@@ -6,7 +6,7 @@ ARG SYSTEMD="false"

 ARG GO_VERSION=1.13.15

 ARG DEBIAN_FRONTEND=noninteractive

 ARG VPNKIT_VERSION=0.4.0

-ARG DOCKER_BUILDTAGS="apparmor seccomp selinux"

+ARG DOCKER_BUILDTAGS="apparmor seccomp"

 ARG BASE_DEBIAN_DISTRO="buster"

 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

@@ -45,6 +45,7 @@ import (

 	lntypes "github.com/docker/libnetwork/types"

 	"github.com/moby/sys/mount"

 	specs "github.com/opencontainers/runtime-spec/specs-go"

+	"github.com/opencontainers/selinux/go-selinux"

 	"github.com/opencontainers/selinux/go-selinux/label"

 	"github.com/pkg/errors"

 	"github.com/sirupsen/logrus"

@@ -822,7 +823,7 @@ func overlaySupportsSelinux() (bool, error) {

 // configureKernelSecuritySupport configures and validates security support for the kernel

 func configureKernelSecuritySupport(config *config.Config, driverName string) error {

 	if config.EnableSelinuxSupport {

-		if !selinuxEnabled() {

+		if !selinux.GetEnabled() {

 			logrus.Warn("Docker could not enable SELinux on the host system")

 			return nil

 		}

@@ -840,7 +841,7 @@ func configureKernelSecuritySupport(config *config.Config, driverName string) er

 			}

 		}

 	} else {

-		selinuxSetDisabled()

+		selinux.SetDisabled()

 	}

 	return nil

 }

@@ -11,6 +11,7 @@ import (

 	"github.com/docker/docker/container"

 	"github.com/docker/docker/errdefs"

 	"github.com/docker/docker/pkg/system"

+	"github.com/opencontainers/selinux/go-selinux"

 	"github.com/pkg/errors"

 	"github.com/sirupsen/logrus"

 )

@@ -134,7 +135,7 @@ func (daemon *Daemon) cleanupContainer(container *container.Container, forceRemo

 	}

 	linkNames := daemon.linkIndex.delete(container)

-	selinuxFreeLxcContexts(container.ProcessLabel)

+	selinux.ReleaseLabel(container.ProcessLabel)

 	daemon.idIndex.Delete(container.ID)

 	daemon.containers.Delete(container.ID)

 	daemon.containersReplica.Delete(container)

@@ -22,6 +22,7 @@ import (

 	"github.com/docker/docker/pkg/system"

 	"github.com/docker/docker/registry"

 	metrics "github.com/docker/go-metrics"

+	"github.com/opencontainers/selinux/go-selinux"

 	"github.com/sirupsen/logrus"

 )

@@ -188,7 +189,7 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf

 		}

 		securityOptions = append(securityOptions, fmt.Sprintf("name=seccomp,profile=%s", profile))

 	}

-	if selinuxEnabled() {

+	if selinux.GetEnabled() {

 		securityOptions = append(securityOptions, "name=selinux")

 	}

 	if rootIDs := daemon.idMapping.RootPair(); rootIDs.UID != 0 || rootIDs.GID != 0 {

deleted file mode 100644

@@ -1,15 +0,0 @@

-package daemon // import "github.com/docker/docker/daemon"

-

-import selinux "github.com/opencontainers/selinux/go-selinux"

-

-func selinuxSetDisabled() {

-	selinux.SetDisabled()

-}

-

-func selinuxFreeLxcContexts(label string) {

-	selinux.ReleaseLabel(label)

-}

-

-func selinuxEnabled() bool {

-	return selinux.GetEnabled()

-}

deleted file mode 100644

@@ -1,13 +0,0 @@

-// +build !linux

-

-package daemon // import "github.com/docker/docker/daemon"

-

-func selinuxSetDisabled() {

-}

-

-func selinuxFreeLxcContexts(label string) {

-}

-

-func selinuxEnabled() bool {

-	return false

-}

@@ -157,12 +157,6 @@ export DOCKER_BUILDTAGS='apparmor'

 ```

 If you're building a binary that may need to be used on platforms that include

-SELinux, you will need to use the `selinux` build tag:

-```bash

-export DOCKER_BUILDTAGS='selinux'

-```

-

-If you're building a binary that may need to be used on platforms that include

 seccomp, you will need to use the `seccomp` build tag:

