mirror of
https://github.com/containers/podman.git
synced 2025-12-02 11:08:36 +08:00
vendor: update c/{common,buildah} to main
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit is contained in:
Paul Holzinger
41
vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
generated
vendored
41
vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
generated
vendored
@@ -45,7 +45,7 @@ type selinuxState struct {
|
||||
|
||||
type level struct {
|
||||
cats *big.Int
|
||||
sens uint
|
||||
sens int
|
||||
}
|
||||
|
||||
type mlsRange struct {
|
||||
@@ -138,6 +138,7 @@ func verifySELinuxfsMount(mnt string) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
//#nosec G115 -- there is no overflow here.
|
||||
if uint32(buf.Type) != uint32(unix.SELINUX_MAGIC) {
|
||||
return false
|
||||
}
|
||||
@@ -501,14 +502,14 @@ func catsToBitset(cats string) (*big.Int, error) {
|
||||
return nil, err
|
||||
}
|
||||
for i := catstart; i <= catend; i++ {
|
||||
bitset.SetBit(bitset, int(i), 1)
|
||||
bitset.SetBit(bitset, i, 1)
|
||||
}
|
||||
} else {
|
||||
cat, err := parseLevelItem(ranges[0], category)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
bitset.SetBit(bitset, int(cat), 1)
|
||||
bitset.SetBit(bitset, cat, 1)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -516,16 +517,17 @@ func catsToBitset(cats string) (*big.Int, error) {
|
||||
}
|
||||
|
||||
// parseLevelItem parses and verifies that a sensitivity or category are valid
|
||||
func parseLevelItem(s string, sep levelItem) (uint, error) {
|
||||
func parseLevelItem(s string, sep levelItem) (int, error) {
|
||||
if len(s) < minSensLen || levelItem(s[0]) != sep {
|
||||
return 0, ErrLevelSyntax
|
||||
}
|
||||
val, err := strconv.ParseUint(s[1:], 10, 32)
|
||||
const bitSize = 31 // Make sure the result fits into signed int32.
|
||||
val, err := strconv.ParseUint(s[1:], 10, bitSize)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
|
||||
return uint(val), nil
|
||||
return int(val), nil
|
||||
}
|
||||
|
||||
// parseLevel fills a level from a string that contains
|
||||
@@ -582,7 +584,8 @@ func bitsetToStr(c *big.Int) string {
|
||||
var str string
|
||||
|
||||
length := 0
|
||||
for i := int(c.TrailingZeroBits()); i < c.BitLen(); i++ {
|
||||
i0 := int(c.TrailingZeroBits()) //#nosec G115 -- don't expect TralingZeroBits to return values with highest bit set.
|
||||
for i := i0; i < c.BitLen(); i++ {
|
||||
if c.Bit(i) == 0 {
|
||||
continue
|
||||
}
|
||||
@@ -622,7 +625,7 @@ func (l *level) equal(l2 *level) bool {
|
||||
|
||||
// String returns an mlsRange as a string.
|
||||
func (m mlsRange) String() string {
|
||||
low := "s" + strconv.Itoa(int(m.low.sens))
|
||||
low := "s" + strconv.Itoa(m.low.sens)
|
||||
if m.low.cats != nil && m.low.cats.BitLen() > 0 {
|
||||
low += ":" + bitsetToStr(m.low.cats)
|
||||
}
|
||||
@@ -631,7 +634,7 @@ func (m mlsRange) String() string {
|
||||
return low
|
||||
}
|
||||
|
||||
high := "s" + strconv.Itoa(int(m.high.sens))
|
||||
high := "s" + strconv.Itoa(m.high.sens)
|
||||
if m.high.cats != nil && m.high.cats.BitLen() > 0 {
|
||||
high += ":" + bitsetToStr(m.high.cats)
|
||||
}
|
||||
@@ -639,15 +642,16 @@ func (m mlsRange) String() string {
|
||||
return low + "-" + high
|
||||
}
|
||||
|
||||
// TODO: remove min and max once Go < 1.21 is not supported.
|
||||
func max(a, b uint) uint {
|
||||
// TODO: remove these in favor of built-in min/max
|
||||
// once we stop supporting Go < 1.21.
|
||||
func maxInt(a, b int) int {
|
||||
if a > b {
|
||||
return a
|
||||
}
|
||||
return b
|
||||
}
|
||||
|
||||
func min(a, b uint) uint {
|
||||
func minInt(a, b int) int {
|
||||
if a < b {
|
||||
return a
|
||||
}
|
||||
@@ -676,10 +680,10 @@ func calculateGlbLub(sourceRange, targetRange string) (string, error) {
|
||||
outrange := &mlsRange{low: &level{}, high: &level{}}
|
||||
|
||||
/* take the greatest of the low */
|
||||
outrange.low.sens = max(s.low.sens, t.low.sens)
|
||||
outrange.low.sens = maxInt(s.low.sens, t.low.sens)
|
||||
|
||||
/* take the least of the high */
|
||||
outrange.high.sens = min(s.high.sens, t.high.sens)
|
||||
outrange.high.sens = minInt(s.high.sens, t.high.sens)
|
||||
|
||||
/* find the intersecting categories */
|
||||
if s.low.cats != nil && t.low.cats != nil {
|
||||
@@ -731,6 +735,9 @@ func setKeyLabel(label string) error {
|
||||
if label == "" && errors.Is(err, os.ErrPermission) {
|
||||
return nil
|
||||
}
|
||||
if errors.Is(err, unix.EACCES) && unix.Getuid() != unix.Gettid() {
|
||||
return ErrNotTGLeader
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -809,8 +816,7 @@ func enforceMode() int {
|
||||
// setEnforceMode sets the current SELinux mode Enforcing, Permissive.
|
||||
// Disabled is not valid, since this needs to be set at boot time.
|
||||
func setEnforceMode(mode int) error {
|
||||
//nolint:gosec // ignore G306: permissions to be 0600 or less.
|
||||
return os.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0o644)
|
||||
return os.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0)
|
||||
}
|
||||
|
||||
// defaultEnforceMode returns the systems default SELinux mode Enforcing,
|
||||
@@ -1017,8 +1023,7 @@ func addMcs(processLabel, fileLabel string) (string, string) {
|
||||
|
||||
// securityCheckContext validates that the SELinux label is understood by the kernel
|
||||
func securityCheckContext(val string) error {
|
||||
//nolint:gosec // ignore G306: permissions to be 0600 or less.
|
||||
return os.WriteFile(filepath.Join(getSelinuxMountPoint(), "context"), []byte(val), 0o644)
|
||||
return os.WriteFile(filepath.Join(getSelinuxMountPoint(), "context"), []byte(val), 0)
|
||||
}
|
||||
|
||||
// copyLevel returns a label with the MLS/MCS level from src label replaced on
|
||||
|
||||
Reference in New Issue
Block a user