d0559e92af
Added --selinux-enable switch to daemon to enable SELinux labeling. The daemon will now generate a new unique random SELinux label when a container starts, and remove it when the container is removed. The MCS labels will be stored in the daemon's memory. The labels of containers will be stored in the container.json file. When the daemon restarts, on boot or when done by an admin, it will read all containers' json files and reserve the MCS labels. A potential problem would be conflicts if you set up thousands of containers; the current scheme would handle ~500,000 containers. Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan) Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: crosbymichael)
// +build selinux,linux
package label
import (
"fmt"
"github.com/dotcloud/docker/pkg/selinux"
"strings"
)
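// GenLabels derives the SELinux process label and mount label for a new
// container from the LXC contexts supplied by the selinux package.
//
// options is a whitespace-separated list of key=value pairs; each key is
// set on the process context before the context is regenerated, and the
// level of the resulting process label is then copied onto the mount
// label so that the two agree.
//
// It returns empty labels and a nil error when SELinux is disabled. It
// returns an error when an option is not of the form key=value or when
// the level cannot be copied; the labels are meaningless in that case.
func GenLabels(options string) (string, string, error) {
	if !selinux.SelinuxEnabled() {
		return "", "", nil
	}
	processLabel, mountLabel := selinux.GetLxcContexts()
	if processLabel == "" {
		return processLabel, mountLabel, nil
	}
	opts := strings.Fields(options)
	if len(opts) == 0 {
		// Nothing to override: keep the contexts exactly as provided.
		return processLabel, mountLabel, nil
	}
	pcon := selinux.NewContext(processLabel)
	for _, opt := range opts {
		// Reject malformed options instead of indexing past the split
		// result (an option without '=' used to panic the caller).
		// SplitN keeps any '=' that appears inside the value.
		kv := strings.SplitN(opt, "=", 2)
		if len(kv) != 2 || kv[0] == "" {
			return "", "", fmt.Errorf("invalid label option %q: expected key=value", opt)
		}
		pcon[kv[0]] = kv[1]
	}
	processLabel = pcon.Get()
	mountLabel, err := selinux.CopyLevel(processLabel, mountLabel)
	if err != nil {
		return "", "", err
	}
	return processLabel, mountLabel, nil
}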
// FormatMountLabel appends an SELinux "context" option carrying mountLabel
// to the mount option string src. The label is quoted with %q. When
// mountLabel is empty, src is returned unchanged; when src is empty, the
// result is the context option alone.
func FormatMountLabel(src, mountLabel string) string {
	if mountLabel == "" {
		return src
	}
	ctxOpt := fmt.Sprintf("context=%q", mountLabel)
	if src == "" {
		return ctxOpt
	}
	return src + "," + ctxOpt
}
// SetProcessLabel installs processLabel as the exec context via
// selinux.Setexeccon, the analogue of setexeccon(3). It is a no-op
// that returns nil when SELinux is disabled.
func SetProcessLabel(processLabel string) error {
	if !selinux.SelinuxEnabled() {
		return nil
	}
	return selinux.Setexeccon(processLabel)
}
// GetProcessLabel reads the current exec context via selinux.Getexeccon.
// It returns an empty label and a nil error when SELinux is disabled.
func GetProcessLabel() (string, error) {
	if !selinux.SelinuxEnabled() {
		return "", nil
	}
	return selinux.Getexeccon()
}
// SetFileLabel applies fileLabel to the file at path via
// selinux.Setfilecon. It is a no-op that returns nil when SELinux is
// disabled or when fileLabel is empty, so callers may pass the empty
// label GenLabels yields on non-SELinux hosts without special-casing it.
func SetFileLabel(path string, fileLabel string) error {
	if fileLabel == "" || !selinux.SelinuxEnabled() {
		return nil
	}
	return selinux.Setfilecon(path, fileLabel)
}
// GetPidCon returns the SELinux context of the process identified by pid
// via selinux.Getpidcon. It returns an empty context and a nil error when
// SELinux is disabled.
func GetPidCon(pid int) (string, error) {
	if selinux.SelinuxEnabled() {
		return selinux.Getpidcon(pid)
	}
	return "", nil
}
// Init calls selinux.SelinuxEnabled and discards the result.
// NOTE(review): presumably this primes whatever state the selinux
// package computes on first use; confirm against pkg/selinux.
func Init() {
	_ = selinux.SelinuxEnabled()
}
// ReserveLabel hands label to selinux.ReserveLabel so that the selinux
// package does not generate it again for another container. Unlike the
// other helpers here it does not check whether SELinux is enabled first.
func ReserveLabel(label string) {
	selinux.ReserveLabel(label)
}