Merge pull request #682 from q384566678/add-selinux

Add SELinux Check
opencontainers · Feb 18, 2019 · d4ec5b8 · d4ec5b8
2 parents f611b4e + 743b0b3
commit d4ec5b8
Show file tree

Hide file tree

Showing 10 changed files with 1,676 additions and 0 deletions.
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/cmd/runtimetest/main.go b/cmd/runtimetest/main.go
@@ -24,6 +24,7 @@ import (
 	"github.com/opencontainers/runtime-tools/cmd/runtimetest/mount"
 	rfc2119 "github.com/opencontainers/runtime-tools/error"
 	"github.com/opencontainers/runtime-tools/specerror"
+	"github.com/opencontainers/selinux/go-selinux/label"
 
 	"golang.org/x/sys/unix"
 )
@@ -1196,6 +1197,27 @@ func (c *complianceTester) validatePosixMounts(spec *rspec.Spec) error {
 	return mountErrs
 }
 
+func (c *complianceTester) validateMountLabel(spec *rspec.Spec) error {
+	if spec.Linux == nil || spec.Linux.MountLabel == "" {
+		c.harness.Skip(1, "linux.mountlabel not set")
+		return nil
+	}
+
+	for _, mount := range spec.Mounts {
+		fileLabel, err := label.FileLabel(mount.Destination)
+		if err != nil {
+			return fmt.Errorf("Failed to get mountLabel of %v", mount.Destination)
+		}
+		c.harness.Ok(spec.Linux.MountLabel == fileLabel, "has expected mountlabel")
+		c.harness.YAML(map[string]string{
+			"expected": spec.Linux.MountLabel,
+			"actual":   fileLabel,
+		})
+	}
+
+	return nil
+}
+
 func run(context *cli.Context) error {
 	logLevelString := context.String("log-level")
 	logLevel, err := logrus.ParseLevel(logLevelString)
@@ -1256,6 +1278,7 @@ func run(context *cli.Context) error {
 		c.validateSysctls,
 		c.validateUIDMappings,
 		c.validateGIDMappings,
+		c.validateMountLabel,
 	}
 
 	validations := defaultValidations

diff --git a/validate/validate_linux.go b/validate/validate_linux.go
@@ -16,6 +16,7 @@ import (
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
 	"github.com/opencontainers/runtime-tools/specerror"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 )
 
@@ -226,5 +227,11 @@ func (v *Validator) CheckLinux() (errs error) {
 		}
 	}
 
+	if v.spec.Linux.MountLabel != "" {
+		if err := label.Validate(v.spec.Linux.MountLabel); err != nil {
+			errs = multierror.Append(errs, fmt.Errorf("mountLabel %v is invalid", v.spec.Linux.MountLabel))
+		}
+	}
+
 	return
 }
diff --git a/validation/linux_mount_label/linux_mount_label.go b/validation/linux_mount_label/linux_mount_label.go
@@ -0,0 +1,17 @@
+package main
+
+import (
+	"github.com/opencontainers/runtime-tools/validation/util"
+)
+
+func main() {
+	g, err := util.GetDefaultGenerator()
+	if err != nil {
+		util.Fatal(err)
+	}
+	g.SetLinuxMountLabel("system_u:object_r:svirt_sandbox_file_t:s0:c715,c811")
+	err = util.RuntimeInsideValidate(g, nil, nil)
+	if err != nil {
+		util.Fatal(err)
+	}
+}
diff --git a/vendor/github.com/opencontainers/selinux/LICENSE b/vendor/github.com/opencontainers/selinux/LICENSE