Merge pull request #42478 from thaJeztah/bump_selinux

vendor: github.com/opencontainers/selinux v1.8.2

vendor.conf

@@ -179,8 +179,8 @@ github.com/morikuni/aec                             39771216ff4c63d11f5e604076f9
 # metrics
 github.com/docker/go-metrics                        b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1
 
-github.com/opencontainers/selinux                   2f45b3796d18f1ab4c9fc0c888a98d0a0fd6e429 # v1.8.0
-github.com/willf/bitset                             559910e8471e48d76d9e5a1ba15842dee77ad45d # v1.1.11
+github.com/opencontainers/selinux                   76bc82e11d854d3e40c08889d13c98abcea72ea2 # v1.8.2
+github.com/bits-and-blooms/bitset                   59de210119f50cedaa42d175dc88b6335fcf63f6 # v1.2.0
 
 
 # archive/tar

vendor/github.com/bits-and-blooms/bitset/README.md

@@ -2,10 +2,9 @@
 
 *Go language library to map between non-negative integers and boolean values*
 
-[![Test](https://github.com/willf/bitset/workflows/Test/badge.svg)](https://github.com/willf/bitset/actions?query=workflow%3ATest)
-[![Master Coverage Status](https://coveralls.io/repos/willf/bitset/badge.svg?branch=master&service=github)](https://coveralls.io/github/willf/bitset?branch=master)
+[![Test](https://github.com/bits-and-blooms/bitset/workflows/Test/badge.svg)](https://github.com/willf/bitset/actions?query=workflow%3ATest)
 [![Go Report Card](https://goreportcard.com/badge/github.com/willf/bitset)](https://goreportcard.com/report/github.com/willf/bitset)
-[![PkgGoDev](https://pkg.go.dev/badge/github.com/willf/bitset?tab=doc)](https://pkg.go.dev/github.com/willf/bitset?tab=doc)
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/bits-and-blooms/bitset?tab=doc)](https://pkg.go.dev/github.com/bits-and-blooms/bitset?tab=doc)
 
 
 ## Description
@@ -30,7 +29,7 @@ import (
 	"fmt"
 	"math/rand"
 
-	"github.com/willf/bitset"
+	"github.com/bits-and-blooms/bitset"
 )
 
 func main() {
@@ -63,7 +62,7 @@ func main() {
 
 As an alternative to BitSets, one should check out the 'big' package, which provides a (less set-theoretical) view of bitsets.
 
-Package documentation is at: https://pkg.go.dev/github.com/willf/bitset?tab=doc
+Package documentation is at: https://pkg.go.dev/github.com/bits-and-blooms/bitset?tab=doc
 
 ## Memory Usage
 
@@ -78,7 +77,7 @@ It is possible that a later version will match the `math/bits` return signature
 ## Installation
 
 ```bash
-go get github.com/willf/bitset
+go get github.com/bits-and-blooms/bitset
 ```
 
 ## Contributing

vendor/github.com/bits-and-blooms/bitset/bitset.go

@@ -209,6 +209,27 @@ func (b *BitSet) Flip(i uint) *BitSet {
 	return b
 }
 
+// FlipRange bit in [start, end).
+// If end>= Cap(), this function will panic.
+// Warning: using a very large value for 'end'
+// may lead to a memory shortage and a panic: the caller is responsible
+// for providing sensible parameters in line with their memory capacity.
+func (b *BitSet) FlipRange(start, end uint) *BitSet {
+	if start >= end {
+		return b
+	}
+
+	b.extendSetMaybe(end - 1)
+	var startWord uint = start >> log2WordSize
+	var endWord uint = end >> log2WordSize
+	b.set[startWord] ^= ^(^uint64(0) << (start & (wordSize - 1)))
+	for i := startWord; i < endWord; i++ {
+		b.set[i] = ^b.set[i]
+	}
+	b.set[endWord] ^= ^uint64(0) >> (-end & (wordSize - 1))
+	return b
+}
+
 // Shrink shrinks BitSet so that the provided value is the last possible
 // set value. It clears all bits > the provided index and reduces the size
 // and length of the set.
@@ -519,7 +540,7 @@ func (b *BitSet) Copy(c *BitSet) (count uint) {
 }
 
 // Count (number of set bits).
-// Also known as "popcount" or "popularity count".
+// Also known as "popcount" or "population count".
 func (b *BitSet) Count() uint {
 	if b != nil && b.set != nil {
 		return uint(popcntSlice(b.set))

vendor/github.com/bits-and-blooms/bitset/go.mod

@@ -0,0 +1,3 @@
+module github.com/bits-and-blooms/bitset
+
+go 1.14

vendor/github.com/opencontainers/selinux/go-selinux/doc.go

@@ -1,10 +1,6 @@
 /*
 Package selinux provides a high-level interface for interacting with selinux.
 
