Merge pull request #222 from rhatdan/exec

Do not check if SELinux is enabled on lowlevel calls to set processlabel
Michael Crosby 2014-10-13 12:52:01 -07:00
commit 4f409628d8
2 changed files with 6 additions and 18 deletions


@ -67,20 +67,17 @@ func FormatMountLabel(src, mountLabel string) string {
// SetProcessLabel takes a process label and tells the kernel to assign the // SetProcessLabel takes a process label and tells the kernel to assign the
// label to the next program executed by the current process. // label to the next program executed by the current process.
func SetProcessLabel(processLabel string) error { func SetProcessLabel(processLabel string) error {
if selinux.SelinuxEnabled() { if processLabel == "" {
return selinux.Setexeccon(processLabel) return nil
} }
return nil return selinux.Setexeccon(processLabel)
} }
// GetProcessLabel returns the process label that the kernel will assign // GetProcessLabel returns the process label that the kernel will assign
// to the next program executed by the current process. If "" is returned // to the next program executed by the current process. If "" is returned
// this indicates that the default labeling will happen for the process. // this indicates that the default labeling will happen for the process.
func GetProcessLabel() (string, error) { func GetProcessLabel() (string, error) {
if selinux.SelinuxEnabled() { return selinux.Getexeccon()
return selinux.Getexeccon()
}
return "", nil
} }
// SetFileLabel modifies the "path" label to the specified file label // SetFileLabel modifies the "path" label to the specified file label
@ -110,9 +107,6 @@ func Relabel(path string, fileLabel string, relabel string) error {
// GetPidLabel will return the label of the process running with the specified pid // GetPidLabel will return the label of the process running with the specified pid
func GetPidLabel(pid int) (string, error) { func GetPidLabel(pid int) (string, error) {
if !selinux.SelinuxEnabled() {
return "", nil
}
return selinux.Getpidcon(pid) return selinux.Getpidcon(pid)
} }
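Review bot: GetProcessLabel and GetPidLabel now return whatever selinux.Getexeccon and selinux.Getpidcon return even on a host where SELinux is off, and their doc comments do not say so. Before this change both returned `"", nil` there; if the attr read fails on such a kernel (likely, though readCon is not shown on this page), callers that treat any error as fatal will start failing, so the call sites need a pass. SetProcessLabel has the matching change: a non-empty label is now always written, which fails closed instead of silently starting the process unlabeled, and that contract is worth stating. I would add to SetProcessLabel `// An empty label is a no-op; a non-empty label returns an error if the kernel rejects it, including when SELinux is unavailable.` and a corresponding sentence on the two getters.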


@ -173,13 +173,10 @@ func Getpidcon(pid int) (string, error) {
} }
func Getexeccon() (string, error) { func Getexeccon() (string, error) {
return readCon("/proc/self/attr/exec") return readCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()))
} }
func writeCon(name string, val string) error { func writeCon(name string, val string) error {
if !SelinuxEnabled() {
return nil
}
out, err := os.OpenFile(name, os.O_WRONLY, 0) out, err := os.OpenFile(name, os.O_WRONLY, 0)
if err != nil { if err != nil {
return err return err
@ -388,9 +385,6 @@ func SecurityCheckContext(val string) error {
} }
func CopyLevel(src, dest string) (string, error) { func CopyLevel(src, dest string) (string, error) {
if !SelinuxEnabled() {
return "", nil
}
if src == "" { if src == "" {
return "", nil return "", nil
} }
@ -424,7 +418,7 @@ func badPrefix(fpath string) error {
// If the fpath is a directory and recurse is true Chcon will walk the // If the fpath is a directory and recurse is true Chcon will walk the
// directory tree setting the label // directory tree setting the label
func Chcon(fpath string, scon string, recurse bool) error { func Chcon(fpath string, scon string, recurse bool) error {
if !SelinuxEnabled() { if scon == "" {
return nil return nil
} }
if err := badPrefix(fpath); err != nil { if err := badPrefix(fpath); err != nil {
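Review bot: Getexeccon now reads the attr file of the thread returned by syscall.Gettid(), but nothing in the hunk ties the calling goroutine to that OS thread. The Go scheduler can move a goroutine between threads, so unless the caller holds runtime.LockOSThread() across the set, the read and the exec, the label read back may belong to a different thread than the one that was labeled, and the process could start under a label other than the intended one. Setexeccon is outside this hunk, so I cannot confirm it writes the same per-thread path; the two should agree. Getexeccon also has no doc comment; I would add `// Getexeccon returns the exec label of the calling OS thread; callers must hold runtime.LockOSThread() around Setexeccon, Getexeccon and the exec.`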