From 9aef50441511f0e9954d31d5ae84429040032e7c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 30 Sep 2019 00:35:33 +1000
Subject: [PATCH] vendor: update github.com/opencontainers/selinux
This is a bump to v1.3.0, plus the necessary CVE-2019-16884 mitigation.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
vendor.conf | 2 +-
.../selinux/go-selinux/label/label_selinux.go | 18 ++++++----
.../selinux/go-selinux/selinux_linux.go | 33 +++++++++++++++++++
.../selinux/go-selinux/selinux_stub.go | 13 ++++++++
4 files changed, 58 insertions(+), 8 deletions(-)
diff --git a/vendor.conf b/vendor.conf
|
|
|
35e3b4 |
index e3f8e6d7e..a29764cd7 100644
|
|
|
35e3b4 |
--- a/vendor.conf
|
|
|
35e3b4 |
+++ b/vendor.conf
|
|
|
35e3b4 |
@@ -5,7 +5,7 @@
|
|
|
35e3b4 |
# Core libcontainer functionality.
|
|
|
35e3b4 |
github.com/checkpoint-restore/go-criu v3.11
|
|
|
35e3b4 |
github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
|
|
|
35e3b4 |
-github.com/opencontainers/selinux v1.2.2
|
|
|
35e3b4 |
+github.com/opencontainers/selinux 5215b1806f52b1fcc2070a8826c542c9d33cd3cf # v1.3.0 (+ CVE-2019-16884)
|
|
|
35e3b4 |
github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
|
|
|
35e3b4 |
github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac
|
|
|
35e3b4 |
github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
|
|
|
35e3b4 |
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
|
|
|
35e3b4 |
index 1eb9a6bf2..2730fcf4a 100644
|
|
|
35e3b4 |
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
|
|
|
35e3b4 |
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
|
|
|
35e3b4 |
@@ -13,11 +13,12 @@ import (
|
|
|
35e3b4 |
|
|
|
35e3b4 |
// Valid Label Options
|
|
|
35e3b4 |
var validOptions = map[string]bool{
|
|
|
35e3b4 |
- "disable": true,
|
|
|
35e3b4 |
- "type": true,
|
|
|
35e3b4 |
- "user": true,
|
|
|
35e3b4 |
- "role": true,
|
|
|
35e3b4 |
- "level": true,
|
|
|
35e3b4 |
+ "disable": true,
|
|
|
35e3b4 |
+ "type": true,
|
|
|
35e3b4 |
+ "filetype": true,
|
|
|
35e3b4 |
+ "user": true,
|
|
|
35e3b4 |
+ "role": true,
|
|
|
35e3b4 |
+ "level": true,
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
|
|
|
35e3b4 |
var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together")
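Review bot: The `// Valid Label Options` comment above the map does not say what the newly listed `filetype` key does, and nothing in the table distinguishes it from `type`. From the InitLabels hunk below (`mcon["type"] = con[1]`) it appears to set the type of the mount (file) context only, while `type` sets the process type; a line such as `// "filetype" sets the type of the mount (file) label only; "type" sets the process type.` would make the option table self-explaining. Confirm that reading against the rest of InitLabels, which is outside the hunk, before wording it.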
|
|
|
35e3b4 |
@@ -51,13 +52,16 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
|
|
|
35e3b4 |
return "", mountLabel, nil
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
if i := strings.Index(opt, ":"); i == -1 {
|
|
|
35e3b4 |
- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
|
|
|
35e3b4 |
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
con := strings.SplitN(opt, ":", 2)
|
|
|
35e3b4 |
if !validOptions[con[0]] {
|
|
|
35e3b4 |
- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
|
|
|
35e3b4 |
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
|
|
|
35e3b4 |
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
+ if con[0] == "filetype" {
|
|
|
35e3b4 |
+ mcon["type"] = con[1]
|
|
|
35e3b4 |
+ }
|
|
|
35e3b4 |
pcon[con[0]] = con[1]
|
|
|
35e3b4 |
if con[0] == "level" || con[0] == "user" {
|
|
|
35e3b4 |
mcon[con[0]] = con[1]
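Review bot: After a `filetype` option is copied into `mcon["type"]`, the loop falls through to `pcon[con[0]] = con[1]`, so the process context map also receives a `filetype` key that no process label field corresponds to. Whether that is harmless depends on how pcon is rendered later (outside this hunk): if unknown keys are ignored it is only noise, but if the map is ever iterated or validated the stray key leaks into the process label. A `continue` directly after the assignment, `mcon["type"] = con[1]` then `continue`, keeps filetype out of pcon and states the intent. InitLabels continues outside the hunk.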
|
|
|
35e3b4 |
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
|
|
|
35e3b4 |
index d7786c33c..8cdf1b054 100644
|
|
|
35e3b4 |
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
|
|
|
35e3b4 |
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
|
|
|
35e3b4 |
@@ -18,6 +18,8 @@ import (
|
|
|
35e3b4 |
"strings"
|
|
|
35e3b4 |
"sync"
|
|
|
35e3b4 |
"syscall"
|
|
|
35e3b4 |
+
|
|
|
35e3b4 |
+ "golang.org/x/sys/unix"
|
|
|
35e3b4 |
)
|
|
|
35e3b4 |
|
|
|
35e3b4 |
const (
|
|
|
35e3b4 |
@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string {
|
|
|
35e3b4 |
return filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
|
|
|
35e3b4 |
+func isProcHandle(fh *os.File) (bool, error) {
|
|
|
35e3b4 |
+ var buf unix.Statfs_t
|
|
|
35e3b4 |
+ err := unix.Fstatfs(int(fh.Fd()), &buf)
|
|
|
35e3b4 |
+ return buf.Type == unix.PROC_SUPER_MAGIC, err
|
|
|
35e3b4 |
+}
|
|
|
35e3b4 |
+
|
|
|
35e3b4 |
func readCon(fpath string) (string, error) {
|
|
|
35e3b4 |
if fpath == "" {
|
|
|
35e3b4 |
return "", ErrEmptyPath
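Review bot: `isProcHandle` has no doc comment, and its single return reports `buf.Type == unix.PROC_SUPER_MAGIC` even when `Fstatfs` failed, leaving it to callers to test err before trusting the bool. Prefer the early return `if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil { return false, err }` followed by `return buf.Type == unix.PROC_SUPER_MAGIC, nil`. Add a comment recording why the check is on the descriptor and not the path, e.g. `// isProcHandle reports whether fh is open on procfs. It inspects the already-open descriptor rather than the path so that a mount placed over the expected /proc file cannot redirect the read or write (CVE-2019-16884).` readCon continues outside the hunk.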
|
|
|
35e3b4 |
@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) {
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
defer in.Close()
|
|
|
35e3b4 |
|
|
|
35e3b4 |
+ if ok, err := isProcHandle(in); err != nil {
|
|
|
35e3b4 |
+ return "", err
|
|
|
35e3b4 |
+ } else if !ok {
|
|
|
35e3b4 |
+ return "", fmt.Errorf("%s not on procfs", fpath)
|
|
|
35e3b4 |
+ }
|
|
|
35e3b4 |
+
|
|
|
35e3b4 |
var retval string
|
|
|
35e3b4 |
if _, err := fmt.Fscanf(in, "%s", &retval); err != nil {
|
|
|
35e3b4 |
return "", err
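Review bot: The new error `fmt.Errorf("%s not on procfs", fpath)` formats the path with `%s`; `%q` shows an empty or whitespace-containing path unambiguously in logs: `return "", fmt.Errorf("%q not on procfs", fpath)`. The same message appears in the writeCon hunk below and should change with it. Performing the check on the already-open handle `in` is the right order — re-checking the path instead would reopen the race the fix closes — and a one-line comment saying so would keep a later refactor from moving it. readCon continues outside the hunk.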
|
|
|
35e3b4 |
@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error {
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
defer out.Close()
|
|
|
35e3b4 |
|
|
|
35e3b4 |
+ if ok, err := isProcHandle(out); err != nil {
|
|
|
35e3b4 |
+ return err
|
|
|
35e3b4 |
+ } else if !ok {
|
|
|
35e3b4 |
+ return fmt.Errorf("%s not on procfs", fpath)
|
|
|
35e3b4 |
+ }
|
|
|
35e3b4 |
+
|
|
|
35e3b4 |
if val != "" {
|
|
|
35e3b4 |
_, err = out.Write([]byte(val))
|
|
|
35e3b4 |
} else {
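Review bot: The procfs check runs only after `out` has been opened, and the OpenFile call that decides the open flags sits above the hunk; if that open carries O_TRUNC or O_CREATE, a non-procfs target would already be truncated or created before `isProcHandle` rejects it. Confirm the flags are write-only with no truncation, and put a comment on the check such as `// Check the open descriptor, not the path: the path can be redirected by a mount, the descriptor cannot.` so the ordering is understood as deliberate. writeCon begins and ends outside the hunk.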
|
|
|
35e3b4 |
@@ -392,6 +412,14 @@ func SetExecLabel(label string) error {
|
|
|
35e3b4 |
return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label)
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
|
|
|
35e3b4 |
+/*
|
|
|
35e3b4 |
+SetTaskLabel sets the SELinux label for the current thread, or an error.
|
|
|
35e3b4 |
+This requires the dyntransition permission.
|
|
|
35e3b4 |
+*/
|
|
|
35e3b4 |
+func SetTaskLabel(label string) error {
|
|
|
35e3b4 |
+ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()), label)
|
|
|
35e3b4 |
+}
|
|
|
35e3b4 |
+
|
|
|
35e3b4 |
// SetSocketLabel takes a process label and tells the kernel to assign the
|
|
|
35e3b4 |
// label to the next socket that gets created
|
|
|
35e3b4 |
func SetSocketLabel(label string) error {
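Review bot: SetTaskLabel writes `/proc/self/task/<tid>/attr/current` with the tid from `syscall.Gettid()`, so the label is applied to whichever OS thread the goroutine is on at that moment, and nothing in the doc comment tells the caller this. The block comment should add `The caller must hold runtime.LockOSThread() for the call and for as long as the label is relied on, since the label is applied to the calling OS thread only.`; without that lock the labelled thread can be handed to an unrelated goroutine. SetExecLabel above uses the same per-thread path but is not part of this change.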
|
|
|
35e3b4 |
@@ -403,6 +431,11 @@ func SocketLabel() (string, error) {
|
|
|
35e3b4 |
return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
|
|
|
35e3b4 |
+// PeerLabel retrieves the label of the client on the other side of a socket
|
|
|
35e3b4 |
+func PeerLabel(fd uintptr) (string, error) {
|
|
|
35e3b4 |
+ return unix.GetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERSEC)
|
|
|
35e3b4 |
+}
|
|
|
35e3b4 |
+
|
|
|
35e3b4 |
// SetKeyLabel takes a process label and tells the kernel to assign the
|
|
|
35e3b4 |
// label to the next kernel keyring that gets created
|
|
|
35e3b4 |
func SetKeyLabel(label string) error {
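Review bot: The PeerLabel doc comment says it returns the label of the "client", but SO_PEERSEC returns the security context of whichever peer is connected, on either end of the connection. Reword to `// PeerLabel retrieves the SELinux label of the peer connected to socket fd; it is only meaningful on a connected socket (typically a Unix-domain stream socket).` and end it with a period as the other doc comments in the file do. Whether the kernel's response is NUL-terminated for every socket type is not visible here, so confirm that GetsockoptString's trimming matches what SO_PEERSEC returns before relying on exact string comparisons.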
|
|
|
35e3b4 |
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
|
|
|
35e3b4 |
index 79b005d19..0c2e1cd38 100644
|
|
|
35e3b4 |
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
|
|
|
35e3b4 |
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
|
|
|
35e3b4 |
@@ -96,6 +96,14 @@ func SetExecLabel(label string) error {
|
|
|
35e3b4 |
return nil
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
|
|
|
35e3b4 |
+/*
|
|
|
35e3b4 |
+SetTaskLabel sets the SELinux label for the current thread, or an error.
|
|
|
35e3b4 |
+This requires the dyntransition permission.
|
|
|
35e3b4 |
+*/
|
|
|
35e3b4 |
+func SetTaskLabel(label string) error {
|
|
|
35e3b4 |
+ return nil
|
|
|
35e3b4 |
+}
|
|
|
35e3b4 |
+
|
|
|
35e3b4 |
/*
|
|
|
35e3b4 |
SetSocketLabel sets the SELinux label that the kernel will use for any programs
|
|
|
35e3b4 |
that are executed by the current process thread, or an error.
|
|
|
35e3b4 |
@@ -109,6 +117,11 @@ func SocketLabel() (string, error) {
|
|
|
35e3b4 |
return "", nil
|
|
|
35e3b4 |
}
|
|
|
35e3b4 |
|
|
|
35e3b4 |
+// PeerLabel retrieves the label of the client on the other side of a socket
|
|
|
35e3b4 |
+func PeerLabel(fd uintptr) (string, error) {
|
|
|
35e3b4 |
+ return "", nil
|
|
|
35e3b4 |
+}
|
|
|
35e3b4 |
+
|
|
|
35e3b4 |
// SetKeyLabel takes a process label and tells the kernel to assign the
|
|
|
35e3b4 |
// label to the next kernel keyring that gets created
|
|
|
35e3b4 |
func SetKeyLabel(label string) error {
|