-This package uses a selinux build tag to enable the selinux functionality. This
-allows non-linux and linux users who do not have selinux support to still use
-tools that rely on this library.
-
 Usage:
 
 	import "github.com/opencontainers/selinux/go-selinux"

vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go

@@ -25,6 +25,8 @@ var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be use
 // the container.  A list of options can be passed into this function to alter
 // the labels.  The labels returned will include a random MCS String, that is
 // guaranteed to be unique.
+// If the disabled flag is passed in, the process label will not be set, but the mount label will be set
+// to the container_file label with the maximum category. This label is not usable by any confined label.
 func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 	if !selinux.GetEnabled() {
 		return "", "", nil
@@ -47,7 +49,8 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 		}
 		for _, opt := range options {
 			if opt == "disable" {
-				return "", mountLabel, nil
+				selinux.ReleaseLabel(mountLabel)
+				return "", selinux.PrivContainerMountLabel(), nil
 			}
 			if i := strings.Index(opt, ":"); i == -1 {
 				return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)

vendor/github.com/opencontainers/selinux/go-selinux/selinux.go

@@ -11,9 +11,10 @@ const (
 	Permissive = 0
 	// Disabled constant to indicate SELinux is disabled
 	Disabled = -1
-
+	// maxCategory is the maximum number of categories used within containers
+	maxCategory = 1024
 	// DefaultCategoryRange is the upper bound on the category range
-	DefaultCategoryRange = uint32(1024)
+	DefaultCategoryRange = uint32(maxCategory)
 )
 
 var (
@@ -276,3 +277,8 @@ func DisableSecOpt() []string {
 func GetDefaultContextWithLevel(user, level, scon string) (string, error) {
 	return getDefaultContextWithLevel(user, level, scon)
 }
+
+// PrivContainerMountLabel returns mount label for privileged containers
+func PrivContainerMountLabel() string {
+	return privContainerMountLabel
+}

vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go

@@ -16,9 +16,9 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/bits-and-blooms/bitset"
 	"github.com/opencontainers/selinux/pkg/pwalk"
 	"github.com/pkg/errors"
-	"github.com/willf/bitset"
 	"golang.org/x/sys/unix"
 )
 
@@ -892,13 +892,13 @@ func openContextFile() (*os.File, error) {
 	return os.Open(lxcPath)
 }
 
-var labels = loadLabels()
+var labels, privContainerMountLabel = loadLabels()
 
-func loadLabels() map[string]string {
+func loadLabels() (map[string]string, string) {
 	labels := make(map[string]string)
 	in, err := openContextFile()
 	if err != nil {
-		return labels
+		return labels, ""
 	}
 	defer in.Close()
 
@@ -920,7 +920,10 @@ func loadLabels() map[string]string {
 		}
 	}
 
-	return labels
+	con, _ := NewContext(labels["file"])
+	con["level"] = fmt.Sprintf("s0:c%d,c%d", maxCategory-2, maxCategory-1)
+	reserveLabel(con.get())
+	return labels, con.get()
 }
 
 // kvmContainerLabels returns the default processLabel and mountLabel to be used

vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go

@@ -2,6 +2,8 @@
 
 package selinux
 
+const privContainerMountLabel = ""
+
 func setDisabled() {
 }
 

vendor/github.com/opencontainers/selinux/go.mod

@@ -3,7 +3,7 @@ module github.com/opencontainers/selinux
 go 1.13
 
 require (
+	github.com/bits-and-blooms/bitset v1.2.0
 	github.com/pkg/errors v0.9.1
-	github.com/willf/bitset v1.1.11
 	golang.org/x/sys v0.0.0-20191115151921-52ab43148777
 )

vendor/github.com/willf/bitset/go.mod

@@ -1,3 +0,0 @@
-module github.com/willf/bitset
-
-go 1.14