This also includes some portability changes so that the package can be
imported with the top level runtime.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
| ... | ... |
@@ -28,6 +28,7 @@ type Config struct {
|
| 28 | 28 |
ExecDriver string |
| 29 | 29 |
Mtu int |
| 30 | 30 |
DisableNetwork bool |
| 31 |
+ EnableSelinuxSupport bool |
|
| 31 | 32 |
} |
| 32 | 33 |
|
| 33 | 34 |
// ConfigFromJob creates and returns a new DaemonConfig object |
| ... | ... |
@@ -45,6 +46,7 @@ func ConfigFromJob(job *engine.Job) *Config {
|
| 45 | 45 |
InterContainerCommunication: job.GetenvBool("InterContainerCommunication"),
|
| 46 | 46 |
GraphDriver: job.Getenv("GraphDriver"),
|
| 47 | 47 |
ExecDriver: job.Getenv("ExecDriver"),
|
| 48 |
+ EnableSelinuxSupport: false, // FIXME: hardcoded default to disable selinux for .10 release |
|
| 48 | 49 |
} |
| 49 | 50 |
if dns := job.GetenvList("Dns"); dns != nil {
|
| 50 | 51 |
config.Dns = dns |
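Review bot: `EnableSelinuxSupport` is the only field in this literal populated from a constant instead of from the job environment, so the struct field can never become true through ConfigFromJob and the FIXME is the only record of that decision. If the goal is just a safe default for the release, reading it like the sibling fields do — `EnableSelinuxSupport: job.GetenvBool("EnableSelinuxSupport"),` — and not exposing a CLI flag yet keeps the effective default false (assuming GetenvBool reports false for an unset key, which is not visible here) while leaving one place to wire the flag later. Separately, the new struct field in the earlier hunk of this file has no doc comment; `// EnableSelinuxSupport enables SELinux labelling of containers; ConfigFromJob currently forces it to false.` would tell a reader why a false value is expected. ConfigFromJob's body continues outside the hunk.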
| ... | ... |
@@ -39,6 +39,11 @@ var ( |
| 39 | 39 |
|
| 40 | 40 |
type SELinuxContext map[string]string |
| 41 | 41 |
|
| 42 |
+// SetDisabled disables selinux support for the package |
|
| 43 |
+func SetDisabled() {
|
|
| 44 |
+ selinuxEnabled, selinuxEnabledChecked = false, true |
|
| 45 |
+} |
|
| 46 |
+ |
|
| 42 | 47 |
func GetSelinuxMountPoint() string {
|
| 43 | 48 |
if selinuxfs != "unknown" {
|
| 44 | 49 |
return selinuxfs |
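Review bot: SetDisabled flips two package-level variables with no synchronization and offers no inverse, so its doc comment should state when it may be called. If `selinuxEnabledChecked` is what a lazy enabled-check consults (that reader is outside this hunk), a call made after another function has already cached its result changes behaviour mid-run, and a call made concurrently with readers is a data race. I would extend the comment to `// SetDisabled disables selinux support for the package. It must be called once, before any other function in this package is used, and cannot be undone.`. Whether an enable path exists elsewhere in the file cannot be checked from this hunk.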
| ... | ... |
@@ -140,15 +145,6 @@ func Setfilecon(path string, scon string) error {
|
| 140 | 140 |
return system.Lsetxattr(path, xattrNameSelinux, []byte(scon), 0) |
| 141 | 141 |
} |
| 142 | 142 |
|
| 143 |
-func Getfilecon(path string) (string, error) {
|
|
| 144 |
- var scon []byte |
|
| 145 |
- |
|
| 146 |
- cnt, err := syscall.Getxattr(path, xattrNameSelinux, scon) |
|
| 147 |
- scon = make([]byte, cnt) |
|
| 148 |
- cnt, err = syscall.Getxattr(path, xattrNameSelinux, scon) |
|
| 149 |
- return string(scon), err |
|
| 150 |
-} |
|
| 151 |
- |
|
| 152 | 143 |
func Setfscreatecon(scon string) error {
|
| 153 | 144 |
return writeCon("/proc/self/attr/fscreate", scon)
|
| 154 | 145 |
} |
| ... | ... |
@@ -188,7 +184,7 @@ func writeCon(name string, val string) error {
|
| 188 | 188 |
} |
| 189 | 189 |
|
| 190 | 190 |
func Setexeccon(scon string) error {
|
| 191 |
- return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), scon)
|
|
| 191 |
+ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", system.Gettid()), scon)
|
|
| 192 | 192 |
} |
| 193 | 193 |
|
| 194 | 194 |
func (c SELinuxContext) Get() string {
|
| ... | ... |
@@ -12,9 +12,7 @@ func testSetfilecon(t *testing.T) {
|
| 12 | 12 |
out, _ := os.OpenFile(tmp, os.O_WRONLY, 0) |
| 13 | 13 |
out.Close() |
| 14 | 14 |
err := selinux.Setfilecon(tmp, "system_u:object_r:bin_t:s0") |
| 15 |
- if err == nil {
|
|
| 16 |
- t.Log(selinux.Getfilecon(tmp)) |
|
| 17 |
- } else {
|
|
| 15 |
+ if err != nil {
|
|
| 18 | 16 |
t.Log("Setfilecon failed")
|
| 19 | 17 |
t.Fatal(err) |
| 20 | 18 |
} |
| ... | ... |
@@ -41,7 +39,6 @@ func TestSELinux(t *testing.T) {
|
| 41 | 41 |
pid := os.Getpid() |
| 42 | 42 |
t.Log("PID:%d MCS:%s\n", pid, selinux.IntToMcs(pid, 1023))
|
| 43 | 43 |
t.Log(selinux.Getcon()) |
| 44 |
- t.Log(selinux.Getfilecon("/etc/passwd"))
|
|
| 45 | 44 |
err = selinux.Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0")
|
| 46 | 45 |
if err == nil {
|
| 47 | 46 |
t.Log(selinux.Getfscreatecon()) |
| ... | ... |
@@ -11,6 +11,7 @@ import ( |
| 11 | 11 |
"github.com/dotcloud/docker/image" |
| 12 | 12 |
"github.com/dotcloud/docker/pkg/graphdb" |
| 13 | 13 |
"github.com/dotcloud/docker/pkg/mount" |
| 14 |
+ "github.com/dotcloud/docker/pkg/selinux" |
|
| 14 | 15 |
"github.com/dotcloud/docker/pkg/sysinfo" |
| 15 | 16 |
"github.com/dotcloud/docker/runconfig" |
| 16 | 17 |
"github.com/dotcloud/docker/runtime/execdriver" |
| ... | ... |
@@ -723,6 +724,9 @@ func NewRuntime(config *daemonconfig.Config, eng *engine.Engine) (*Runtime, erro |
| 723 | 723 |
} |
| 724 | 724 |
|
| 725 | 725 |
func NewRuntimeFromDirectory(config *daemonconfig.Config, eng *engine.Engine) (*Runtime, error) {
|
| 726 |
+ if !config.EnableSelinuxSupport {
|
|
| 727 |
+ selinux.SetDisabled() |
|
| 728 |
+ } |
|
| 726 | 729 |
|
| 727 | 730 |
// Set the default driver |
| 728 | 731 |
graphdriver.DefaultDriver = config.GraphDriver |
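Review bot: The new branch turns SELinux labelling off without any log output, and because ConfigFromJob in this same commit hardcodes `EnableSelinuxSupport` to false, the branch currently runs on every daemon start; an operator inspecting a running daemon gets no signal that labels are not being applied. Emitting one startup line from whatever logger this file already uses, e.g. `<logger-call>("SELinux support disabled by configuration")` placed just before `selinux.SetDisabled()`, makes the state discoverable. NewRuntimeFromDirectory's body continues outside the hunk.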