Merge pull request #144 from runcom/vendor-runc-label-selinux

vendor opencontainers/runc 3abefdff18bc201199c5dfd0e91e941cb4c61376
This commit is contained in:
Mrunal Patel 2016-10-14 08:31:34 -07:00 committed by GitHub
commit 0898f1cb61
4 changed files with 18 additions and 30 deletions

View file

@ -72,7 +72,7 @@ clone git github.com/golang/protobuf 3c84672111d91bb5ac31719e112f9f7126a0e26e
clone git github.com/golang/glog 44145f04b68cf362d9c4df2182967c2275eaefed
clone git github.com/gorilla/mux v1.1
clone git github.com/imdario/mergo 6633656539c1639d9d78127b7d47c622b5d7b6dc
clone git github.com/opencontainers/runc cc29e3dded8e27ba8f65738f40d251c885030a28
clone git github.com/opencontainers/runc 3abefdff18bc201199c5dfd0e91e941cb4c61376
clone git github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852
clone git github.com/gogo/protobuf 43a2e0b1c32252bfbbdf81f7faa7a88fb3fa4028
clone git github.com/gorilla/context v1.1

View file

@ -33,15 +33,19 @@ func InitLabels(options []string) (string, string, error) {
pcon := selinux.NewContext(processLabel)
mcon := selinux.NewContext(mountLabel)
for _, opt := range options {
if opt == "disable" {
val := strings.SplitN(opt, "=", 2)
if val[0] != "label" {
continue
}
if len(val) < 2 {
return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
}
if val[1] == "disable" {
return "", "", nil
}
if i := strings.Index(opt, ":"); i == -1 {
return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
}
con := strings.SplitN(opt, ":", 2)
if !validOptions[con[0]] {
return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
con := strings.SplitN(val[1], ":", 2)
if len(con) < 2 || !validOptions[con[0]] {
return "", "", fmt.Errorf("bad label option %q, valid options 'disable, user, role, level, type'", con[0])
}
pcon[con[0]] = con[1]
@ -129,7 +133,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true}
if exclude_paths[path] {
return fmt.Errorf("Relabeling of %s is not allowed", path)
return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
}
if shared {
@ -137,7 +141,10 @@ func Relabel(path string, fileLabel string, shared bool) error {
c["level"] = "s0"
fileLabel = c.Get()
}
return selinux.Chcon(path, fileLabel, true)
if err := selinux.Chcon(path, fileLabel, true); err != nil {
return fmt.Errorf("SELinux relabeling of %s is not allowed: %q", path, err)
}
return nil
}
// GetPidLabel will return the label of the process running with the specified pid

View file

@ -8,7 +8,7 @@ import (
// Setuid sets the uid of the calling thread to the specified uid.
func Setuid(uid int) (err error) {
_, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
_, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID32, uintptr(uid), 0, 0)
if e1 != 0 {
err = e1
}

View file

@ -4,28 +4,9 @@ package system
/*
#include <unistd.h>
#include <limits.h>
int GetLongBit() {
#ifdef _SC_LONG_BIT
int longbits;
longbits = sysconf(_SC_LONG_BIT);
if (longbits < 0) {
longbits = (CHAR_BIT * sizeof(long));
}
return longbits;
#else
return (CHAR_BIT * sizeof(long));
#endif
}
*/
import "C"
func GetClockTicks() int {
return int(C.sysconf(C._SC_CLK_TCK))
}
func GetLongBit() int {
return int(C.GetLongBit())
}