Skip to content

Commit

Permalink
proposed fix
Browse files Browse the repository at this point in the history 
Signed-off-by: Kir Kolyshkin <[email protected]>
  • Loading branch information
@kolyshkin
kolyshkin committed Oct 10, 2023
1 parent 34e12ee commit 650a51b
Show file tree
Hide file tree
Showing 4 changed files with 80 additions and 0 deletions.
20 changes: 20 additions & 0 deletions libcontainer/container_linux.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,12 +11,14 @@ import (
"path"
"path/filepath"
"reflect"
"runtime"
"strconv"
"strings"
"sync"
"time"

"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
"github.com/sirupsen/logrus"
"github.com/vishvananda/netlink/nl"
"golang.org/x/sys/execabs"
Expand Down Expand Up @@ -512,7 +514,25 @@ func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
} else {
var err error
if isDmzBinarySafe(c.config) {
if label := c.config.ProcessLabel; label != "" {
runtime.LockOSThread()
if err := selinux.SetFSCreateLabel(label); err != nil {
runtime.UnlockOSThread()
return nil, fmt.Errorf("unable to set selinux fs create label: %w", err)
}
}
dmzExe, err = dmz.Binary(c.stateDir)
if label := c.config.ProcessLabel; label != "" {
selinux.SetFSCreateLabel("")

Check failure on line 526 in libcontainer/container_linux.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `selinux.SetFSCreateLabel` is not checked (errcheck)
runtime.UnlockOSThread()
// Check the label is as expected.
if dmzLabel, err2 := selinux.OpenedFileLabel(dmzExe); err2 != nil {
return nil, fmt.Errorf("unable to get dmz file label: %w", err)
} else if dmzLabel != label {
return nil, fmt.Errorf("runc-dmz file label mismatch: want %q, got %q", label, dmzLabel)
}
}

if err == nil {
// We can use our own executable without cloning if we are using
// runc-dmz.
Expand Down
7 changes: 7 additions & 0 deletions vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

18 changes: 18 additions & 0 deletions vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

35 changes: 35 additions & 0 deletions vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 650a51b

Please sign in to comment.