-
Notifications
You must be signed in to change notification settings - Fork 18.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This patch adds SELinux labeling support.
docker will run the process(es) within the container with an SELinux label and will label all of the content within the container with mount label. Any temporary file systems created within the container need to be mounted with the same mount label. The user can override the process label by specifying -Z With a string of space separated options. -Z "user=unconfined_u role=unconfined_r type=unconfined_t level=s0" Would cause the process label to run with unconfined_u:unconfined_r:unconfined_t:s0" By default the processes will run execute within the container as svirt_lxc_net_t. All of the content in the container as svirt_sandbox_file_t. The process mcs level is based of the PID of the docker process that is creating the container. If you run the container in --priv mode, the labeling will be disabled. Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
- Loading branch information
Showing
26 changed files
with
700 additions
and
72 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
// +build !selinux !linux | ||
|
||
package label | ||
|
||
func GenLabels(options string) (string, string, error) { | ||
return "", "", nil | ||
} | ||
|
||
func FormatMountLabel(src string, MountLabel string) string { | ||
return src | ||
} | ||
|
||
func SetProcessLabel(processLabel string) error { | ||
return nil | ||
} | ||
|
||
func SetFileLabel(path string, fileLabel string) error { | ||
return nil | ||
} | ||
|
||
func GetPidCon(pid int) (string, error) { | ||
return "", nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
// +build selinux,linux | ||
|
||
package label | ||
|
||
import ( | ||
"fmt" | ||
"github.com/dotcloud/docker/pkg/selinux" | ||
"strings" | ||
) | ||
|
||
func GenLabels(options string) (string, string, error) { | ||
processLabel, mountLabel := selinux.GetLxcContexts() | ||
var err error | ||
if processLabel == "" { // SELinux is disabled | ||
return "", "", err | ||
} | ||
s := strings.Fields(options) | ||
l := len(s) | ||
if l > 0 { | ||
pcon := selinux.NewContext(processLabel) | ||
for i := 0; i < l; i++ { | ||
o := strings.Split(s[i], "=") | ||
pcon[o[0]] = o[1] | ||
} | ||
processLabel = pcon.Get() | ||
mountLabel, err = selinux.CopyLevel(processLabel, mountLabel) | ||
} | ||
return processLabel, mountLabel, err | ||
} | ||
|
||
func FormatMountLabel(src string, MountLabel string) string { | ||
var mountLabel string | ||
if src != "" { | ||
mountLabel = src | ||
if MountLabel != "" { | ||
mountLabel = fmt.Sprintf("%s,context=\"%s\"", mountLabel, MountLabel) | ||
} | ||
} else { | ||
if MountLabel != "" { | ||
mountLabel = fmt.Sprintf("context=\"%s\"", MountLabel) | ||
} | ||
} | ||
return mountLabel | ||
} | ||
|
||
func SetProcessLabel(processLabel string) error { | ||
if selinux.SelinuxEnabled() { | ||
return selinux.Setexeccon(processLabel) | ||
} | ||
return nil | ||
} | ||
|
||
func GetProcessLabel() (string, error) { | ||
if selinux.SelinuxEnabled() { | ||
return selinux.Getexeccon() | ||
} | ||
return "", nil | ||
} | ||
|
||
func SetFileLabel(path string, fileLabel string) error { | ||
if selinux.SelinuxEnabled() && fileLabel != "" { | ||
return selinux.Setfilecon(path, fileLabel) | ||
} | ||
return nil | ||
} | ||
|
||
func GetPidCon(pid int) (string, error) { | ||
return selinux.Getpidcon(pid) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.