Merge pull request #5448 from crosbymichael/selinux-defaults
Add selinux label support for processes and mount
This commit is contained in:
Guillaume J. Charmes
commit
b6344f992e
6 changed files with 53 additions and 18 deletions
|
|
@ -24,3 +24,7 @@ func GetPidCon(pid int) (string, error) {
|
||||||
|
|
||||||
func Init() {
|
func Init() {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func ReserveLabel(label string) error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -4,8 +4,9 @@ package label
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/dotcloud/docker/pkg/selinux"
|
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"github.com/dotcloud/docker/pkg/selinux"
|
||||||
)
|
)
|
||||||
|
|
||||||
func GenLabels(options string) (string, string, error) {
|
func GenLabels(options string) (string, string, error) {
|
||||||
|
|
@ -32,13 +33,13 @@ func GenLabels(options string) (string, string, error) {
|
||||||
return processLabel, mountLabel, err
|
return processLabel, mountLabel, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func FormatMountLabel(src string, mountLabel string) string {
|
func FormatMountLabel(src, mountLabel string) string {
|
||||||
if selinux.SelinuxEnabled() && mountLabel != "" {
|
if mountLabel != "" {
|
||||||
switch src {
|
switch src {
|
||||||
case "":
|
case "":
|
||||||
src = fmt.Sprintf("%s,context=%s", src, mountLabel)
|
src = fmt.Sprintf("context=%q", mountLabel)
|
||||||
default:
|
default:
|
||||||
src = fmt.Sprintf("context=%s", mountLabel)
|
src = fmt.Sprintf("%s,context=%q", src, mountLabel)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return src
|
return src
|
||||||
|
|
@ -75,3 +76,8 @@ func GetPidCon(pid int) (string, error) {
|
||||||
func Init() {
|
func Init() {
|
||||||
selinux.SelinuxEnabled()
|
selinux.SelinuxEnabled()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func ReserveLabel(label string) error {
|
||||||
|
selinux.ReserveLabel(label)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -4,14 +4,15 @@ package mount
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
"syscall"
|
||||||
|
|
||||||
"github.com/dotcloud/docker/pkg/label"
|
"github.com/dotcloud/docker/pkg/label"
|
||||||
"github.com/dotcloud/docker/pkg/libcontainer"
|
"github.com/dotcloud/docker/pkg/libcontainer"
|
||||||
"github.com/dotcloud/docker/pkg/libcontainer/mount/nodes"
|
"github.com/dotcloud/docker/pkg/libcontainer/mount/nodes"
|
||||||
"github.com/dotcloud/docker/pkg/libcontainer/security/restrict"
|
"github.com/dotcloud/docker/pkg/libcontainer/security/restrict"
|
||||||
"github.com/dotcloud/docker/pkg/system"
|
"github.com/dotcloud/docker/pkg/system"
|
||||||
"os"
|
|
||||||
"path/filepath"
|
|
||||||
"syscall"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// default mount point flags
|
// default mount point flags
|
||||||
|
|
@ -130,11 +131,12 @@ func newSystemMounts(rootfs, mountLabel string, mounts libcontainer.Mounts) []mo
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(mounts.OfType("devtmpfs")) == 1 {
|
if len(mounts.OfType("devtmpfs")) == 1 {
|
||||||
systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: "mode=755"})
|
systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)})
|
||||||
}
|
}
|
||||||
systemMounts = append(systemMounts,
|
systemMounts = append(systemMounts,
|
||||||
mount{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
|
mount{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
|
||||||
mount{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)})
|
mount{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
|
||||||
|
)
|
||||||
|
|
||||||
if len(mounts.OfType("sysfs")) == 1 {
|
if len(mounts.OfType("sysfs")) == 1 {
|
||||||
systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags})
|
systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags})
|
||||||
|
|
|
||||||
|
|
@ -75,8 +75,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
runtime.LockOSThread()
|
runtime.LockOSThread()
|
||||||
|
|
||||||
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
|
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
|
||||||
return fmt.Errorf("SetProcessLabel label %s", err)
|
return fmt.Errorf("set process label %s", err)
|
||||||
}
|
}
|
||||||
ns.logger.Printf("execing %s\n", args[0])
|
ns.logger.Printf("execing %s\n", args[0])
|
||||||
return system.Execv(args[0], args[0:], container.Env)
|
return system.Execv(args[0], args[0:], container.Env)
|
||||||
|
|
|
||||||
|
|
