Merge pull request #247 from rhatdan/selinux

Add new interfaces for label/selinux
This commit is contained in:
Mrunal Patel 2014-10-29 13:48:49 -07:00
commit d3eb885553
4 changed files with 92 additions and 3 deletions

View File

@ -43,3 +43,15 @@ func ReserveLabel(label string) error {
func UnreserveLabel(label string) error { func UnreserveLabel(label string) error {
return nil return nil
} }
// DupSecOpt takes an process label and returns security options that
// can be used to set duplicate labels on future container processes
func DupSecOpt(src string) []string {
return nil
}
// DisableSecOpt returns a security opt that can disable labeling
// support for future container processes
func DisableSecOpt() []string {
return nil
}

View File

@ -17,7 +17,6 @@ func InitLabels(options []string) (string, string, error) {
if !selinux.SelinuxEnabled() { if !selinux.SelinuxEnabled() {
return "", "", nil return "", "", nil
} }
var err error
processLabel, mountLabel := selinux.GetLxcContexts() processLabel, mountLabel := selinux.GetLxcContexts()
if processLabel != "" { if processLabel != "" {
pcon := selinux.NewContext(processLabel) pcon := selinux.NewContext(processLabel)
@ -38,7 +37,7 @@ func InitLabels(options []string) (string, string, error) {
processLabel = pcon.Get() processLabel = pcon.Get()
mountLabel = mcon.Get() mountLabel = mcon.Get()
} }
return processLabel, mountLabel, err return processLabel, mountLabel, nil
} }
// DEPRECATED: The GenLabels function is only to be used during the transition to the official API. // DEPRECATED: The GenLabels function is only to be used during the transition to the official API.
@ -130,3 +129,15 @@ func UnreserveLabel(label string) error {
selinux.FreeLxcContexts(label) selinux.FreeLxcContexts(label)
return nil return nil
} }
// DupSecOpt takes an process label and returns security options that
// can be used to set duplicate labels on future container processes
func DupSecOpt(src string) []string {
return selinux.DupSecOpt(src)
}
// DisableSecOpt returns a security opt that can disable labeling
// support for future container processes
func DisableSecOpt() []string {
return selinux.DisableSecOpt()
}

View File

@ -3,6 +3,7 @@
package label package label
import ( import (
"strings"
"testing" "testing"
"github.com/docker/libcontainer/selinux" "github.com/docker/libcontainer/selinux"
@ -33,7 +34,7 @@ func TestInit(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
if plabel != "user_u:user_r:user_t:s0:c1,c15" || mlabel != "user_u:object_r:svirt_sandbox_file_t:s0:c1,c15" { if plabel != "user_u:user_r:user_t:s0:c1,c15" || mlabel != "user_u:object_r:svirt_sandbox_file_t:s0:c1,c15" {
t.Log("InitLabels User Failed") t.Log("InitLabels User Match Failed")
t.Log(plabel, mlabel) t.Log(plabel, mlabel)
t.Fatal(err) t.Fatal(err)
} }
@ -46,3 +47,43 @@ func TestInit(t *testing.T) {
} }
} }
} }
func TestDuplicateLabel(t *testing.T) {
secopt := DupSecOpt("system_u:system_r:svirt_lxc_net_t:s0:c1,c2")
t.Log(secopt)
for _, opt := range secopt {
con := strings.SplitN(opt, ":", 3)
if len(con) != 3 || con[0] != "label" {
t.Errorf("Invalid DupSecOpt return value")
continue
}
if con[1] == "user" {
if con[2] != "system_u" {
t.Errorf("DupSecOpt Failed user incorrect")
}
continue
}
if con[1] == "role" {
if con[2] != "system_r" {
t.Errorf("DupSecOpt Failed role incorrect")
}
continue
}
if con[1] == "type" {
if con[2] != "svirt_lxc_net_t" {
t.Errorf("DupSecOpt Failed type incorrect")
}
continue
}
if con[1] == "level" {
if con[2] != "s0:c1,c2" {
t.Errorf("DupSecOpt Failed level incorrect")
}
continue
}
t.Errorf("DupSecOpt Failed invalid field %q", con[1])
}
secopt = DisableSecOpt()
if secopt[0] != "label:disable" {
t.Errorf("DisableSecOpt Failed level incorrect")
}
}

View File

@ -434,3 +434,28 @@ func Chcon(fpath string, scon string, recurse bool) error {
return Setfilecon(fpath, scon) return Setfilecon(fpath, scon)
} }
// DupSecOpt takes an SELinux process label and returns security options that
// can will set the SELinux Type and Level for future container processes
func DupSecOpt(src string) []string {
if src == "" {
return nil
}
con := NewContext(src)
if con["user"] == "" ||
con["role"] == "" ||
con["type"] == "" ||
con["level"] == "" {
return nil
}
return []string{"label:user:" + con["user"],
"label:role:" + con["role"],
"label:type:" + con["type"],
"label:level:" + con["level"]}
}
// DisableSecOpt returns a security opt that can be used to disabling SELinux
// labeling support for future container processes
func DisableSecOpt() []string {
return []string{"label:disable"}
}