Need to setup labeling of kernel keyrings.

mirror of https://github.com/opencontainers/runc.git synced 2025-10-05 23:46:57 +08:00

Work is ongoing in the kernel to support different kernel
keyrings per user namespace.  We want to allow SELinux to manage
kernel keyrings inside of the container.

Currently when runc creates the kernel keyring it gets the label which runc is
running with ususally `container_runtime_t`, with this change the kernel keyring
will be labeled with the container process label container_t:s0:C1,c2.

Container running as container_t:s0:c1,c2 can manage keyrings with the same label.

This change required a revendoring or the SELinux go bindings.

github.com/opencontainers/selinux.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

This commit is contained in:

Daniel J Walsh

2019-03-12 16:54:48 -04:00

parent 2b18fe1d88

commit cd96170c10

9 changed files with 629 additions and 110 deletions

									
										2

vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go
									
										generated
									
										vendored
									
												View File
												
				@@ -1,4 +1,4 @@

				// +build linux

				// +build selinux,linux

				package selinux

Need to setup labeling of kernel keyrings.

2 vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go generated vendored Unescape Escape View File

2

vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go generated vendored

View File