@ -146,15 +146,15 @@ func Setfilecon(path string, scon string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func Setfscreatecon(scon string) error {
|
func Setfscreatecon(scon string) error {
|
||||||
return writeCon("/proc/self/attr/fscreate", scon)
|
return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/fscreate", system.Gettid()), scon)
|
||||||
}
|
}
|
||||||
|
|
||||||
func Getfscreatecon() (string, error) {
|
func Getfscreatecon() (string, error) {
|
||||||
return readCon("/proc/self/attr/fscreate")
|
return readCon(fmt.Sprintf("/proc/self/task/%d/attr/fscreate", system.Gettid()))
|
||||||
}
|
}
|
||||||
|
|
||||||
func getcon() (string, error) {
|
func getcon() (string, error) {
|
||||||
return readCon("/proc/self/attr/current")
|
return readCon(fmt.Sprintf("/proc/self/task/%d/attr/current", system.Gettid()))
|
||||||
}
|
}
|
||||||
|
|
||||||
func Getpidcon(pid int) (string, error) {
|
func Getpidcon(pid int) (string, error) {
|
||||||
|
|
@ -204,6 +204,13 @@ func NewContext(scon string) SELinuxContext {
|
||||||
return c
|
return c
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func ReserveLabel(scon string) {
|
||||||
|
if len(scon) != 0 {
|
||||||
|
con := strings.SplitN(scon, ":", 4)
|
||||||
|
mcsAdd(con[3])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func SelinuxGetEnforce() int {
|
func SelinuxGetEnforce() int {
|
||||||
var enforce int
|
var enforce int
|
||||||
|
|
||||||
|
|
@ -229,8 +236,12 @@ func SelinuxGetEnforceMode() int {
|
||||||
return Disabled
|
return Disabled
|
||||||
}
|
}
|
||||||
|
|
||||||
func mcsAdd(mcs string) {
|
func mcsAdd(mcs string) error {
|
||||||
|
if mcsList[mcs] {
|
||||||
|
return fmt.Errorf("MCS Label already exists")
|
||||||
|
}
|
||||||
mcsList[mcs] = true
|
mcsList[mcs] = true
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func mcsDelete(mcs string) {
|
func mcsDelete(mcs string) {
|
||||||
|
|
@ -283,15 +294,21 @@ func uniqMcs(catRange uint32) string {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
|
mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
|
||||||
if mcsExists(mcs) {
|
if err := mcsAdd(mcs); err != nil {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
mcsAdd(mcs)
|
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
return mcs
|
return mcs
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func FreeLxcContexts(scon string) {
|
||||||
|
if len(scon) != 0 {
|
||||||
|
con := strings.SplitN(scon, ":", 4)
|
||||||
|
mcsDelete(con[3])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func GetLxcContexts() (processLabel string, fileLabel string) {
|
func GetLxcContexts() (processLabel string, fileLabel string) {
|
||||||
var (
|
var (
|
||||||
val, key string
|
val, key string
|
||||||
|
|
@ -344,7 +361,8 @@ func GetLxcContexts() (processLabel string, fileLabel string) {
|
||||||
}
|
}
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
mcs := IntToMcs(os.Getpid(), 1024)
|
// mcs := IntToMcs(os.Getpid(), 1024)
|
||||||
|
mcs := uniqMcs(1024)
|
||||||
scon := NewContext(processLabel)
|
scon := NewContext(processLabel)
|
||||||
scon["level"] = mcs
|
scon["level"] = mcs
|
||||||
processLabel = scon.Get()
|
processLabel = scon.Get()
|
||||||
|
|
@ -373,6 +391,8 @@ func CopyLevel(src, dest string) (string, error) {
|
||||||
}
|
}
|
||||||
scon := NewContext(src)
|
scon := NewContext(src)
|
||||||
tcon := NewContext(dest)
|
tcon := NewContext(dest)
|
||||||
|
mcsDelete(tcon["level"])
|
||||||
|
mcsAdd(scon["level"])
|
||||||
tcon["level"] = scon["level"]
|
tcon["level"] = scon["level"]
|
||||||
return tcon.Get(), nil
|
return tcon.Get(), nil
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -31,9 +31,11 @@ func TestSELinux(t *testing.T) {
|
||||||
plabel, flabel = selinux.GetLxcContexts()
|
plabel, flabel = selinux.GetLxcContexts()
|
||||||
t.Log(plabel)
|
t.Log(plabel)
|
||||||
t.Log(flabel)
|
t.Log(flabel)
|
||||||
|
selinux.FreeLxcContexts(plabel)
|
||||||
plabel, flabel = selinux.GetLxcContexts()
|
plabel, flabel = selinux.GetLxcContexts()
|
||||||
t.Log(plabel)
|
t.Log(plabel)
|
||||||
t.Log(flabel)
|
t.Log(flabel)
|
||||||
|
selinux.FreeLxcContexts(plabel)
|
||||||
t.Log("getenforce ", selinux.SelinuxGetEnforce())
|
t.Log("getenforce ", selinux.SelinuxGetEnforce())
|
||||||
t.Log("getenforcemode ", selinux.SelinuxGetEnforceMode())
|
t.Log("getenforcemode ", selinux.SelinuxGetEnforceMode())
|
||||||
pid := os.Getpid()
|
pid := os.Getpid()
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue