authorMichael Crosby <michael@crosbymichael.com>2014-04-07 14:43:50 -0700
committerMichael Crosby <michael@crosbymichael.com>2014-04-07 14:44:53 -0700
commit82f37b874ea17c5e0040f3e41dc761c88d576e33 (patch)
treebec019e38ab8b68ca8a06dea6b1b1f37595ff98f
parentaaf018017c88a707b35115a9411e4069d9356748 (diff)
downloaddocker-82f37b874ea17c5e0040f3e41dc761c88d576e33.tar.gz
Ensure that selinux is disabled by default
This also includes some portability changes so that the package can be imported with the top level runtime. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
-rw-r--r--daemonconfig/config.go2
-rw-r--r--pkg/selinux/selinux.go16
-rw-r--r--pkg/selinux/selinux_test.go5
-rw-r--r--pkg/system/calls_linux.go4
-rw-r--r--pkg/system/unsupported.go4
-rw-r--r--runtime/runtime.go4
6 files changed, 21 insertions, 14 deletions
diff --git a/daemonconfig/config.go b/daemonconfig/config.go
index 1abb6f8b89..146916d79a 100644
--- a/daemonconfig/config.go
+++ b/daemonconfig/config.go
@@ -28,6 +28,7 @@ type Config struct {
ExecDriver string
Mtu int
DisableNetwork bool
+ EnableSelinuxSupport bool
}
// ConfigFromJob creates and returns a new DaemonConfig object
@@ -45,6 +46,7 @@ func ConfigFromJob(job *engine.Job) *Config {
InterContainerCommunication: job.GetenvBool("InterContainerCommunication"),
GraphDriver: job.Getenv("GraphDriver"),
ExecDriver: job.Getenv("ExecDriver"),
+ EnableSelinuxSupport: false, // FIXME: hardcoded default to disable selinux for .10 release
}
if dns := job.GetenvList("Dns"); dns != nil {
config.Dns = dns
diff --git a/pkg/selinux/selinux.go b/pkg/selinux/selinux.go
index 5362308617..d2d90b1b37 100644
--- a/pkg/selinux/selinux.go
+++ b/pkg/selinux/selinux.go
@@ -39,6 +39,11 @@ var (
type SELinuxContext map[string]string
+// SetDisabled disables selinux support for the package
+func SetDisabled() {
+ selinuxEnabled, selinuxEnabledChecked = false, true
+}
+
func GetSelinuxMountPoint() string {
if selinuxfs != "unknown" {
return selinuxfs
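Review bot: SetDisabled assigns the package-level selinuxEnabled and selinuxEnabledChecked with no synchronization, yet its one-line comment reads like a general toggle that may be flipped at any time. The comment should pin down the intended use, for example `// SetDisabled disables selinux support for the package. It must be called once at startup, before any other goroutine uses this package; the flags it sets are not lock-protected.` Whether the readers of those two variables take a lock is not visible in this hunk, so confirm against the rest of selinux.go before wording it that strongly. There is also no visible way to re-enable support once disabled, which is worth stating in the comment if that is deliberate.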
@@ -140,15 +145,6 @@ func Setfilecon(path string, scon string) error {
return system.Lsetxattr(path, xattrNameSelinux, []byte(scon), 0)
}
-func Getfilecon(path string) (string, error) {
- var scon []byte
-
- cnt, err := syscall.Getxattr(path, xattrNameSelinux, scon)
- scon = make([]byte, cnt)
- cnt, err = syscall.Getxattr(path, xattrNameSelinux, scon)
- return string(scon), err
-}
-
func Setfscreatecon(scon string) error {
return writeCon("/proc/self/attr/fscreate", scon)
}
@@ -188,7 +184,7 @@ func writeCon(name string, val string) error {
}
func Setexeccon(scon string) error {
- return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), scon)
+ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", system.Gettid()), scon)
}
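Review bot: Setexeccon now formats system.Gettid() into the task path, but the non-Linux stub added in pkg/system/unsupported.go returns 0, so on those platforms the write targets `/proc/self/task/0/attr/exec` and fails with an opaque open error instead of the package's explicit unsupported-platform error. A guard before the write keeps the failure meaningful: `tid := system.Gettid()` / `if tid == 0 { return system.ErrNotSupportedPlatform }` / `return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", tid), scon)`; on Linux a real thread id is never 0, so the sentinel is safe there. Separately, the thread id only identifies the right task if the calling goroutine stays on that OS thread until the exec happens, which presumably relies on the caller pinning it with runtime.LockOSThread — worth confirming, since otherwise the exec context lands on a thread the caller no longer runs on.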
func (c SELinuxContext) Get() string {
diff --git a/pkg/selinux/selinux_test.go b/pkg/selinux/selinux_test.go
index 6b59c1db11..181452ae75 100644
--- a/pkg/selinux/selinux_test.go
+++ b/pkg/selinux/selinux_test.go
@@ -12,9 +12,7 @@ func testSetfilecon(t *testing.T) {
out, _ := os.OpenFile(tmp, os.O_WRONLY, 0)
out.Close()
err := selinux.Setfilecon(tmp, "system_u:object_r:bin_t:s0")
- if err == nil {
- t.Log(selinux.Getfilecon(tmp))
- } else {
+ if err != nil {
t.Log("Setfilecon failed")
t.Fatal(err)
}
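Review bot: The new failure branch logs a fixed string and then calls t.Fatal with the error, splitting one failure across two output lines; `t.Fatalf("Setfilecon failed: %v", err)` reports the same thing in one call. Note also that the hunk header shows the enclosing function is named testSetfilecon (lowercase), so `go test` does not run it on its own; whether something else invokes it is outside this hunk.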
@@ -41,7 +39,6 @@ func TestSELinux(t *testing.T) {
pid := os.Getpid()
t.Log("PID:%d MCS:%s\n", pid, selinux.IntToMcs(pid, 1023))
t.Log(selinux.Getcon())
- t.Log(selinux.Getfilecon("/etc/passwd"))
err = selinux.Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0")
if err == nil {
t.Log(selinux.Getfscreatecon())
diff --git a/pkg/system/calls_linux.go b/pkg/system/calls_linux.go
index 43c00ed554..cc4727aaa2 100644
--- a/pkg/system/calls_linux.go
+++ b/pkg/system/calls_linux.go
@@ -143,3 +143,7 @@ func SetCloneFlags(cmd *exec.Cmd, flag uintptr) {
}
cmd.SysProcAttr.Cloneflags = flag
}
+
+func Gettid() int {
+ return syscall.Gettid()
+}
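Review bot: Gettid is a new exported function without a doc comment, and the value it returns is subtle enough to need one: syscall.Gettid reports the id of the OS thread the goroutine happens to be on, and the scheduler may move the goroutine to another thread right after the call. I would add `// Gettid returns the kernel thread id of the calling OS thread. The value is only stable while the goroutine is pinned with runtime.LockOSThread.` The stub added in pkg/system/unsupported.go needs the same comment plus a sentence stating that it always returns 0, so callers can treat 0 as "no thread id available" rather than a real task; unlike its sibling UsetCloseOnExec it has no error return to signal the unsupported platform.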
diff --git a/pkg/system/unsupported.go b/pkg/system/unsupported.go
index eb3ec7ee92..c52a1e5d00 100644
--- a/pkg/system/unsupported.go
+++ b/pkg/system/unsupported.go
@@ -13,3 +13,7 @@ func SetCloneFlags(cmd *exec.Cmd, flag uintptr) {
func UsetCloseOnExec(fd uintptr) error {
return ErrNotSupportedPlatform
}
+
+func Gettid() int {
+ return 0
+}
diff --git a/runtime/runtime.go b/runtime/runtime.go
index d35e2d653a..864874c8e4 100644
--- a/runtime/runtime.go
+++ b/runtime/runtime.go
@@ -11,6 +11,7 @@ import (
"github.com/dotcloud/docker/image"
"github.com/dotcloud/docker/pkg/graphdb"
"github.com/dotcloud/docker/pkg/mount"
+ "github.com/dotcloud/docker/pkg/selinux"
"github.com/dotcloud/docker/pkg/sysinfo"
"github.com/dotcloud/docker/runconfig"
"github.com/dotcloud/docker/runtime/execdriver"
@@ -723,6 +724,9 @@ func NewRuntime(config *daemonconfig.Config, eng *engine.Engine) (*Runtime, erro
}
func NewRuntimeFromDirectory(config *daemonconfig.Config, eng *engine.Engine) (*Runtime, error) {
+ if !config.EnableSelinuxSupport {
+ selinux.SetDisabled()
+ }
// Set the default driver
graphdriver.DefaultDriver = config.GraphDriver