 ```bash

 export DOCKER_BUILDTAGS='seccomp'

@@ -188,7 +182,7 @@ export DOCKER_BUILDTAGS='exclude_graphdriver_aufs'

 NOTE: if you need to set more than one build tag, space separate them:

 ```bash

-export DOCKER_BUILDTAGS='apparmor selinux exclude_graphdriver_aufs'

+export DOCKER_BUILDTAGS='apparmor exclude_graphdriver_aufs'

 ```

 ### LCOW (Linux Containers On Windows)

@@ -176,7 +176,7 @@ github.com/morikuni/aec                             39771216ff4c63d11f5e604076f9

 # metrics

 github.com/docker/go-metrics                        b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1

-github.com/opencontainers/selinux                   63ad55b76fd78d4c76c2f5491f68516e60c9d523 # v1.7.0

+github.com/opencontainers/selinux                   2f45b3796d18f1ab4c9fc0c888a98d0a0fd6e429 # v1.8.0

 github.com/willf/bitset                             559910e8471e48d76d9e5a1ba15842dee77ad45d # v1.1.11

@@ -6,7 +6,8 @@ Common SELinux package used across the container ecosystem.

 ## Usage

-When compiling consumers of this project, the `selinux` build tag must be used to enable selinux functionality.

+Prior to v1.8.0, the `selinux` build tag had to be used to enable selinux functionality for compiling consumers of this project.

+Starting with v1.8.0, the `selinux` build tag is no longer needed.

 For complete documentation, see [godoc](https://godoc.org/github.com/opencontainers/selinux).

@@ -5,9 +5,6 @@ This package uses a selinux build tag to enable the selinux functionality. This

 allows non-linux and linux users who do not have selinux support to still use

 tools that rely on this library.

-To compile with full selinux support use the -tags=selinux option in your build

-and test commands.

-

 Usage:

 	import "github.com/opencontainers/selinux/go-selinux"

new file mode 100644

@@ -0,0 +1,190 @@

+package label

+

+import (

+	"os"

+	"os/user"

+	"strings"

+

+	"github.com/opencontainers/selinux/go-selinux"

+	"github.com/pkg/errors"

+)

+

+// Valid Label Options

+var validOptions = map[string]bool{

+	"disable":  true,

+	"type":     true,

+	"filetype": true,

+	"user":     true,

+	"role":     true,

+	"level":    true,

+}

+

+var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be used together")

+

+// InitLabels returns the process label and file labels to be used within

+// the container.  A list of options can be passed into this function to alter

+// the labels.  The labels returned will include a random MCS String, that is

+// guaranteed to be unique.

+func InitLabels(options []string) (plabel string, mlabel string, retErr error) {

+	if !selinux.GetEnabled() {

+		return "", "", nil

+	}

+	processLabel, mountLabel := selinux.ContainerLabels()

+	if processLabel != "" {

+		defer func() {

+			if retErr != nil {

+				selinux.ReleaseLabel(mountLabel)

+			}

+		}()

+		pcon, err := selinux.NewContext(processLabel)

+		if err != nil {

+			return "", "", err

+		}

+		mcsLevel := pcon["level"]

+		mcon, err := selinux.NewContext(mountLabel)

+		if err != nil {

+			return "", "", err

+		}

+		for _, opt := range options {

+			if opt == "disable" {

+				return "", mountLabel, nil

+			}

+			if i := strings.Index(opt, ":"); i == -1 {

+				return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)

+			}

+			con := strings.SplitN(opt, ":", 2)

+			if !validOptions[con[0]] {

+				return "", "", errors.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])

+			}

+			if con[0] == "filetype" {

+				mcon["type"] = con[1]

+				continue

+			}

+			pcon[con[0]] = con[1]

+			if con[0] == "level" || con[0] == "user" {

+				mcon[con[0]] = con[1]

+			}

+		}

+		if pcon.Get() != processLabel {

+			if pcon["level"] != mcsLevel {

+				selinux.ReleaseLabel(processLabel)

+			}

+			processLabel = pcon.Get()

+			selinux.ReserveLabel(processLabel)

+		}

+		mountLabel = mcon.Get()

+	}

+	return processLabel, mountLabel, nil

+}

+

+// Deprecated: The GenLabels function is only to be used during the transition

+// to the official API. Use InitLabels(strings.Fields(options)) instead.

