Merge pull request #2031 from lifubang/selinux
Add selinux validate in runc exec
commit
029124da7a
2
exec.go
2
exec.go
|
@ -224,5 +224,5 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
|
|||
}
|
||||
p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
|
||||
}
|
||||
return p, nil
|
||||
return p, validateProcessSpec(p)
|
||||
}
|
||||
|
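Review bot: `return p, validateProcessSpec(p)` hands the caller a fully populated *specs.Process together with a possibly non-nil error, which breaks the (T, error) convention that T is meaningless on failure and invites a caller that drops the error to keep using p. A guard clause makes the failure path explicit and returns nil for the process, so a mistake at the call site surfaces as a nil dereference rather than silently running with an unvalidated spec. getProcess begins outside the hunk; only its tail is visible here.
```go
	if err := validateProcessSpec(p); err != nil {
		return nil, err
	}
	return p, nil
}
```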
|
|
@ -17,6 +17,7 @@ import (
|
|||
"github.com/opencontainers/runc/libcontainer/specconv"
|
||||
"github.com/opencontainers/runc/libcontainer/utils"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
selinux "github.com/opencontainers/selinux/go-selinux"
|
||||
|
||||
"github.com/coreos/go-systemd/activation"
|
||||
"github.com/pkg/errors"
|
||||
|
@ -387,6 +388,9 @@ func validateProcessSpec(spec *specs.Process) error {
|
|||
if len(spec.Args) == 0 {
|
||||
return fmt.Errorf("args must not be empty")
|
||||
}
|
||||
if spec.SelinuxLabel != "" && !selinux.GetEnabled() {
|
||||
return fmt.Errorf("selinux label is specified in config, but selinux is disabled or not supported")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
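Review bot: The new error text says the label is "specified in config", but with this commit validateProcessSpec is also reached from the exec path (the getProcess hunk above), where the label is presumably taken from the process spec or the exec flags rather than config.json, so the message can send an operator to the wrong file; `return fmt.Errorf("selinux label %q is specified in the process spec, but selinux is disabled or not supported", spec.SelinuxLabel)` names the actual input and the offending value. Both Errorf calls in this hunk take a constant format string with no arguments, where `errors.New` is the idiom (the file already imports an errors package). The check only establishes that SELinux is enabled; it does not validate the label's form, so a header comment such as `// validateProcessSpec rejects specs that cannot be honoured at all (no args, or an SELinux label on a host without SELinux); label syntax is left to the point where it is applied.` would tell the next reader what this guard does and does not cover. The import hunk above, which only adds the go-selinux import, needs no change.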
|