
Commit 8448b92

Merge pull request containerd#1534 from crosbymichael/selinux-range
Update selinux pkg and allow category range to be set in config
2 parents 0443a13 + 5f5d954 commit 8448b92


25 files changed

+2027
-335
lines changed


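--- a/docs/config.md
+++ b/docs/config.md
@@ -35,6 +35,10 @@ version = 2
 # enable_selinux indicates to enable the selinux support.
 enable_selinux = false
 
+# selinux_category_range allows the upper bound on the category range to be set.
+# if not specified or set to 0, defaults to 1024 from the selinux package.
+selinux_category_range = 1024
+
 # sandbox_image is the image used by sandbox container.
 sandbox_image = "k8s.gcr.io/pause:3.2"
 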
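--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -198,6 +198,9 @@ type PluginConfig struct {
 StreamIdleTimeout string `toml:"stream_idle_timeout" json:"streamIdleTimeout"`
 // EnableSelinux indicates to enable the selinux support.
 EnableSelinux bool `toml:"enable_selinux" json:"enableSelinux"`
+// SelinuxCategoryRange allows the upper bound on the category range to be set.
+// If not specified or set to 0, defaults to 1024 from the selinux package.
+SelinuxCategoryRange int `toml:"selinux_category_range" json:"selinuxCategoryRange"`
 // SandboxImage is the image used by sandbox container.
 SandboxImage string `toml:"sandbox_image" json:"sandboxImage"`
 // StatsCollectPeriod is the period (in seconds) of snapshots stats collection.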

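--- a/pkg/config/config_unix.go
+++ b/pkg/config/config_unix.go
@@ -44,12 +44,13 @@ func DefaultConfig() PluginConfig {
 },
 },
 },
-DisableTCPService: true,
-StreamServerAddress: "127.0.0.1",
-StreamServerPort: "0",
-StreamIdleTimeout: streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
-EnableSelinux: false,
-EnableTLSStreaming: false,
+DisableTCPService: true,
+StreamServerAddress: "127.0.0.1",
+StreamServerPort: "0",
+StreamIdleTimeout: streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
+EnableSelinux: false,
+SelinuxCategoryRange: 1024,
+EnableTLSStreaming: false,
 X509KeyPairStreaming: X509KeyPairStreaming{
 TLSKeyFile: "",
 TLSCertFile: "",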

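--- a/pkg/server/service_unix.go
+++ b/pkg/server/service_unix.go
@@ -44,6 +44,9 @@ func (c *criService) initPlatform() error {
 if !selinux.GetEnabled() {
 logrus.Warn("Selinux is not supported")
 }
+if r := c.config.SelinuxCategoryRange; r > 0 {
+selinux.CategoryRange = uint32(r)
+}
 } else {
 selinux.SetDisabled()
 }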

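--- a/vendor.conf
+++ b/vendor.conf
@@ -1,7 +1,8 @@
 # cri dependencies
 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f
-github.com/opencontainers/selinux v1.5.1
+github.com/opencontainers/selinux v1.6.0
 github.com/tchap/go-patricia v2.2.6
+github.com/willf/bitset d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg
 
 # containerd dependencies
 github.com/beorn7/perks v1.0.1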
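Review bot: The new github.com/willf/bitset entry is pinned to a bare commit hash with the comment `1.1.10+`, while the neighbouring selinux and go-patricia entries are pinned to release tags; a hash with a "+" annotation cannot be checked against a release on its own, so either pin the tag that go-selinux v1.6.0 itself declares for bitset, e.g. `github.com/willf/bitset v1.1.10 # used by selinux pkg` if that tag suffices, or state in the comment which post-1.1.10 change this commit is needed for. Worth confirming the hash matches the version go-selinux was tested against, since an untracked newer commit of a transitive dependency is exactly the drift a pinned vendor.conf exists to prevent.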

vendor/github.com/opencontainers/selinux/README.md

Lines changed: 5 additions & 1 deletion

vendor/github.com/opencontainers/selinux/go-selinux/doc.go

Lines changed: 21 additions & 0 deletions

vendor/github.com/opencontainers/selinux/go-selinux/label/label.go

Lines changed: 21 additions & 1 deletion

vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go

Lines changed: 9 additions & 23 deletions

vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go

Lines changed: 0 additions & 5 deletions
