From 1c0af18c6c341636ac55644103f922900c616bec Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 14 Dec 2020 11:46:58 +0100 Subject: vendor: opencontainers/selinux v1.8.0, and remove selinux build-tag and stubs full diff: https://github.com/opencontainers/selinux/compare/v1.7.0...v1.8.0 Remove "selinux" build tag Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- daemon/daemon_unix.go | 5 +- daemon/delete.go | 3 +- daemon/info.go | 3 +- daemon/selinux_linux.go | 15 -- daemon/selinux_unsupported.go | 13 -- project/PACKAGERS.md | 8 +- vendor.conf | 2 +- vendor/github.com/opencontainers/selinux/README.md | 3 +- .../opencontainers/selinux/go-selinux/doc.go | 3 - .../selinux/go-selinux/label/label_linux.go | 190 ++++++++++++++++++++ .../selinux/go-selinux/label/label_selinux.go | 192 --------------------- .../selinux/go-selinux/label/label_stub.go | 2 +- .../selinux/go-selinux/selinux_linux.go | 2 - .../selinux/go-selinux/selinux_stub.go | 2 +- .../opencontainers/selinux/go-selinux/xattrs.go | 40 ----- .../selinux/go-selinux/xattrs_linux.go | 38 ++++ 17 files changed, 242 insertions(+), 281 deletions(-) delete mode 100644 daemon/selinux_linux.go delete mode 100644 daemon/selinux_unsupported.go create mode 100644 vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go delete mode 100644 vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go delete mode 100644 vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go create mode 100644 vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go diff --git a/Dockerfile b/Dockerfile index c748a07492..a75fc2578d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,7 @@ ARG SYSTEMD="false" ARG GO_VERSION=1.13.15 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.4.0 -ARG DOCKER_BUILDTAGS="apparmor seccomp selinux" +ARG DOCKER_BUILDTAGS="apparmor seccomp" ARG BASE_DEBIAN_DISTRO="buster" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" 
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go index 69514753fc..5fa688dff4 100644 --- a/daemon/daemon_unix.go +++ b/daemon/daemon_unix.go @@ -45,6 +45,7 @@ import ( lntypes "github.com/docker/libnetwork/types" "github.com/moby/sys/mount" specs "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -822,7 +823,7 @@ func overlaySupportsSelinux() (bool, error) { // configureKernelSecuritySupport configures and validates security support for the kernel func configureKernelSecuritySupport(config *config.Config, driverName string) error { if config.EnableSelinuxSupport { - if !selinuxEnabled() { + if !selinux.GetEnabled() { logrus.Warn("Docker could not enable SELinux on the host system") return nil } @@ -840,7 +841,7 @@ func configureKernelSecuritySupport(config *config.Config, driverName string) er } } } else { - selinuxSetDisabled() + selinux.SetDisabled() } return nil } diff --git a/daemon/delete.go b/daemon/delete.go index 482e7d1270..668f232d1c 100644 --- a/daemon/delete.go +++ b/daemon/delete.go @@ -11,6 +11,7 @@ import ( "github.com/docker/docker/container" "github.com/docker/docker/errdefs" "github.com/docker/docker/pkg/system" + "github.com/opencontainers/selinux/go-selinux" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -134,7 +135,7 @@ func (daemon *Daemon) cleanupContainer(container *container.Container, forceRemo } linkNames := daemon.linkIndex.delete(container) - selinuxFreeLxcContexts(container.ProcessLabel) + selinux.ReleaseLabel(container.ProcessLabel) daemon.idIndex.Delete(container.ID) daemon.containers.Delete(container.ID) daemon.containersReplica.Delete(container) diff --git a/daemon/info.go b/daemon/info.go index 610d7fe2ec..2d4151a991 100644 --- a/daemon/info.go +++ b/daemon/info.go 
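Review bot: The comment on configureKernelSecuritySupport in the second daemon_unix.go hunk does not state that a configured `EnableSelinuxSupport` on a host where `selinux.GetEnabled()` reports false is only logged as a warning and the function returns nil, so the daemon keeps starting without the requested confinement; with the daemon-local stubs removed, this hunk is now the only place a reader can see that degradation. I would extend the doc comment with `// If SELinux support is requested but selinux.GetEnabled() reports it unavailable, only a warning is logged and nil is returned; the daemon continues without SELinux labeling.` The same `selinux.GetEnabled()` call is also used in the info.go hunk, where it only affects the reported security options. The body of configureKernelSecuritySupport continues past this hunk.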
@@ -22,6 +22,7 @@ import ( "github.com/docker/docker/pkg/system" "github.com/docker/docker/registry" metrics "github.com/docker/go-metrics" + "github.com/opencontainers/selinux/go-selinux" "github.com/sirupsen/logrus" ) @@ -188,7 +189,7 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf } securityOptions = append(securityOptions, fmt.Sprintf("name=seccomp,profile=%s", profile)) } - if selinuxEnabled() { + if selinux.GetEnabled() { securityOptions = append(securityOptions, "name=selinux") } if rootIDs := daemon.idMapping.RootPair(); rootIDs.UID != 0 || rootIDs.GID != 0 { diff --git a/daemon/selinux_linux.go b/daemon/selinux_linux.go deleted file mode 100644 index 1f7843ed1e..0000000000 --- a/daemon/selinux_linux.go +++ /dev/null @@ -1,15 +0,0 @@ -package daemon // import "github.com/docker/docker/daemon" - -import selinux "github.com/opencontainers/selinux/go-selinux" - -func selinuxSetDisabled() { - selinux.SetDisabled() -} - -func selinuxFreeLxcContexts(label string) { - selinux.ReleaseLabel(label) -} - -func selinuxEnabled() bool { - return selinux.GetEnabled() -} diff --git a/daemon/selinux_unsupported.go b/daemon/selinux_unsupported.go deleted file mode 100644 index 49d0d13bce..0000000000 --- a/daemon/selinux_unsupported.go +++ /dev/null @@ -1,13 +0,0 @@ -// +build !linux - -package daemon // import "github.com/docker/docker/daemon" - -func selinuxSetDisabled() { -} - -func selinuxFreeLxcContexts(label string) { -} - -func selinuxEnabled() bool { - return false -} diff --git a/project/PACKAGERS.md b/project/PACKAGERS.md index 716aa81813..90447fe289 100644 --- a/project/PACKAGERS.md +++ b/project/PACKAGERS.md 
@@ -156,12 +156,6 @@ AppArmor, you will need to set `DOCKER_BUILDTAGS` as follows: export DOCKER_BUILDTAGS='apparmor' ``` -If you're building a binary that may need to be used on platforms that include -SELinux, you will need to use the `selinux` build tag: -```bash -export DOCKER_BUILDTAGS='selinux' -``` - If you're building a binary that may need to be used on platforms that include seccomp, you will need to use the `seccomp` build tag: ```bash @@ -188,7 +182,7 @@ export DOCKER_BUILDTAGS='exclude_graphdriver_aufs' NOTE: if you need to set more than one build tag, space separate them: ```bash -export DOCKER_BUILDTAGS='apparmor selinux exclude_graphdriver_aufs' +export DOCKER_BUILDTAGS='apparmor exclude_graphdriver_aufs' ``` ### LCOW (Linux Containers On Windows) diff --git a/vendor.conf b/vendor.conf index 0c74186e3e..5802153463 100644 --- a/vendor.conf +++ b/vendor.conf @@ -176,7 +176,7 @@ github.com/morikuni/aec 39771216ff4c63d11f5e604076f9 # metrics github.com/docker/go-metrics b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1 -github.com/opencontainers/selinux 63ad55b76fd78d4c76c2f5491f68516e60c9d523 # v1.7.0 +github.com/opencontainers/selinux 2f45b3796d18f1ab4c9fc0c888a98d0a0fd6e429 # v1.8.0 github.com/willf/bitset 559910e8471e48d76d9e5a1ba15842dee77ad45d # v1.1.11 diff --git a/vendor/github.com/opencontainers/selinux/README.md b/vendor/github.com/opencontainers/selinux/README.md index 41f4df718a..cd6a60f805 100644 --- a/vendor/github.com/opencontainers/selinux/README.md +++ b/vendor/github.com/opencontainers/selinux/README.md 
@@ -6,7 +6,8 @@ Common SELinux package used across the container ecosystem. ## Usage -When compiling consumers of this project, the `selinux` build tag must be used to enable selinux functionality. +Prior to v1.8.0, the `selinux` build tag had to be used to enable selinux functionality for compiling consumers of this project. +Starting with v1.8.0, the `selinux` build tag is no longer needed. For complete documentation, see [godoc](https://godoc.org/github.com/opencontainers/selinux). diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/doc.go b/vendor/github.com/opencontainers/selinux/go-selinux/doc.go index 79a8e6446d..9c9cbd120a 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/doc.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/doc.go @@ -5,9 +5,6 @@ This package uses a selinux build tag to enable the selinux functionality. This allows non-linux and linux users who do not have selinux support to still use tools that rely on this library. -To compile with full selinux support use the -tags=selinux option in your build -and test commands. - Usage: import "github.com/opencontainers/selinux/go-selinux" diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go new file mode 100644 index 0000000000..4394555117 --- /dev/null +++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go 
@@ -0,0 +1,190 @@ +package label + +import ( + "os" + "os/user" + "strings" + + "github.com/opencontainers/selinux/go-selinux" + "github.com/pkg/errors" +) + +// Valid Label Options +var validOptions = map[string]bool{ + "disable": true, + "type": true, + "filetype": true, + "user": true, + "role": true, + "level": true, +} + +var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be used together") + +// InitLabels returns the process label and file labels to be used within +// the container. A list of options can be passed into this function to alter +// the labels. The labels returned will include a random MCS String, that is +// guaranteed to be unique. +func InitLabels(options []string) (plabel string, mlabel string, retErr error) { + if !selinux.GetEnabled() { + return "", "", nil + } + processLabel, mountLabel := selinux.ContainerLabels() + if processLabel != "" { + defer func() { + if retErr != nil { + selinux.ReleaseLabel(mountLabel) + } + }() + pcon, err := selinux.NewContext(processLabel) + if err != nil { + return "", "", err + } + mcsLevel := pcon["level"] + mcon, err := selinux.NewContext(mountLabel) + if err != nil { + return "", "", err + } + for _, opt := range options { + if opt == "disable" { + return "", mountLabel, nil + } + if i := strings.Index(opt, ":"); i == -1 { + return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt) + } + con := strings.SplitN(opt, ":", 2) + if !validOptions[con[0]] { + return "", "", errors.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0]) + } + if con[0] == "filetype" { + mcon["type"] = con[1] + continue + } + pcon[con[0]] = con[1] + if con[0] == "level" || con[0] == "user" { + mcon[con[0]] = con[1] + } + } + if pcon.Get() != processLabel { + if pcon["level"] != mcsLevel { + selinux.ReleaseLabel(processLabel) + } + processLabel = pcon.Get() + 
selinux.ReserveLabel(processLabel) + } + mountLabel = mcon.Get() + } + return processLabel, mountLabel, nil +} + +// Deprecated: The GenLabels function is only to be used during the transition +// to the official API. Use InitLabels(strings.Fields(options)) instead. +func GenLabels(options string) (string, string, error) { + return InitLabels(strings.Fields(options)) +} + +// SetFileLabel modifies the "path" label to the specified file label +func SetFileLabel(path string, fileLabel string) error { + if !selinux.GetEnabled() || fileLabel == "" { + return nil + } + return selinux.SetFileLabel(path, fileLabel) +} + +// SetFileCreateLabel tells the kernel the label for all files to be created +func SetFileCreateLabel(fileLabel string) error { + if !selinux.GetEnabled() { + return nil + } + return selinux.SetFSCreateLabel(fileLabel) +} + +// Relabel changes the label of path to the filelabel string. +// It changes the MCS label to s0 if shared is true. +// This will allow all containers to share the content. 
+func Relabel(path string, fileLabel string, shared bool) error { + if !selinux.GetEnabled() || fileLabel == "" { + return nil + } + + exclude_paths := map[string]bool{ + "/": true, + "/bin": true, + "/boot": true, + "/dev": true, + "/etc": true, + "/etc/passwd": true, + "/etc/pki": true, + "/etc/shadow": true, + "/home": true, + "/lib": true, + "/lib64": true, + "/media": true, + "/opt": true, + "/proc": true, + "/root": true, + "/run": true, + "/sbin": true, + "/srv": true, + "/sys": true, + "/tmp": true, + "/usr": true, + "/var": true, + "/var/lib": true, + "/var/log": true, + } + + if home := os.Getenv("HOME"); home != "" { + exclude_paths[home] = true + } + + if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" { + if usr, err := user.Lookup(sudoUser); err == nil { + exclude_paths[usr.HomeDir] = true + } + } + + if path != "/" { + path = strings.TrimSuffix(path, "/") + } + if exclude_paths[path] { + return errors.Errorf("SELinux relabeling of %s is not allowed", path) + } + + if shared { + c, err := selinux.NewContext(fileLabel) + if err != nil { + return err + } + + c["level"] = "s0" + fileLabel = c.Get() + } + if err := selinux.Chcon(path, fileLabel, true); err != nil { + return err + } + return nil +} + +// DisableSecOpt returns a security opt that can disable labeling +// support for future container processes +// Deprecated: use selinux.DisableSecOpt +var DisableSecOpt = selinux.DisableSecOpt + +// Validate checks that the label does not include unexpected options +func Validate(label string) error { + if strings.Contains(label, "z") && strings.Contains(label, "Z") { + return ErrIncompatibleLabel + } + return nil +} + +// RelabelNeeded checks whether the user requested a relabel +func RelabelNeeded(label string) bool { + return strings.Contains(label, "z") || strings.Contains(label, "Z") +} + +// IsShared checks that the label includes a "shared" mark +func IsShared(label string) bool { + return strings.Contains(label, "z") +} 
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go deleted file mode 100644 index 988adc8f40..0000000000 --- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go +++ /dev/null 
@@ -1,192 +0,0 @@ -// +build selinux,linux - -package label - -import ( - "os" - "os/user" - "strings" - - "github.com/opencontainers/selinux/go-selinux" - "github.com/pkg/errors" -) - -// Valid Label Options -var validOptions = map[string]bool{ - "disable": true, - "type": true, - "filetype": true, - "user": true, - "role": true, - "level": true, -} - -var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be used together") - -// InitLabels returns the process label and file labels to be used within -// the container. A list of options can be passed into this function to alter -// the labels. The labels returned will include a random MCS String, that is -// guaranteed to be unique. -func InitLabels(options []string) (plabel string, mlabel string, retErr error) { - if !selinux.GetEnabled() { - return "", "", nil - } - processLabel, mountLabel := selinux.ContainerLabels() - if processLabel != "" { - defer func() { - if retErr != nil { - selinux.ReleaseLabel(mountLabel) - } - }() - pcon, err := selinux.NewContext(processLabel) - if err != nil { - return "", "", err - } - mcsLevel := pcon["level"] - mcon, err := selinux.NewContext(mountLabel) - if err != nil { - return "", "", err - } - for _, opt := range options { - if opt == "disable" { - return "", mountLabel, nil - } - if i := strings.Index(opt, ":"); i == -1 { - return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt) - } - con := strings.SplitN(opt, ":", 2) - if !validOptions[con[0]] { - return "", "", errors.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0]) - } - if con[0] == "filetype" { - mcon["type"] = con[1] - continue - } - pcon[con[0]] = con[1] - if con[0] == "level" || con[0] == "user" { - mcon[con[0]] = con[1] - } - } - if pcon.Get() != processLabel { - if pcon["level"] != mcsLevel { - selinux.ReleaseLabel(processLabel) - } - processLabel = 
pcon.Get() - selinux.ReserveLabel(processLabel) - } - mountLabel = mcon.Get() - } - return processLabel, mountLabel, nil -} - -// Deprecated: The GenLabels function is only to be used during the transition -// to the official API. Use InitLabels(strings.Fields(options)) instead. -func GenLabels(options string) (string, string, error) { - return InitLabels(strings.Fields(options)) -} - -// SetFileLabel modifies the "path" label to the specified file label -func SetFileLabel(path string, fileLabel string) error { - if !selinux.GetEnabled() || fileLabel == "" { - return nil - } - return selinux.SetFileLabel(path, fileLabel) -} - -// SetFileCreateLabel tells the kernel the label for all files to be created -func SetFileCreateLabel(fileLabel string) error { - if !selinux.GetEnabled() { - return nil - } - return selinux.SetFSCreateLabel(fileLabel) -} - -// Relabel changes the label of path to the filelabel string. -// It changes the MCS label to s0 if shared is true. -// This will allow all containers to share the content. 
-func Relabel(path string, fileLabel string, shared bool) error { - if !selinux.GetEnabled() || fileLabel == "" { - return nil - } - - exclude_paths := map[string]bool{ - "/": true, - "/bin": true, - "/boot": true, - "/dev": true, - "/etc": true, - "/etc/passwd": true, - "/etc/pki": true, - "/etc/shadow": true, - "/home": true, - "/lib": true, - "/lib64": true, - "/media": true, - "/opt": true, - "/proc": true, - "/root": true, - "/run": true, - "/sbin": true, - "/srv": true, - "/sys": true, - "/tmp": true, - "/usr": true, - "/var": true, - "/var/lib": true, - "/var/log": true, - } - - if home := os.Getenv("HOME"); home != "" { - exclude_paths[home] = true - } - - if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" { - if usr, err := user.Lookup(sudoUser); err == nil { - exclude_paths[usr.HomeDir] = true - } - } - - if path != "/" { - path = strings.TrimSuffix(path, "/") - } - if exclude_paths[path] { - return errors.Errorf("SELinux relabeling of %s is not allowed", path) - } - - if shared { - c, err := selinux.NewContext(fileLabel) - if err != nil { - return err - } - - c["level"] = "s0" - fileLabel = c.Get() - } - if err := selinux.Chcon(path, fileLabel, true); err != nil { - return err - } - return nil -} - -// DisableSecOpt returns a security opt that can disable labeling -// support for future container processes -// Deprecated: use selinux.DisableSecOpt -var DisableSecOpt = selinux.DisableSecOpt - -// Validate checks that the label does not include unexpected options -func Validate(label string) error { - if strings.Contains(label, "z") && strings.Contains(label, "Z") { - return ErrIncompatibleLabel - } - return nil -} - -// RelabelNeeded checks whether the user requested a relabel -func RelabelNeeded(label string) bool { - return strings.Contains(label, "z") || strings.Contains(label, "Z") -} - -// IsShared checks that the label includes a "shared" mark -func IsShared(label string) bool { - return strings.Contains(label, "z") -} 
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go index a7d2d5e342..02d206239c 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go @@ -1,4 +1,4 @@ -// +build !selinux !linux +// +build !linux package label diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go index 904f5b04f4..5bfcc04902 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go @@ -1,5 +1,3 @@ -// +build selinux,linux - package selinux import ( diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go index e4b65c9e2c..70b7b7c851 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go @@ -1,4 +1,4 @@ -// +build !selinux !linux +// +build !linux package selinux diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go deleted file mode 100644 index 2365b4bdac..0000000000 --- a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go +++ /dev/null 
@@ -1,40 +0,0 @@
-// +build selinux,linux
-
-package selinux
-
-import (
- "golang.org/x/sys/unix"
-)
-
-// lgetxattr returns a []byte slice containing the value of
-// an extended attribute attr set for path.
-func lgetxattr(path, attr string) ([]byte, error) {
- // Start with a 128 length byte array
- dest := make([]byte, 128)
- sz, errno := doLgetxattr(path, attr, dest)
- for errno == unix.ERANGE {
- // Buffer too small, use zero-sized buffer to get the actual size
- sz, errno = doLgetxattr(path, attr, []byte{})
- if errno != nil {
- return nil, errno
- }
-
- dest = make([]byte, sz)
- sz, errno = doLgetxattr(path, attr, dest)
- }
- if errno != nil {
- return nil, errno
- }
-
- return dest[:sz], nil
-}
-
-// doLgetxattr is a wrapper that retries on EINTR
-func doLgetxattr(path, attr string, dest []byte) (int, error) {
- for {
- sz, err := unix.Lgetxattr(path, attr, dest)
- if err != unix.EINTR {
- return sz, err
- }
- }
-}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
new file mode 100644
index 0000000000..117c255be2
--- /dev/null
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
@@ -0,0 +1,38 @@
+package selinux
+
+import (
+ "golang.org/x/sys/unix"
+)
+
+// lgetxattr returns a []byte slice containing the value of
+// an extended attribute attr set for path.
+func lgetxattr(path, attr string) ([]byte, error) {
+ // Start with a 128 length byte array
+ dest := make([]byte, 128)
+ sz, errno := doLgetxattr(path, attr, dest)
+ for errno == unix.ERANGE {
+ // Buffer too small, use zero-sized buffer to get the actual size
+ sz, errno = doLgetxattr(path, attr, []byte{})
+ if errno != nil {
+ return nil, errno
+ }
+
+ dest = make([]byte, sz)
+ sz, errno = doLgetxattr(path, attr, dest)
+ }
+ if errno != nil {
+ return nil, errno
+ }
+
+ return dest[:sz], nil
+}
+
+// doLgetxattr is a wrapper that retries on EINTR
+func doLgetxattr(path, attr string, dest []byte) (int, error) {
+ for {
+ sz, err := unix.Lgetxattr(path, attr, dest)
+ if err != unix.EINTR {
+ return sz, err
+ }
+ }
+}
--
cgit v1.2.1