Vendor in latest containers/storage opencontainers/selinux

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-06-18 15:39:08 +08:00 · 2018-10-18 14:48:41 -04:00
parent 9a6a64f78c
commit 57b0b89d0c
20 changed files with 271 additions and 53 deletions
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
@ -48,6 +48,11 @@ func GetPidLabel(pid int) (string, error) {
 func Init() {
 }

+// ClearLabels clears all reserved labels
+func ClearLabels() {
+	return
+}
+
 func ReserveLabel(label string) error {
 	return nil
 }
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@ -24,17 +24,22 @@ var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be use
 // the container.  A list of options can be passed into this function to alter
 // the labels.  The labels returned will include a random MCS String, that is
 // guaranteed to be unique.
-func InitLabels(options []string) (string, string, error) {
+func InitLabels(options []string) (plabel string, mlabel string, Err error) {
 	if !selinux.GetEnabled() {
 		return "", "", nil
 	}
 	processLabel, mountLabel := selinux.ContainerLabels()
 	if processLabel != "" {
+		defer func() {
+			if Err != nil {
+				ReleaseLabel(mountLabel)
+			}
+		}()
 		pcon := selinux.NewContext(processLabel)
 		mcon := selinux.NewContext(mountLabel)
 		for _, opt := range options {
 			if opt == "disable" {
-				return "", "", nil
+				return "", mountLabel, nil
 			}
 			if i := strings.Index(opt, ":"); i == -1 {
 				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
@ -156,6 +161,11 @@ func Init() {
 	selinux.GetEnabled()
 }

+// ClearLabels will clear all reserved labels
+func ClearLabels() {
+	selinux.ClearLabels()
+}
+
 // ReserveLabel will record the fact that the MCS label has already been used.
 // This will prevent InitLabels from using the MCS label in a newly created
 // container
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@ -409,6 +409,13 @@ func NewContext(label string) Context {
 	return c
 }

+// ClearLabels clears all reserved labels
+func ClearLabels() {
+	state.Lock()
+	state.mcsList = make(map[string]bool)
+	state.Unlock()
+}
+
 // ReserveLabel reserves the MLS/MCS level component of the specified label
 func ReserveLabel(label string) {
 	if len(label) != 0 {
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@ -107,6 +107,11 @@ func NewContext(label string) Context {
 	return c
 }

+// ClearLabels clears all reserved MLS/MCS levels
+func ClearLabels() {
+	return
+}
+
 // ReserveLabel reserves the MLS/MCS level component of the specified label
 func ReserveLabel(label string) {
 	return