Merge pull request containerd#1534 from crosbymichael/selinux-range

Update selinux pkg and allow category range to be set in config
crosbymichael · Jul 23, 2020 · 8448b92 · 8448b92
2 parents 0443a13 + 5f5d954
commit 8448b92
Show file tree

Hide file tree

Showing 25 changed files with 2,027 additions and 335 deletions.
diff --git a/docs/config.md b/docs/config.md
@@ -35,6 +35,10 @@ version = 2
   # enable_selinux indicates to enable the selinux support.
   enable_selinux = false
 
+  # selinux_category_range allows the upper bound on the category range to be set.
+  # if not specified or set to 0, defaults to 1024 from the selinux package.
+  selinux_category_range = 1024
+
   # sandbox_image is the image used by sandbox container.
   sandbox_image = "k8s.gcr.io/pause:3.2"
 

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -198,6 +198,9 @@ type PluginConfig struct {
 	StreamIdleTimeout string `toml:"stream_idle_timeout" json:"streamIdleTimeout"`
 	// EnableSelinux indicates to enable the selinux support.
 	EnableSelinux bool `toml:"enable_selinux" json:"enableSelinux"`
+	// SelinuxCategoryRange allows the upper bound on the category range to be set.
+	// If not specified or set to 0, defaults to 1024 from the selinux package.
+	SelinuxCategoryRange int `toml:"selinux_category_range" json:"selinuxCategoryRange"`
 	// SandboxImage is the image used by sandbox container.
 	SandboxImage string `toml:"sandbox_image" json:"sandboxImage"`
 	// StatsCollectPeriod is the period (in seconds) of snapshots stats collection.

diff --git a/pkg/config/config_unix.go b/pkg/config/config_unix.go
@@ -44,12 +44,13 @@ func DefaultConfig() PluginConfig {
 				},
 			},
 		},
-		DisableTCPService:   true,
-		StreamServerAddress: "127.0.0.1",
-		StreamServerPort:    "0",
-		StreamIdleTimeout:   streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
-		EnableSelinux:       false,
-		EnableTLSStreaming:  false,
+		DisableTCPService:    true,
+		StreamServerAddress:  "127.0.0.1",
+		StreamServerPort:     "0",
+		StreamIdleTimeout:    streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
+		EnableSelinux:        false,
+		SelinuxCategoryRange: 1024,
+		EnableTLSStreaming:   false,
 		X509KeyPairStreaming: X509KeyPairStreaming{
 			TLSKeyFile:  "",
 			TLSCertFile: "",

diff --git a/pkg/server/service_unix.go b/pkg/server/service_unix.go
@@ -44,6 +44,9 @@ func (c *criService) initPlatform() error {
 		if !selinux.GetEnabled() {
 			logrus.Warn("Selinux is not supported")
 		}
+		if r := c.config.SelinuxCategoryRange; r > 0 {
+			selinux.CategoryRange = uint32(r)
+		}
 	} else {
 		selinux.SetDisabled()
 	}

diff --git a/vendor.conf b/vendor.conf
@@ -1,7 +1,8 @@
 # cri dependencies
 github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f
-github.com/opencontainers/selinux                   v1.5.1
+github.com/opencontainers/selinux                   v1.6.0
 github.com/tchap/go-patricia                        v2.2.6
+github.com/willf/bitset                             d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg
 
 # containerd dependencies
 github.com/beorn7/perks                             v1.0.1

diff --git a/vendor/github.com/opencontainers/selinux/README.md b/vendor/github.com/opencontainers/selinux/README.md
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/doc.go b/vendor/github.com/opencontainers/selinux/go-selinux/doc.go
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go