From 73c82386148fe14a47cc515c622bd23b9b7d99b9 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Tue, 31 Oct 2017 15:53:11 +0100
Subject: [PATCH] bump opencontainers/selinux to b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd

This vendoring fixes two issues.
1. When a user specifies an SELinux MCS Label (level) to override moby picking an unigue MCS label, the code currently picks a label then overrides with the user selected. This works fine, except the unique MCS Label is leaked and will not be used until the daemon is restarted.
2. The override label, is not reserved. This could potentially cause an issue where the daemon could pick the same MCS Label again for a different container. (~ 1/500,000 Chance).
The updated selinux go bindings, now release the overriden unigue label, and reserve the one specified by the user.
Signed-off-by: Sebastiaan van Stijn
---
 vendor.conf | 2 +-
 .../opencontainers/selinux/go-selinux/label/label_selinux.go | 2 ++
 .../github.com/opencontainers/selinux/go-selinux/selinux.go | 4 ++--
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/vendor.conf b/vendor.conf
index c3c551eb00..f5a6002d56 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -143,7 +143,7 @@ github.com/Nvveen/Gotty a8b993ba6abdb0e0c12b0125c603323a71c7790c https://github.
 
 # metrics
 github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18
-github.com/opencontainers/selinux v1.0.0-rc1
+github.com/opencontainers/selinux b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd
 
 # archive/tar
 # mkdir -p ./vendor/archive
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index 569dcf0841..c008a387bf 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -49,8 +49,10 @@ func InitLabels(options []string) (string, string, error) {
 				mcon[con[0]] = con[1]
 			}
 		}
+		_ = ReleaseLabel(processLabel)
 		processLabel = pcon.Get()
 		mountLabel = mcon.Get()
+		_ = ReserveLabel(processLabel)
 	}
 	return processLabel, mountLabel, nil
 }
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
index 4cf2c45de7..de9316c2e2 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
@@ -213,7 +213,7 @@ func SetFileLabel(path string, label string) error {
 	return lsetxattr(path, xattrNameSelinux, []byte(label), 0)
 }
 
-// Filecon returns the SELinux label for this path or returns an error.
+// FileLabel returns the SELinux label for this path or returns an error.
 func FileLabel(path string) (string, error) {
 	label, err := lgetxattr(path, xattrNameSelinux)
 	if err != nil {
@@ -331,7 +331,7 @@ func EnforceMode() int {
 }
 
 /*
-SetEnforce sets the current SELinux mode Enforcing, Permissive.
+SetEnforceMode sets the current SELinux mode Enforcing, Permissive.
 Disabled is not valid, since this needs to be set at boot time.
 */
 func SetEnforceMode(mode int) error {