35e3b4
From 9aef50441511f0e9954d31d5ae84429040032e7c Mon Sep 17 00:00:00 2001
35e3b4
From: Aleksa Sarai <asarai@suse.de>
35e3b4
Date: Mon, 30 Sep 2019 00:35:33 +1000
35e3b4
Subject: [PATCH] vendor: update github.com/opencontainers/selinux
35e3b4
35e3b4
This is a bump to v1.3.0, plus the necessary CVE-2019-16884 mitigation.
35e3b4
35e3b4
Signed-off-by: Aleksa Sarai <asarai@suse.de>
35e3b4
---
35e3b4
 vendor.conf                                   |  2 +-
35e3b4
 .../selinux/go-selinux/label/label_selinux.go | 18 ++++++----
35e3b4
 .../selinux/go-selinux/selinux_linux.go       | 33 +++++++++++++++++++
35e3b4
 .../selinux/go-selinux/selinux_stub.go        | 13 ++++++++
35e3b4
 4 files changed, 58 insertions(+), 8 deletions(-)
35e3b4
35e3b4
diff --git a/vendor.conf b/vendor.conf
35e3b4
index e3f8e6d7e..a29764cd7 100644
35e3b4
--- a/vendor.conf
35e3b4
+++ b/vendor.conf
35e3b4
@@ -5,7 +5,7 @@
35e3b4
 # Core libcontainer functionality.
35e3b4
 github.com/checkpoint-restore/go-criu v3.11
35e3b4
 github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
35e3b4
-github.com/opencontainers/selinux v1.2.2
35e3b4
+github.com/opencontainers/selinux       5215b1806f52b1fcc2070a8826c542c9d33cd3cf # v1.3.0 (+ CVE-2019-16884)
35e3b4
 github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
35e3b4
 github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac
35e3b4
 github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
35e3b4
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
35e3b4
index 1eb9a6bf2..2730fcf4a 100644
35e3b4
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
35e3b4
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
35e3b4
@@ -13,11 +13,12 @@ import (
35e3b4
 
35e3b4
 // Valid Label Options
35e3b4
 var validOptions = map[string]bool{
35e3b4
-	"disable": true,
35e3b4
-	"type":    true,
35e3b4
-	"user":    true,
35e3b4
-	"role":    true,
35e3b4
-	"level":   true,
35e3b4
+	"disable":  true,
35e3b4
+	"type":     true,
35e3b4
+	"filetype": true,
35e3b4
+	"user":     true,
35e3b4
+	"role":     true,
35e3b4
+	"level":    true,
35e3b4
 }
35e3b4
 
35e3b4
 var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together")
35e3b4
@@ -51,13 +52,16 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
35e3b4
 				return "", mountLabel, nil
35e3b4
 			}
35e3b4
 			if i := strings.Index(opt, ":"); i == -1 {
35e3b4
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
35e3b4
+				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
35e3b4
 			}
35e3b4
 			con := strings.SplitN(opt, ":", 2)
35e3b4
 			if !validOptions[con[0]] {
35e3b4
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
35e3b4
+				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
35e3b4
 
35e3b4
 			}
35e3b4
+			if con[0] == "filetype" {
35e3b4
+				mcon["type"] = con[1]
35e3b4
+			}
35e3b4
 			pcon[con[0]] = con[1]
35e3b4
 			if con[0] == "level" || con[0] == "user" {
35e3b4
 				mcon[con[0]] = con[1]
35e3b4
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
35e3b4
index d7786c33c..8cdf1b054 100644
35e3b4
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
35e3b4
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
35e3b4
@@ -18,6 +18,8 @@ import (
35e3b4
 	"strings"
35e3b4
 	"sync"
35e3b4
 	"syscall"
35e3b4
+
35e3b4
+	"golang.org/x/sys/unix"
35e3b4
 )
35e3b4
 
35e3b4
 const (
35e3b4
@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string {
35e3b4
 	return filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
35e3b4
 }
35e3b4
 
