1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Merge pull request #42478 from thaJeztah/bump_selinux

vendor: github.com/opencontainers/selinux v1.8.2
This commit is contained in:
Justin Cormack 2021-06-10 10:52:02 +01:00 committed by GitHub
commit f45ca809a6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 55 additions and 25 deletions

View file

@ -179,8 +179,8 @@ github.com/morikuni/aec 39771216ff4c63d11f5e604076f9
# metrics
github.com/docker/go-metrics b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1
github.com/opencontainers/selinux 2f45b3796d18f1ab4c9fc0c888a98d0a0fd6e429 # v1.8.0
github.com/willf/bitset 559910e8471e48d76d9e5a1ba15842dee77ad45d # v1.1.11
github.com/opencontainers/selinux 76bc82e11d854d3e40c08889d13c98abcea72ea2 # v1.8.2
github.com/bits-and-blooms/bitset 59de210119f50cedaa42d175dc88b6335fcf63f6 # v1.2.0
# archive/tar

View file

@ -2,10 +2,9 @@
*Go language library to map between non-negative integers and boolean values*
[![Test](https://github.com/willf/bitset/workflows/Test/badge.svg)](https://github.com/willf/bitset/actions?query=workflow%3ATest)
[![Master Coverage Status](https://coveralls.io/repos/willf/bitset/badge.svg?branch=master&service=github)](https://coveralls.io/github/willf/bitset?branch=master)
[![Test](https://github.com/bits-and-blooms/bitset/workflows/Test/badge.svg)](https://github.com/willf/bitset/actions?query=workflow%3ATest)
[![Go Report Card](https://goreportcard.com/badge/github.com/willf/bitset)](https://goreportcard.com/report/github.com/willf/bitset)
[![PkgGoDev](https://pkg.go.dev/badge/github.com/willf/bitset?tab=doc)](https://pkg.go.dev/github.com/willf/bitset?tab=doc)
[![PkgGoDev](https://pkg.go.dev/badge/github.com/bits-and-blooms/bitset?tab=doc)](https://pkg.go.dev/github.com/bits-and-blooms/bitset?tab=doc)
## Description
@ -30,7 +29,7 @@ import (
"fmt"
"math/rand"
"github.com/willf/bitset"
"github.com/bits-and-blooms/bitset"
)
func main() {
@ -63,7 +62,7 @@ func main() {
As an alternative to BitSets, one should check out the 'big' package, which provides a (less set-theoretical) view of bitsets.
Package documentation is at: https://pkg.go.dev/github.com/willf/bitset?tab=doc
Package documentation is at: https://pkg.go.dev/github.com/bits-and-blooms/bitset?tab=doc
## Memory Usage
@ -78,7 +77,7 @@ It is possible that a later version will match the `math/bits` return signature
## Installation
```bash
go get github.com/willf/bitset
go get github.com/bits-and-blooms/bitset
```
## Contributing

View file

@ -209,6 +209,27 @@ func (b *BitSet) Flip(i uint) *BitSet {
return b
}
// FlipRange bit in [start, end).
// If end>= Cap(), this function will panic.
// Warning: using a very large value for 'end'
// may lead to a memory shortage and a panic: the caller is responsible
// for providing sensible parameters in line with their memory capacity.
func (b *BitSet) FlipRange(start, end uint) *BitSet {
if start >= end {
return b
}
b.extendSetMaybe(end - 1)
var startWord uint = start >> log2WordSize
var endWord uint = end >> log2WordSize
b.set[startWord] ^= ^(^uint64(0) << (start & (wordSize - 1)))
for i := startWord; i < endWord; i++ {
b.set[i] = ^b.set[i]
}
b.set[endWord] ^= ^uint64(0) >> (-end & (wordSize - 1))
return b
}
// Shrink shrinks BitSet so that the provided value is the last possible
// set value. It clears all bits > the provided index and reduces the size
// and length of the set.
@ -519,7 +540,7 @@ func (b *BitSet) Copy(c *BitSet) (count uint) {
}
// Count (number of set bits).
// Also known as "popcount" or "popularity count".
// Also known as "popcount" or "population count".
func (b *BitSet) Count() uint {
if b != nil && b.set != nil {
return uint(popcntSlice(b.set))

