Merge pull request #5448 from crosbymichael/selinux-defaults
Add selinux label support for processes and mount
This commit is contained in:
Guillaume J. Charmes
commit
b6344f992e
6 changed files with 53 additions and 18 deletions
|
|
@ -24,3 +24,7 @@ func GetPidCon(pid int) (string, error) {
|
|||
|
||||
func Init() {
|
||||
}
|
||||
|
||||
func ReserveLabel(label string) error {
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,8 +4,9 @@ package label
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/dotcloud/docker/pkg/selinux"
|
||||
"strings"
|
||||
|
||||
"github.com/dotcloud/docker/pkg/selinux"
|
||||
)
|
||||
|
||||
func GenLabels(options string) (string, string, error) {
|
||||
|
|
@ -32,13 +33,13 @@ func GenLabels(options string) (string, string, error) {
|
|||
return processLabel, mountLabel, err
|
||||
}
|
||||
|
||||
func FormatMountLabel(src string, mountLabel string) string {
|
||||
if selinux.SelinuxEnabled() && mountLabel != "" {
|
||||
func FormatMountLabel(src, mountLabel string) string {
|
||||
if mountLabel != "" {
|
||||
switch src {
|
||||
case "":
|
||||
src = fmt.Sprintf("%s,context=%s", src, mountLabel)
|
||||
src = fmt.Sprintf("context=%q", mountLabel)
|
||||
default:
|
||||
src = fmt.Sprintf("context=%s", mountLabel)
|
||||
src = fmt.Sprintf("%s,context=%q", src, mountLabel)
|
||||
}
|
||||
}
|
||||
return src
|
||||
|
|
@ -75,3 +76,8 @@ func GetPidCon(pid int) (string, error) {
|
|||
func Init() {
|
||||
selinux.SelinuxEnabled()
|
||||
}
|
||||
|
||||
func ReserveLabel(label string) error {
|
||||
selinux.ReserveLabel(label)
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,14 +4,15 @@ package mount
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"syscall"
|
||||
|
||||
"github.com/dotcloud/docker/pkg/label"
|
||||
"github.com/dotcloud/docker/pkg/libcontainer"
|
||||
"github.com/dotcloud/docker/pkg/libcontainer/mount/nodes"
|
||||
"github.com/dotcloud/docker/pkg/libcontainer/security/restrict"
|
||||
"github.com/dotcloud/docker/pkg/system"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
// default mount point flags
|
||||
|
|
@ -130,11 +131,12 @@ func newSystemMounts(rootfs, mountLabel string, mounts libcontainer.Mounts) []mo
|
|||
}
|
||||
|
||||
if len(mounts.OfType("devtmpfs")) == 1 {
|
||||
systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: "mode=755"})
|
||||
systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)})
|
||||
}
|
||||
systemMounts = append(systemMounts,
|
||||
mount{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
|
||||
mount{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)})
|
||||
mount{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
|
||||
)
|
||||
|
||||
if len(mounts.OfType("sysfs")) == 1 {
|
||||
systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags})
|
||||
|
|
|
|||
|
|
@ -75,8 +75,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
|
|||
}
|
||||
}
|
||||
runtime.LockOSThread()
|
||||
|
||||
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
|
||||
return fmt.Errorf("SetProcessLabel label %s", err)
|
||||
return fmt.Errorf("set process label %s", err)
|
||||
}
|
||||
ns.logger.Printf("execing %s\n", args[0])
|
||||
return system.Execv(args[0], args[0:], container.Env)