+func GenLabels(options string) (string, string, error) {

+	return InitLabels(strings.Fields(options))

+}

+

+// SetFileLabel modifies the "path" label to the specified file label

+func SetFileLabel(path string, fileLabel string) error {

+	if !selinux.GetEnabled() || fileLabel == "" {

+		return nil

+	}

+	return selinux.SetFileLabel(path, fileLabel)

+}

+

+// SetFileCreateLabel tells the kernel the label for all files to be created

+func SetFileCreateLabel(fileLabel string) error {

+	if !selinux.GetEnabled() {

+		return nil

+	}

+	return selinux.SetFSCreateLabel(fileLabel)

+}

+

+// Relabel changes the label of path to the filelabel string.

+// It changes the MCS label to s0 if shared is true.

+// This will allow all containers to share the content.

+func Relabel(path string, fileLabel string, shared bool) error {

+	if !selinux.GetEnabled() || fileLabel == "" {

+		return nil

+	}

+

+	exclude_paths := map[string]bool{

+		"/":           true,

+		"/bin":        true,

+		"/boot":       true,

+		"/dev":        true,

+		"/etc":        true,

+		"/etc/passwd": true,

+		"/etc/pki":    true,

+		"/etc/shadow": true,

+		"/home":       true,

+		"/lib":        true,

+		"/lib64":      true,

+		"/media":      true,

+		"/opt":        true,

+		"/proc":       true,

+		"/root":       true,

+		"/run":        true,

+		"/sbin":       true,

+		"/srv":        true,

+		"/sys":        true,

+		"/tmp":        true,

+		"/usr":        true,

+		"/var":        true,

+		"/var/lib":    true,

+		"/var/log":    true,

+	}

+

+	if home := os.Getenv("HOME"); home != "" {

+		exclude_paths[home] = true

+	}

+

+	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {

+		if usr, err := user.Lookup(sudoUser); err == nil {

+			exclude_paths[usr.HomeDir] = true

+		}

+	}

+

+	if path != "/" {

+		path = strings.TrimSuffix(path, "/")

+	}

+	if exclude_paths[path] {

+		return errors.Errorf("SELinux relabeling of %s is not allowed", path)

+	}

+

+	if shared {

+		c, err := selinux.NewContext(fileLabel)

+		if err != nil {

+			return err

+		}

+

+		c["level"] = "s0"

+		fileLabel = c.Get()

+	}

+	if err := selinux.Chcon(path, fileLabel, true); err != nil {

+		return err

+	}

+	return nil

+}

+

+// DisableSecOpt returns a security opt that can disable labeling

+// support for future container processes

+// Deprecated: use selinux.DisableSecOpt

+var DisableSecOpt = selinux.DisableSecOpt

+

+// Validate checks that the label does not include unexpected options

+func Validate(label string) error {

+	if strings.Contains(label, "z") && strings.Contains(label, "Z") {

+		return ErrIncompatibleLabel

+	}

+	return nil

+}

+

+// RelabelNeeded checks whether the user requested a relabel

+func RelabelNeeded(label string) bool {

+	return strings.Contains(label, "z") || strings.Contains(label, "Z")

+}

+

+// IsShared checks that the label includes a "shared" mark

+func IsShared(label string) bool {

+	return strings.Contains(label, "z")

+}

deleted file mode 100644

@@ -1,192 +0,0 @@

-// +build selinux,linux

-

-package label

-

-import (

-	"os"

-	"os/user"

-	"strings"

-

-	"github.com/opencontainers/selinux/go-selinux"

-	"github.com/pkg/errors"

-)

-

-// Valid Label Options

-var validOptions = map[string]bool{

-	"disable":  true,

-	"type":     true,

-	"filetype": true,

-	"user":     true,

-	"role":     true,

-	"level":    true,

-}

-

-var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be used together")

-

-// InitLabels returns the process label and file labels to be used within

-// the container.  A list of options can be passed into this function to alter

-// the labels.  The labels returned will include a random MCS String, that is

-// guaranteed to be unique.