3
vendor/github.com/bits-and-blooms/bitset/go.mod generated vendored Normal file
View file

@ -0,0 +1,3 @@
module github.com/bits-and-blooms/bitset
go 1.14

View file

@ -1,10 +1,6 @@
/*
Package selinux provides a high-level interface for interacting with selinux.
This package uses a selinux build tag to enable the selinux functionality. This
allows non-linux and linux users who do not have selinux support to still use
tools that rely on this library.
Usage:
import "github.com/opencontainers/selinux/go-selinux"

View file

@ -25,6 +25,8 @@ var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be use
// the container. A list of options can be passed into this function to alter
// the labels. The labels returned will include a random MCS String, that is
// guaranteed to be unique.
// If the disabled flag is passed in, the process label will not be set, but the mount label will be set
// to the container_file label with the maximum category. This label is not usable by any confined label.
func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
if !selinux.GetEnabled() {
return "", "", nil
@ -47,7 +49,8 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
}
for _, opt := range options {
if opt == "disable" {
return "", mountLabel, nil
selinux.ReleaseLabel(mountLabel)
return "", selinux.PrivContainerMountLabel(), nil
}
if i := strings.Index(opt, ":"); i == -1 {
return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)

View file

@ -11,9 +11,10 @@ const (
Permissive = 0
// Disabled constant to indicate SELinux is disabled
Disabled = -1
// maxCategory is the maximum number of categories used within containers
maxCategory = 1024
// DefaultCategoryRange is the upper bound on the category range
DefaultCategoryRange = uint32(1024)
DefaultCategoryRange = uint32(maxCategory)
)
var (
@ -276,3 +277,8 @@ func DisableSecOpt() []string {
func GetDefaultContextWithLevel(user, level, scon string) (string, error) {
return getDefaultContextWithLevel(user, level, scon)
}
// PrivContainerMountLabel returns mount label for privileged containers
func PrivContainerMountLabel() string {
return privContainerMountLabel
}

View file

@ -16,9 +16,9 @@ import (
"strings"
"sync"
"github.com/bits-and-blooms/bitset"
"github.com/opencontainers/selinux/pkg/pwalk"
"github.com/pkg/errors"
"github.com/willf/bitset"
"golang.org/x/sys/unix"
)
@ -892,13 +892,13 @@ func openContextFile() (*os.File, error) {
return os.Open(lxcPath)
}
var labels = loadLabels()
var labels, privContainerMountLabel = loadLabels()
func loadLabels() map[string]string {
func loadLabels() (map[string]string, string) {
labels := make(map[string]string)
in, err := openContextFile()
if err != nil {
return labels
return labels, ""
}
defer in.Close()
@ -920,7 +920,10 @@ func loadLabels() map[string]string {
}
}
return labels
con, _ := NewContext(labels["file"])
con["level"] = fmt.Sprintf("s0:c%d,c%d", maxCategory-2, maxCategory-1)
reserveLabel(con.get())
return labels, con.get()
}
// kvmContainerLabels returns the default processLabel and mountLabel to be used

View file

@ -2,6 +2,8 @@
package selinux
const privContainerMountLabel = ""
func setDisabled() {
}

View file

@ -3,7 +3,7 @@ module github.com/opencontainers/selinux
go 1.13
require (
github.com/bits-and-blooms/bitset v1.2.0
github.com/pkg/errors v0.9.1
github.com/willf/bitset v1.1.11
golang.org/x/sys v0.0.0-20191115151921-52ab43148777
)

View file

@ -1,3 +0,0 @@
module github.com/willf/bitset
go 1.14