|
||||
|
|
|
|||
|
|
@ -146,15 +146,15 @@ func Setfilecon(path string, scon string) error {
|
|||
}
|
||||
|
||||
func Setfscreatecon(scon string) error {
|
||||
return writeCon("/proc/self/attr/fscreate", scon)
|
||||
return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/fscreate", system.Gettid()), scon)
|
||||
}
|
||||
|
||||
func Getfscreatecon() (string, error) {
|
||||
return readCon("/proc/self/attr/fscreate")
|
||||
return readCon(fmt.Sprintf("/proc/self/task/%d/attr/fscreate", system.Gettid()))
|
||||
}
|
||||
|
||||
func getcon() (string, error) {
|
||||
return readCon("/proc/self/attr/current")
|
||||
return readCon(fmt.Sprintf("/proc/self/task/%d/attr/current", system.Gettid()))
|
||||
}
|
||||
|
||||
func Getpidcon(pid int) (string, error) {
|
||||
|
|
@ -204,6 +204,13 @@ func NewContext(scon string) SELinuxContext {
|
|||
return c
|
||||
}
|
||||
|
||||
func ReserveLabel(scon string) {
|
||||
if len(scon) != 0 {
|
||||
con := strings.SplitN(scon, ":", 4)
|
||||
mcsAdd(con[3])
|
||||
}
|
||||
}
|
||||
|
||||
func SelinuxGetEnforce() int {
|
||||
var enforce int
|
||||
|
||||
|
|
@ -229,8 +236,12 @@ func SelinuxGetEnforceMode() int {
|
|||
return Disabled
|
||||
}
|
||||
|
||||
func mcsAdd(mcs string) {
|
||||
func mcsAdd(mcs string) error {
|
||||
if mcsList[mcs] {
|
||||
return fmt.Errorf("MCS Label already exists")
|
||||
}
|
||||
mcsList[mcs] = true
|
||||
return nil
|
||||
}
|
||||
|
||||
func mcsDelete(mcs string) {
|
||||
|
|
@ -283,15 +294,21 @@ func uniqMcs(catRange uint32) string {
|
|||
}
|
||||
}
|
||||
mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
|
||||
if mcsExists(mcs) {
|
||||
if err := mcsAdd(mcs); err != nil {
|
||||
continue
|
||||
}
|
||||
mcsAdd(mcs)
|
||||
break
|
||||
}
|
||||
return mcs
|
||||
}
|
||||
|
||||
func FreeLxcContexts(scon string) {
|
||||
if len(scon) != 0 {
|
||||
con := strings.SplitN(scon, ":", 4)
|
||||
mcsDelete(con[3])
|
||||
}
|
||||
}
|
||||
|
||||
func GetLxcContexts() (processLabel string, fileLabel string) {
|
||||
var (
|
||||
val, key string
|
||||
|
|
@ -344,7 +361,8 @@ func GetLxcContexts() (processLabel string, fileLabel string) {
|
|||
}
|
||||
|
||||
exit:
|
||||
mcs := IntToMcs(os.Getpid(), 1024)
|
||||
// mcs := IntToMcs(os.Getpid(), 1024)
|
||||
mcs := uniqMcs(1024)
|
||||
scon := NewContext(processLabel)
|
||||
scon["level"] = mcs
|
||||
processLabel = scon.Get()
|
||||
|
|
@ -373,6 +391,8 @@ func CopyLevel(src, dest string) (string, error) {
|
|||
}
|
||||
scon := NewContext(src)
|
||||
tcon := NewContext(dest)
|
||||
mcsDelete(tcon["level"])
|
||||
mcsAdd(scon["level"])
|
||||
tcon["level"] = scon["level"]
|
||||
return tcon.Get(), nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -31,9 +31,11 @@ func TestSELinux(t *testing.T) {
|
|||
plabel, flabel = selinux.GetLxcContexts()
|
||||
t.Log(plabel)
|
||||
t.Log(flabel)
|
||||
selinux.FreeLxcContexts(plabel)
|
||||
plabel, flabel = selinux.GetLxcContexts()
|
||||
t.Log(plabel)
|
||||
t.Log(flabel)
|
||||
selinux.FreeLxcContexts(plabel)
|
||||
t.Log("getenforce ", selinux.SelinuxGetEnforce())
|
||||
t.Log("getenforcemode ", selinux.SelinuxGetEnforceMode())
|
||||
pid := os.Getpid()
|
||||
|
|
|
|||
Loading…
Reference in a new issue