mirror of
https://github.com/opencontainers/runc.git
synced 2025-10-05 15:37:02 +08:00
cd96170c10
Work is ongoing in the kernel to support different kernel keyrings per user namespace. We want to allow SELinux to manage kernel keyrings inside of the container. Currently when runc creates the kernel keyring it gets the label which runc is running with ususally `container_runtime_t`, with this change the kernel keyring will be labeled with the container process label container_t:s0:C1,c2. Container running as container_t:s0:c1,c2 can manage keyrings with the same label. This change required a revendoring or the SELinux go bindings. github.com/opencontainers/selinux. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
110 lines
2.1 KiB
Go
110 lines
2.1 KiB
Go
// +build !selinux !linux
|
|
|
|
package label
|
|
|
|
// InitLabels returns the process label and file labels to be used within
|
|
// the container. A list of options can be passed into this function to alter
|
|
// the labels.
|
|
func InitLabels(options []string) (string, string, error) {
|
|
return "", "", nil
|
|
}
|
|
|
|
func ROMountLabel() string {
|
|
return ""
|
|
}
|
|
|
|
func GenLabels(options string) (string, string, error) {
|
|
return "", "", nil
|
|
}
|
|
|
|
func FormatMountLabel(src string, mountLabel string) string {
|
|
return src
|
|
}
|
|
|
|
func SetProcessLabel(processLabel string) error {
|
|
return nil
|
|
}
|
|
|
|
func ProcessLabel() (string, error) {
|
|
return "", nil
|
|
}
|
|
|
|
func SetSocketLabel(processLabel string) error {
|
|
return nil
|
|
}
|
|
|
|
func SocketLabel() (string, error) {
|
|
return "", nil
|
|
}
|
|
|
|
func SetKeyLabel(processLabel string) error {
|
|
return nil
|
|
}
|
|
|
|
func KeyLabel() (string, error) {
|
|
return "", nil
|
|
}
|
|
|
|
func FileLabel(path string) (string, error) {
|
|
return "", nil
|
|
}
|
|
|
|
func SetFileLabel(path string, fileLabel string) error {
|
|
return nil
|
|
}
|
|
|
|
func SetFileCreateLabel(fileLabel string) error {
|
|
return nil
|
|
}
|
|
|
|
func Relabel(path string, fileLabel string, shared bool) error {
|
|
return nil
|
|
}
|
|
|
|
func PidLabel(pid int) (string, error) {
|
|
return "", nil
|
|
}
|
|
|
|
func Init() {
|
|
}
|
|
|
|
// ClearLabels clears all reserved labels
|
|
func ClearLabels() {
|
|
return
|
|
}
|
|
|
|
func ReserveLabel(label string) error {
|
|
return nil
|
|
}
|
|
|
|
func ReleaseLabel(label string) error {
|
|
return nil
|
|
}
|
|
|
|
// DupSecOpt takes a process label and returns security options that
|
|
// can be used to set duplicate labels on future container processes
|
|
func DupSecOpt(src string) ([]string, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
// DisableSecOpt returns a security opt that can disable labeling
|
|
// support for future container processes
|
|
func DisableSecOpt() []string {
|
|
return nil
|
|
}
|
|
|
|
// Validate checks that the label does not include unexpected options
|
|
func Validate(label string) error {
|
|
return nil
|
|
}
|
|
|
|
// RelabelNeeded checks whether the user requested a relabel
|
|
func RelabelNeeded(label string) bool {
|
|
return false
|
|
}
|
|
|
|
// IsShared checks that the label includes a "shared" mark
|
|
func IsShared(label string) bool {
|
|
return false
|
|
}
|