage v1.43.0
## explicit; go 1.16
github.com/containers/storage
github.com/containers/storage/drivers
@@ -638,7 +638,7 @@ github.com/opencontainers/runtime-tools/generate
github.com/opencontainers/runtime-tools/generate/seccomp
github.com/opencontainers/runtime-tools/specerror
github.com/opencontainers/runtime-tools/validate
-# github.com/opencontainers/selinux v1.10.1
+# github.com/opencontainers/selinux v1.10.2
## explicit; go 1.13
github.com/opencontainers/selinux/go-selinux
github.com/opencontainers/selinux/go-selinux/label