add selinux label for runc exec

Signed-off-by: lifubang <lifubang@acmcoder.com>
lifubang 2019-04-03 12:08:06 +08:00
parent da2021132b
commit 3e6688f5c9
2 changed files with 5 additions and 1 deletions


@ -224,5 +224,5 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
} }
p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid)) p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
} }
return p, nil return p, validateProcessSpec(p)
} }
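Review bot: The new return `return p, validateProcessSpec(p)` hands the caller a fully populated *specs.Process together with a non-nil error, so a caller that checks only the process pointer (or logs the error and continues) would still run an exec whose spec just failed validation. The Go convention for a (T, error) result is to return the zero value on error, which also makes the validation failure impossible to ignore by accident: `if err := validateProcessSpec(p); err != nil { return nil, err }` followed by `return p, nil`. getProcess starts before this hunk, so I cannot see whether the process built from the `-p`/process-file path and the one built from command-line flags both reach this single return; if either path returns earlier, it would bypass the new check and deserves the same call.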


@ -17,6 +17,7 @@ import (
"github.com/opencontainers/runc/libcontainer/specconv" "github.com/opencontainers/runc/libcontainer/specconv"
"github.com/opencontainers/runc/libcontainer/utils" "github.com/opencontainers/runc/libcontainer/utils"
"github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-spec/specs-go"
selinux "github.com/opencontainers/selinux/go-selinux"
"github.com/coreos/go-systemd/activation" "github.com/coreos/go-systemd/activation"
"github.com/pkg/errors" "github.com/pkg/errors"
@ -387,6 +388,9 @@ func validateProcessSpec(spec *specs.Process) error {
if len(spec.Args) == 0 { if len(spec.Args) == 0 {
return fmt.Errorf("args must not be empty") return fmt.Errorf("args must not be empty")
} }
if spec.SelinuxLabel != "" && !selinux.GetEnabled() {
return fmt.Errorf("selinux label is specified in config, but selinux is disabled or not supported")
}
return nil return nil
} }
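Review bot: The new guard in validateProcessSpec only establishes that SELinux is enabled when a label is present; it does not validate the label value itself, and nothing in this hunk documents where (if anywhere) the requested exec label is checked against the container's own process label, so a reader may assume this function is the complete check. If that enforcement is left to the SELinux policy, a comment saying so, e.g. `// Only checks that a label can be applied at all; whether the label is permitted is left to the SELinux policy.`, would prevent the function from being taken as a full validation. The wording "specified in config" is also slightly off for the exec path, where the process spec is assembled by getProcess rather than read from config.json; `"selinux label is specified for the process, but selinux is disabled or not supported"` would be accurate for both callers. Since the message has no format verbs, `errors.New` (or the already-imported pkg/errors) is the idiomatic choice over `fmt.Errorf`, though the existing "args must not be empty" line sets the same precedent. validateProcessSpec's signature and opening lines sit outside this hunk, so a doc comment on the function cannot be placed from here.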