-func InitLabels(options []string) (plabel string, mlabel string, retErr error) {

-	if !selinux.GetEnabled() {

-		return "", "", nil

-	}

-	processLabel, mountLabel := selinux.ContainerLabels()

-	if processLabel != "" {

-		defer func() {

-			if retErr != nil {

-				selinux.ReleaseLabel(mountLabel)

-			}

-		}()

-		pcon, err := selinux.NewContext(processLabel)

-		if err != nil {

-			return "", "", err

-		}

-		mcsLevel := pcon["level"]

-		mcon, err := selinux.NewContext(mountLabel)

-		if err != nil {

-			return "", "", err

-		}

-		for _, opt := range options {

-			if opt == "disable" {

-				return "", mountLabel, nil

-			}

-			if i := strings.Index(opt, ":"); i == -1 {

-				return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)

-			}

-			con := strings.SplitN(opt, ":", 2)

-			if !validOptions[con[0]] {

-				return "", "", errors.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])

-			}

-			if con[0] == "filetype" {

-				mcon["type"] = con[1]

-				continue

-			}

-			pcon[con[0]] = con[1]

-			if con[0] == "level" || con[0] == "user" {

-				mcon[con[0]] = con[1]

-			}

-		}

-		if pcon.Get() != processLabel {

-			if pcon["level"] != mcsLevel {

-				selinux.ReleaseLabel(processLabel)

-			}

-			processLabel = pcon.Get()

-			selinux.ReserveLabel(processLabel)

-		}

-		mountLabel = mcon.Get()

-	}

-	return processLabel, mountLabel, nil

-}

-

-// Deprecated: The GenLabels function is only to be used during the transition

-// to the official API. Use InitLabels(strings.Fields(options)) instead.

-func GenLabels(options string) (string, string, error) {

-	return InitLabels(strings.Fields(options))

-}

-

-// SetFileLabel modifies the "path" label to the specified file label

-func SetFileLabel(path string, fileLabel string) error {

-	if !selinux.GetEnabled() || fileLabel == "" {

-		return nil

-	}

-	return selinux.SetFileLabel(path, fileLabel)

-}

-

-// SetFileCreateLabel tells the kernel the label for all files to be created

-func SetFileCreateLabel(fileLabel string) error {

-	if !selinux.GetEnabled() {

-		return nil

-	}

-	return selinux.SetFSCreateLabel(fileLabel)

-}

-

-// Relabel changes the label of path to the filelabel string.

-// It changes the MCS label to s0 if shared is true.

-// This will allow all containers to share the content.

-func Relabel(path string, fileLabel string, shared bool) error {

-	if !selinux.GetEnabled() || fileLabel == "" {

-		return nil

-	}

-

-	exclude_paths := map[string]bool{

-		"/":           true,

-		"/bin":        true,

-		"/boot":       true,

-		"/dev":        true,

-		"/etc":        true,

-		"/etc/passwd": true,

-		"/etc/pki":    true,

-		"/etc/shadow": true,

-		"/home":       true,

-		"/lib":        true,

-		"/lib64":      true,

-		"/media":      true,

-		"/opt":        true,

-		"/proc":       true,

-		"/root":       true,

-		"/run":        true,

-		"/sbin":       true,

-		"/srv":        true,

-		"/sys":        true,

-		"/tmp":        true,

-		"/usr":        true,

-		"/var":        true,

-		"/var/lib":    true,

-		"/var/log":    true,

-	}

-

-	if home := os.Getenv("HOME"); home != "" {

-		exclude_paths[home] = true

-	}

-

-	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {

-		if usr, err := user.Lookup(sudoUser); err == nil {

-			exclude_paths[usr.HomeDir] = true

-		}

-	}

-

-	if path != "/" {

-		path = strings.TrimSuffix(path, "/")

