Browse code
bump opencontainers/selinux to b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd
This vendoring fixes two issues.
1. When a user specifies an SELinux MCS Label (level) to override moby picking
an unigue MCS label, the code currently picks a label then overrides with the
user selected. This works fine, except the unique MCS Label is leaked and will
not be used until the daemon is restarted.
2. The override label, is not reserved. This could potentially cause an issue
where the daemon could pick the same MCS Label again for a different container.
(~ 1/500,000 Chance).
The updated selinux go bindings, now release the overriden unigue label, and reserve
the one specified by the user.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn authored on 2017/10/31 23:53:11Showing 3 changed files
- vendor.conf
- vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
- vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
| ... | ... |
@@ -143,7 +143,7 @@ github.com/Nvveen/Gotty a8b993ba6abdb0e0c12b0125c603323a71c7790c https://github. |
| 143 | 143 |
# metrics |
| 144 | 144 |
github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18 |
| 145 | 145 |
|
| 146 |
-github.com/opencontainers/selinux v1.0.0-rc1 |
|
| 146 |
+github.com/opencontainers/selinux b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd |
|
| 147 | 147 |
|
| 148 | 148 |
# archive/tar |
| 149 | 149 |
# mkdir -p ./vendor/archive |
| ... | ... |
@@ -49,8 +49,10 @@ func InitLabels(options []string) (string, string, error) {
|
| 49 | 49 |
mcon[con[0]] = con[1] |
| 50 | 50 |
} |
| 51 | 51 |
} |
| 52 |
+ _ = ReleaseLabel(processLabel) |
|
| 52 | 53 |
processLabel = pcon.Get() |
| 53 | 54 |
mountLabel = mcon.Get() |
| 55 |
+ _ = ReserveLabel(processLabel) |
|
| 54 | 56 |
} |
| 55 | 57 |
return processLabel, mountLabel, nil |
| 56 | 58 |
} |
| ... | ... |
@@ -213,7 +213,7 @@ func SetFileLabel(path string, label string) error {
|
| 213 | 213 |
return lsetxattr(path, xattrNameSelinux, []byte(label), 0) |
| 214 | 214 |
} |
| 215 | 215 |
|
| 216 |
-// Filecon returns the SELinux label for this path or returns an error. |
|
| 216 |
+// FileLabel returns the SELinux label for this path or returns an error. |
|
| 217 | 217 |
func FileLabel(path string) (string, error) {
|
| 218 | 218 |
label, err := lgetxattr(path, xattrNameSelinux) |
| 219 | 219 |
if err != nil {
|
| ... | ... |
@@ -331,7 +331,7 @@ func EnforceMode() int {
|
| 331 | 331 |
} |
| 332 | 332 |
|
| 333 | 333 |
/* |
| 334 |
-SetEnforce sets the current SELinux mode Enforcing, Permissive. |
|
| 334 |
+SetEnforceMode sets the current SELinux mode Enforcing, Permissive. |
|
| 335 | 335 |
Disabled is not valid, since this needs to be set at boot time. |
| 336 | 336 |
*/ |
| 337 | 337 |
func SetEnforceMode(mode int) error {
|