add selinux deps

Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com> Signed-off-by: Zhou Hao <zhouhao@cn.fujitsu.com>
opencontainers · Jan 23, 2019 · cce1a4a · cce1a4a
1 parent 555c03d
commit cce1a4a
Show file tree

Hide file tree

Showing 10 changed files with 1,649 additions and 104 deletions.
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/cmd/runtimetest/main.go b/cmd/runtimetest/main.go
@@ -1197,15 +1197,22 @@ func (c *complianceTester) validatePosixMounts(spec *rspec.Spec) error {
 	return mountErrs
 }
 
-func validateMountLabel(spec *rspec.Spec) error {
+func (c *complianceTester) validateMountLabel(spec *rspec.Spec) error {
+	if spec.Linux == nil || spec.Linux.MountLabel == "" {
+		c.harness.Skip(1, "linux.mountlabel not set")
+		return nil
+	}
+
 	for _, mount := range spec.Mounts {
-		fileLabel, err := label.GetFileLabel(mount.Destination)
+		fileLabel, err := label.FileLabel(mount.Destination)
 		if err != nil {
 			return fmt.Errorf("Failed to get mountLabel of %v", mount.Destination)
 		}
-		if fileLabel != spec.Linux.MountLabel {
-			return fmt.Errorf("Expected mountLabel %v, actual %v", spec.Linux.MountLabel, fileLabel)
-		}
+		c.harness.Ok(spec.Linux.MountLabel == fileLabel, "hase expected mountlabel")
+		c.harness.YAML(map[string]string{
+			"expected": spec.Linux.MountLabel,
+			"actual":   fileLabel,
+		})
 	}
 
 	return nil
@@ -1230,98 +1237,6 @@ func run(context *cli.Context) error {
 		return err
 	}
 
-	defaultValidations := []validation{
-		{
-			test:        validateRootFS,
-			description: "root filesystem",
-		},
-		{
-			test:        validateHostname,
-			description: "hostname",
-		},
-		{
-			test:        validateProcess,
-			description: "process",
-		},
-	}
-
-	posixValidations := []validation{
-		{
-			test:        validatePosixMounts,
-			description: "mounts",
-		},
-		{
-			test:        validatePosixUser,
-			description: "user",
-		},
-		{
-			test:        validateRlimits,
-			description: "rlimits",
-		},
-	}
-
-	linuxValidations := []validation{
-		{
-			test:        validateCapabilities,
-			description: "capabilities",
-		},
-		{
-			test:        validateDefaultSymlinks,
-			description: "default symlinks",
-		},
-		{
-			test:        validateDefaultFS,
-			description: "default file system",
-		},
-		{
-			test:        validateDefaultDevices,
-			description: "default devices",
-		},
-		{
-			test:        validateLinuxDevices,
-			description: "linux devices",
-		},
-		{
-			test:        validateLinuxProcess,
-			description: "linux process",
-		},
-		{
-			test:        validateMaskedPaths,
-			description: "masked paths",
-		},
-		{
-			test:        validateOOMScoreAdj,
-			description: "oom score adj",
-		},
-		{
-			test:        validateROPaths,
-			description: "read only paths",
-		},
-		{
-			test:        validateRootfsPropagation,
-			description: "rootfs propagation",
-		},
-		{
-			test:        validateSysctls,
-			description: "sysctls",
-		},
-		{
-			test:        validateUIDMappings,
-			description: "uid mappings",
-		},
-		{
-			test:        validateGIDMappings,
-			description: "gid mappings",
-		},
-		{
-			test:        validateMountLabel,
-			description: "mountLabel",
-		},
-	}
-
-	t := tap.New()
-	t.Header(0)
-
 	complianceLevelString := context.String("compliance-level")
 	complianceLevel, err := rfc2119.ParseLevel(complianceLevelString)
 	if err != nil {
@@ -1363,6 +1278,7 @@ func run(context *cli.Context) error {
 		c.validateSysctls,
 		c.validateUIDMappings,
 		c.validateGIDMappings,
+		c.validateMountLabel,
 	}
 
 	validations := defaultValidations

diff --git a/validate/validate.go b/validate/validate.go
@@ -20,7 +20,6 @@ import (
 	"github.com/hashicorp/go-multierror"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
-	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 	"github.com/syndtr/gocapability/capability"
 
@@ -685,12 +684,6 @@ func (v *Validator) CheckAnnotations() (errs error) {
 		}
 	}
 
-	if v.spec.Linux.MountLabel != "" {
-		if err := label.Validate(v.spec.Linux.MountLabel); err != nil {
-			msgs = append(msgs, "mountLabel %v is invalid", v.spec.Linux.MountLabel)
-		}
-	}
-
 	return
 }
 

diff --git a/validate/validate_linux.go b/validate/validate_linux.go
@@ -16,6 +16,7 @@ import (
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
 	"github.com/opencontainers/runtime-tools/specerror"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 )
 
@@ -226,5 +227,11 @@ func (v *Validator) CheckLinux() (errs error) {
 		}
 	}
 
+	if v.spec.Linux.MountLabel != "" {
+		if err := label.Validate(v.spec.Linux.MountLabel); err != nil {
+			errs = multierror.Append(errs, fmt.Errorf("mountLabel %v is invalid", v.spec.Linux.MountLabel))
+		}
+	}
+
 	return
 }
diff --git a/vendor/github.com/opencontainers/selinux/LICENSE b/vendor/github.com/opencontainers/selinux/LICENSE