35e3b4
+func isProcHandle(fh *os.File) (bool, error) {
35e3b4
+	var buf unix.Statfs_t
35e3b4
+	err := unix.Fstatfs(int(fh.Fd()), &buf)
35e3b4
+	return buf.Type == unix.PROC_SUPER_MAGIC, err
35e3b4
+}
35e3b4
+
35e3b4
 func readCon(fpath string) (string, error) {
35e3b4
 	if fpath == "" {
35e3b4
 		return "", ErrEmptyPath
35e3b4
@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) {
35e3b4
 	}
35e3b4
 	defer in.Close()
35e3b4
 
35e3b4
+	if ok, err := isProcHandle(in); err != nil {
35e3b4
+		return "", err
35e3b4
+	} else if !ok {
35e3b4
+		return "", fmt.Errorf("%s not on procfs", fpath)
35e3b4
+	}
35e3b4
+
35e3b4
 	var retval string
35e3b4
 	if _, err := fmt.Fscanf(in, "%s", &retval); err != nil {
35e3b4
 		return "", err
35e3b4
@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error {
35e3b4
 	}
35e3b4
 	defer out.Close()
35e3b4
 
35e3b4
+	if ok, err := isProcHandle(out); err != nil {
35e3b4
+		return err
35e3b4
+	} else if !ok {
35e3b4
+		return fmt.Errorf("%s not on procfs", fpath)
35e3b4
+	}
35e3b4
+
35e3b4
 	if val != "" {
35e3b4
 		_, err = out.Write([]byte(val))
35e3b4
 	} else {
35e3b4
@@ -392,6 +412,14 @@ func SetExecLabel(label string) error {
35e3b4
 	return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label)
35e3b4
 }
35e3b4
 
35e3b4
+/*
35e3b4
+SetTaskLabel sets the SELinux label for the current thread, or an error.
35e3b4
+This requires the dyntransition permission.
35e3b4
+*/
35e3b4
+func SetTaskLabel(label string) error {
35e3b4
+	return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()), label)
35e3b4
+}
35e3b4
+
35e3b4
 // SetSocketLabel takes a process label and tells the kernel to assign the
35e3b4
 // label to the next socket that gets created
35e3b4
 func SetSocketLabel(label string) error {
35e3b4
@@ -403,6 +431,11 @@ func SocketLabel() (string, error) {
35e3b4
 	return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
35e3b4
 }
35e3b4
 
35e3b4
+// PeerLabel retrieves the label of the client on the other side of a socket
35e3b4
+func PeerLabel(fd uintptr) (string, error) {
35e3b4
+	return unix.GetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERSEC)
35e3b4
+}
35e3b4
+
35e3b4
 // SetKeyLabel takes a process label and tells the kernel to assign the
35e3b4
 // label to the next kernel keyring that gets created
35e3b4
 func SetKeyLabel(label string) error {
35e3b4
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
35e3b4
index 79b005d19..0c2e1cd38 100644
35e3b4
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
35e3b4
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
35e3b4
@@ -96,6 +96,14 @@ func SetExecLabel(label string) error {
35e3b4
 	return nil
35e3b4
 }
35e3b4
 
35e3b4
+/*
35e3b4
+SetTaskLabel sets the SELinux label for the current thread, or an error.
35e3b4
+This requires the dyntransition permission.
35e3b4
+*/
35e3b4
+func SetTaskLabel(label string) error {
35e3b4
+        return nil
35e3b4
+}
35e3b4
+
35e3b4
 /*
35e3b4
 SetSocketLabel sets the SELinux label that the kernel will use for any programs
35e3b4
 that are executed by the current process thread, or an error.
35e3b4
@@ -109,6 +117,11 @@ func SocketLabel() (string, error) {
35e3b4
 	return "", nil
35e3b4
 }
35e3b4
 
35e3b4
+// PeerLabel retrieves the label of the client on the other side of a socket
35e3b4
+func PeerLabel(fd uintptr) (string, error) {
35e3b4
+	return "", nil
35e3b4
+}
35e3b4
+
35e3b4
 // SetKeyLabel takes a process label and tells the kernel to assign the
35e3b4
 // label to the next kernel keyring that gets created
35e3b4
 func SetKeyLabel(label string) error {