Merge pull request #1814 from rhatdan/selinux
SELinux labels are tied to the thread
This commit is contained in:
commit
b1068fb925
|
@ -5,6 +5,7 @@ package libcontainer
|
|||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"runtime"
|
||||
|
||||
"github.com/opencontainers/runc/libcontainer/apparmor"
|
||||
"github.com/opencontainers/runc/libcontainer/keys"
|
||||
|
@ -29,6 +30,9 @@ func (l *linuxSetnsInit) getSessionRingName() string {
|
|||
}
|
||||
|
||||
func (l *linuxSetnsInit) Init() error {
|
||||
runtime.LockOSThread()
|
||||
defer runtime.UnlockOSThread()
|
||||
|
||||
if !l.config.Config.NoNewKeyring {
|
||||
// Do not inherit the parent's session keyring.
|
||||
if _, err := keys.JoinSessionKeyring(l.getSessionRingName()); err != nil {
|
||||
|
@ -54,6 +58,10 @@ func (l *linuxSetnsInit) Init() error {
|
|||
return err
|
||||
}
|
||||
}
|
||||
if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
|
||||
return err
|
||||
}
|
||||
defer label.SetProcessLabel("")
|
||||
// Without NoNewPrivileges seccomp is a privileged operation, so we need to
|
||||
// do this before dropping capabilities; otherwise do it as late as possible
|
||||
// just before execve so as few syscalls take place after it as possible.
|
||||
|
@ -68,9 +76,6 @@ func (l *linuxSetnsInit) Init() error {
|
|||
if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
|
||||
return err
|
||||
}
|
||||
// Set seccomp as close to execve as possible, so as few syscalls take
|
||||
// place afterward (reducing the amount of syscalls that users need to
|
||||
// enable in their seccomp profiles).
|
||||
|
|
|
@ -6,6 +6,7 @@ import (
|
|||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"runtime"
|
||||
"syscall" //only for Exec
|
||||
|
||||
"github.com/opencontainers/runc/libcontainer/apparmor"
|
||||
|
@ -44,6 +45,8 @@ func (l *linuxStandardInit) getSessionRingParams() (string, uint32, uint32) {
|
|||
}
|
||||
|
||||
func (l *linuxStandardInit) Init() error {
|
||||
runtime.LockOSThread()
|
||||
defer runtime.UnlockOSThread()
|
||||
if !l.config.Config.NoNewKeyring {
|
||||
ringname, keepperms, newperms := l.getSessionRingParams()
|
||||
|
||||
|
@ -108,9 +111,6 @@ func (l *linuxStandardInit) Init() error {
|
|||
if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
|
||||
return errors.Wrap(err, "apply apparmor profile")
|
||||
}
|
||||
if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
|
||||
return errors.Wrap(err, "set process label")
|
||||
}
|
||||
|
||||
for key, value := range l.config.Config.Sysctl {
|
||||
if err := writeSystemProperty(key, value); err != nil {
|
||||
|
@ -142,6 +142,10 @@ func (l *linuxStandardInit) Init() error {
|
|||
if err := syncParentReady(l.pipe); err != nil {
|
||||
return errors.Wrap(err, "sync ready")
|
||||
}
|
||||
if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
|
||||
return errors.Wrap(err, "set process label")
|
||||
}
|
||||
defer label.SetProcessLabel("")
|
||||
// Without NoNewPrivileges seccomp is a privileged operation, so we need to
|
||||
// do this before dropping capabilities; otherwise do it as late as possible
|
||||
// just before execve so as few syscalls take place after it as possible.
|
||||
|
|
Loading…
Reference in New Issue