Merge pull request #144 from runcom/vendor-runc-label-selinux
vendor opencontainers/runc 3abefdff18bc201199c5dfd0e91e941cb4c61376
commit
0898f1cb61
4 changed files with 18 additions and 30 deletions
|
@ -72,7 +72,7 @@ clone git github.com/golang/protobuf 3c84672111d91bb5ac31719e112f9f7126a0e26e
|
|||
clone git github.com/golang/glog 44145f04b68cf362d9c4df2182967c2275eaefed
|
||||
clone git github.com/gorilla/mux v1.1
|
||||
clone git github.com/imdario/mergo 6633656539c1639d9d78127b7d47c622b5d7b6dc
|
||||
clone git github.com/opencontainers/runc cc29e3dded8e27ba8f65738f40d251c885030a28
|
||||
clone git github.com/opencontainers/runc 3abefdff18bc201199c5dfd0e91e941cb4c61376
|
||||
clone git github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852
|
||||
clone git github.com/gogo/protobuf 43a2e0b1c32252bfbbdf81f7faa7a88fb3fa4028
|
||||
clone git github.com/gorilla/context v1.1
|
||||
|
|
|
@ -33,15 +33,19 @@ func InitLabels(options []string) (string, string, error) {
|
|||
pcon := selinux.NewContext(processLabel)
|
||||
mcon := selinux.NewContext(mountLabel)
|
||||
for _, opt := range options {
|
||||
if opt == "disable" {
|
||||
val := strings.SplitN(opt, "=", 2)
|
||||
if val[0] != "label" {
|
||||
continue
|
||||
}
|
||||
if len(val) < 2 {
|
||||
return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
|
||||
}
|
||||
if val[1] == "disable" {
|
||||
return "", "", nil
|
||||
}
|
||||
if i := strings.Index(opt, ":"); i == -1 {
|
||||
return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
|
||||
}
|
||||
con := strings.SplitN(opt, ":", 2)
|
||||
if !validOptions[con[0]] {
|
||||
return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
|
||||
con := strings.SplitN(val[1], ":", 2)
|
||||
if len(con) < 2 || !validOptions[con[0]] {
|
||||
return "", "", fmt.Errorf("bad label option %q, valid options 'disable, user, role, level, type'", con[0])
|
||||
|
||||
}
|
||||
pcon[con[0]] = con[1]
|
||||
|
@ -129,7 +133,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
|
|||
|
||||
exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true}
|
||||
if exclude_paths[path] {
|
||||
return fmt.Errorf("Relabeling of %s is not allowed", path)
|
||||
return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
|
||||
}
|
||||
|
||||
if shared {
|
||||
|
@ -137,7 +141,10 @@ func Relabel(path string, fileLabel string, shared bool) error {
|
|||
c["level"] = "s0"
|
||||
fileLabel = c.Get()
|
||||
}
|
||||
return selinux.Chcon(path, fileLabel, true)
|
||||
if err := selinux.Chcon(path, fileLabel, true); err != nil {
|
||||
return fmt.Errorf("SELinux relabeling of %s is not allowed: %q", path, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetPidLabel will return the label of the process running with the specified pid
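Review bot: In Relabel, the exclusion lookup `exclude_paths[path]` compares the caller's string exactly as given, so a non-canonical spelling of an excluded directory (a trailing slash or a `.` component, for instance) would not match the map keys and would fall through to `selinux.Chcon(path, fileLabel, true)`, whose third argument presumably makes the relabel recursive. Normalising before the lookup, `if exclude_paths[filepath.Clean(path)] {`, would close that gap; the import block is not visible here, so `path/filepath` may need to be added. Separately, the new wrapper reports every Chcon failure as "is not allowed", which reads as a policy denial even when the cause is something else; a neutral `"SELinux relabeling of %s failed: %v"` would be more accurate. Relabel begins before the hunk, and the page has lost its +/- markers, so this assumes the second line of each old/new pair is the new side.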
|
||||
|
|
|
@ -8,7 +8,7 @@ import (
|
|||
|
||||
// Setuid sets the uid of the calling thread to the specified uid.
|
||||
func Setuid(uid int) (err error) {
|
||||
_, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
|
||||
_, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID32, uintptr(uid), 0, 0)
|
||||
if e1 != 0 {
|
||||
err = e1
|
||||
}
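Review bot: Setuid's comment says the uid is set for the calling thread but does not tell callers what that implies: a raw setuid system call changes the credentials of the current OS thread only, so in a multi-threaded Go process the other threads keep the previous uid. I would extend the comment with something like `// Only the current OS thread is affected; call it from a locked thread (runtime.LockOSThread) immediately before exec.` so that the privilege drop is not assumed to be process-wide. `SYS_SETUID32` exists only on some 32-bit architectures, so this file is presumably build-constrained to one of them; the file name and build tags are not visible on this page. The function body continues past the end of the hunk.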
|
||||
|
|
|
@ -4,28 +4,9 @@ package system
|
|||
|
||||
/*
|
||||
#include <unistd.h>
|
||||
#include <limits.h>
|
||||
|
||||
int GetLongBit() {
|
||||
#ifdef _SC_LONG_BIT
|
||||
int longbits;
|
||||
|
||||
longbits = sysconf(_SC_LONG_BIT);
|
||||
if (longbits < 0) {
|
||||
longbits = (CHAR_BIT * sizeof(long));
|
||||
}
|
||||
return longbits;
|
||||
#else
|
||||
return (CHAR_BIT * sizeof(long));
|
||||
#endif
|
||||
}
|
||||
*/
|
||||
import "C"
|
||||
|
||||
func GetClockTicks() int {
|
||||
return int(C.sysconf(C._SC_CLK_TCK))
|
||||
}
|
||||
|
||||
func GetLongBit() int {
|
||||
return int(C.GetLongBit())
|
||||
}
|
||||
|
|