-	}

-	if exclude_paths[path] {

-		return errors.Errorf("SELinux relabeling of %s is not allowed", path)

-	}

-

-	if shared {

-		c, err := selinux.NewContext(fileLabel)

-		if err != nil {

-			return err

-		}

-

-		c["level"] = "s0"

-		fileLabel = c.Get()

-	}

-	if err := selinux.Chcon(path, fileLabel, true); err != nil {

-		return err

-	}

-	return nil

-}

-

-// DisableSecOpt returns a security opt that can disable labeling

-// support for future container processes

-// Deprecated: use selinux.DisableSecOpt

-var DisableSecOpt = selinux.DisableSecOpt

-

-// Validate checks that the label does not include unexpected options

-func Validate(label string) error {

-	if strings.Contains(label, "z") && strings.Contains(label, "Z") {

-		return ErrIncompatibleLabel

-	}

-	return nil

-}

-

-// RelabelNeeded checks whether the user requested a relabel

-func RelabelNeeded(label string) bool {

-	return strings.Contains(label, "z") || strings.Contains(label, "Z")

-}

-

-// IsShared checks that the label includes a "shared" mark

-func IsShared(label string) bool {

-	return strings.Contains(label, "z")

-}

@@ -1,4 +1,4 @@

-// +build !selinux !linux

+// +build !linux

 package label

@@ -1,5 +1,3 @@

-// +build selinux,linux

-

 package selinux

 import (

@@ -1,4 +1,4 @@

-// +build !selinux !linux

+// +build !linux

 package selinux

deleted file mode 100644

@@ -1,40 +0,0 @@

-// +build selinux,linux

-

-package selinux

-

-import (

-	"golang.org/x/sys/unix"

-)

-

-// lgetxattr returns a []byte slice containing the value of

-// an extended attribute attr set for path.

-func lgetxattr(path, attr string) ([]byte, error) {

-	// Start with a 128 length byte array

-	dest := make([]byte, 128)

-	sz, errno := doLgetxattr(path, attr, dest)

-	for errno == unix.ERANGE {

-		// Buffer too small, use zero-sized buffer to get the actual size

-		sz, errno = doLgetxattr(path, attr, []byte{})

-		if errno != nil {

-			return nil, errno

-		}

-

-		dest = make([]byte, sz)

-		sz, errno = doLgetxattr(path, attr, dest)

-	}

-	if errno != nil {

-		return nil, errno

-	}

-

-	return dest[:sz], nil

-}

-

-// doLgetxattr is a wrapper that retries on EINTR

-func doLgetxattr(path, attr string, dest []byte) (int, error) {

-	for {

-		sz, err := unix.Lgetxattr(path, attr, dest)

-		if err != unix.EINTR {

-			return sz, err

-		}

-	}

-}

new file mode 100644

@@ -0,0 +1,38 @@

+package selinux

+

+import (

+	"golang.org/x/sys/unix"

+)

+

+// lgetxattr returns a []byte slice containing the value of

+// an extended attribute attr set for path.

+func lgetxattr(path, attr string) ([]byte, error) {

+	// Start with a 128 length byte array

+	dest := make([]byte, 128)

+	sz, errno := doLgetxattr(path, attr, dest)

+	for errno == unix.ERANGE {

+		// Buffer too small, use zero-sized buffer to get the actual size

+		sz, errno = doLgetxattr(path, attr, []byte{})

+		if errno != nil {

+			return nil, errno

+		}

+

+		dest = make([]byte, sz)

+		sz, errno = doLgetxattr(path, attr, dest)

+	}

+	if errno != nil {

+		return nil, errno

+	}

+

+	return dest[:sz], nil

+}

+

+// doLgetxattr is a wrapper that retries on EINTR

+func doLgetxattr(path, attr string, dest []byte) (int, error) {

+	for {

+		sz, err := unix.Lgetxattr(path, attr, dest)

+		if err != unix.EINTR {

+			return sz, err

+		}

+	}

+}