Need to setup labeling of kernel keyrings.

Work is ongoing in the kernel to support different kernel
keyrings per user namespace.  We want to allow SELinux to manage
kernel keyrings inside of the container.

Currently, when runc creates the kernel keyring it gets the label runc itself is
running with, usually `container_runtime_t`. With this change the kernel keyring
will be labeled with the container process label, e.g. container_t:s0:c1,c2.

A container running as container_t:s0:c1,c2 can then manage keyrings with the same label.

This change required a revendoring of the SELinux Go bindings,

github.com/opencontainers/selinux.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh
2019-03-12 16:54:48 -04:00
parent 2b18fe1d88
commit cd96170c10
9 changed files with 629 additions and 110 deletions


@@ -9,7 +9,7 @@ func InitLabels(options []string) (string, string, error) {
return "", "", nil
}
func GetROMountLabel() string {
func ROMountLabel() string {
return ""
}
@@ -25,7 +25,27 @@ func SetProcessLabel(processLabel string) error {
return nil
}
func GetFileLabel(path string) (string, error) {
func ProcessLabel() (string, error) {
return "", nil
}
func SetSocketLabel(processLabel string) error {
return nil
}
func SocketLabel() (string, error) {
return "", nil
}
func SetKeyLabel(processLabel string) error {
return nil
}
func KeyLabel() (string, error) {
return "", nil
}
func FileLabel(path string) (string, error) {
return "", nil
}
@@ -41,13 +61,18 @@ func Relabel(path string, fileLabel string, shared bool) error {
return nil
}
func GetPidLabel(pid int) (string, error) {
func PidLabel(pid int) (string, error) {
return "", nil
}
func Init() {
}
// ClearLabels clears all reserved labels
func ClearLabels() {
return
}
func ReserveLabel(label string) error {
return nil
}
@@ -58,8 +83,8 @@ func ReleaseLabel(label string) error {
// DupSecOpt takes a process label and returns security options that
// can be used to set duplicate labels on future container processes
func DupSecOpt(src string) []string {
return nil
func DupSecOpt(src string) ([]string, error) {
return nil, nil
}
// DisableSecOpt returns a security opt that can disable labeling