diff -Nru podman-1.0.1/cmd/podman/create.go podman-1.0.1/cmd/podman/create.go
--- podman-1.0.1/cmd/podman/create.go 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/cmd/podman/create.go 2019-01-22 04:25:33.000000000 +0000
@@ -173,7 +173,11 @@
 if err != nil {
 return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
 }
- labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...)
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
 }
 
 if config.IpcMode.IsHost() {
@@ -183,7 +187,11 @@
 if err != nil {
 return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
 }
- labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...)
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
 }
 
 for _, opt := range securityOpts {
diff -Nru podman-1.0.1/commands.md podman-1.0.1/commands.md
--- podman-1.0.1/commands.md 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/commands.md 2019-01-22 04:25:33.000000000 +0000
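Review bot: The wrap message in the new error path carries a stray trailing space inside the quotes, `"failed to duplicate label %q "`, and the identical text is repeated in the IpcMode hunk at @@ -183; both should read `return errors.Wrapf(err, "duplicating SELinux label %q", ctr.ProcessLabel())`, which also drops the redundant "failed to" prefix. Note also that DupSecOpt returns `nil, nil` for a non-empty label whose user, role or type field is missing (see the selinux_linux.go hunk further down), so on that path the new container is created without inheriting the joined container's label and nothing records why; a debug log line when `secopts` comes back empty would make the resulting label traceable. The enclosing function starts and ends outside the hunk.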
@@ -8,9 +8,14 @@
 | [podman-attach(1)](/docs/podman-attach.1.md) | Attach to a running container |[![...](/docs/play.png)](https://asciinema.org/a/XDlocUrHVETFECg4zlO9nBbLf)|
 | [podman-build(1)](/docs/podman-build.1.md) | Build an image using instructions from Dockerfiles ||
 | [podman-commit(1)](/docs/podman-commit.1.md) | Create new image based on the changed container ||
-| [podman-container(1)](/docs/podman-container.1.md) | Manage Containers ||
+| [podman-container(1)](/docs/podman-container.1.md) | Manage Containers ||
+| [podman-container-checkpoint(1)](/docs/podman-container-checkpoint.1.md) | Checkpoints one or more running containers ||
 | [podman-container-cleanup(1)](/docs/podman-container-cleanup.1.md) | Cleanup Container storage and networks ||
+| [podman-container-exists(1)](/docs/podman-container-exists.1.md) | Check if an container exists in local storage ||
+| [podman-container-prune(1)](/docs/podman-container-prune.1.md) | Remove all stopped containers ||
 | [podman-container-refresh(1)](/docs/podman-container-refresh.1.md) | Refresh all containers state in database ||
+| [podman-container-restore(1)](/docs/podman-container-restore.1.md) | Restores one or more running containers ||
+| [podman-container-runlabel(1)](/docs/podman-container-runlabel.1.md) | Execute Image Label Method ||
 | [podman-cp(1)](/docs/podman-cp.1.md) | Instead of providing a `podman cp` command, the man page `podman-cp` describes how to use the `podman mount` command to have even more flexibility and functionality||
 | [podman-create(1)](/docs/podman-create.1.md) | Create a new container ||
 | [podman-diff(1)](/docs/podman-diff.1.md) | Inspect changes on a container or image's filesystem |[![...](/docs/play.png)](https://asciinema.org/a/FXfWB9CKYFwYM4EfqW3NSZy1G)|
@@ -18,7 +23,11 @@
 | [podman-export(1)](/docs/podman-export.1.md) | Export container's filesystem contents as a tar archive |[![...](/docs/play.png)](https://asciinema.org/a/913lBIRAg5hK8asyIhhkQVLtV)|
 | [podman-generate(1)](/docs/podman-generate.1.md) | Generate structured output based on Podman containers and pods | |
 | [podman-history(1)](/docs/podman-history.1.md) | Shows the history of an image |[![...](/docs/play.png)](https://asciinema.org/a/bCvUQJ6DkxInMELZdc5DinNSx)|
-| [podman-image(1)](/docs/podman-image.1.md) | Manage Images||
+| [podman-image(1)](/docs/podman-image.1.md) | Manage Images||
+| [podman-image-exists(1)](/docs/podman-image-exists.1.md) | Check if an image exists in local storage||
+| [podman-image-prune(1)](/docs/podman-image-prune.1.md) | Remove all unused images||
+| [podman-image-sign(1)](/docs/podman-image-sign.1.md) | Create a signature for an image||
+| [podman-image-trust(1)](/docs/podman-image-trust.1.md) | Manage container registry image trust policy||
 | [podman-images(1)](/docs/podman-images.1.md) | List images in local storage |[![...](/docs/play.png)](https://asciinema.org/a/133649)|
 | [podman-import(1)](/docs/podman-import.1.md) | Import a tarball and save it as a filesystem image ||
 | [podman-info(1)](/docs/podman-info.1.md) | Display system information |[![...](/docs/play.png)](https://asciinema.org/a/yKbi5fQ89y5TJ8e1RfJd4ivTD)|
diff -Nru podman-1.0.1/contrib/cirrus/build_vm_images.sh podman-1.0.1/contrib/cirrus/build_vm_images.sh
--- podman-1.0.1/contrib/cirrus/build_vm_images.sh 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/contrib/cirrus/build_vm_images.sh 2019-01-22 04:25:33.000000000 +0000
@@ -23,6 +23,8 @@
 PACKER_BASE $PACKER_BASE
 "
 
+record_timestamp "cache-image build start"
+
 show_env_vars
 
 # Everything here is running on the 'image-builder-image' GCE image
@@ -50,3 +52,5 @@
 SCRIPT_BASE=$SCRIPT_BASE \
 PACKER_BASE=$PACKER_BASE \
 BUILT_IMAGE_SUFFIX=$BUILT_IMAGE_SUFFIX
+
+record_timestamp "cache-image build end"
diff -Nru podman-1.0.1/contrib/cirrus/integration_test.sh podman-1.0.1/contrib/cirrus/integration_test.sh
--- podman-1.0.1/contrib/cirrus/integration_test.sh 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/contrib/cirrus/integration_test.sh 2019-01-22 04:25:33.000000000 +0000
@@ -9,6 +9,8 @@
 OS_RELEASE_VER $OS_RELEASE_VER
 "
 
+record_timestamp "integration test start"
+
 clean_env
 
 set -x
@@ -31,3 +33,5 @@
 ;;
 *) bad_os_id_ver ;;
 esac
+
+record_timestamp "integration test end"
diff -Nru podman-1.0.1/contrib/cirrus/lib.sh podman-1.0.1/contrib/cirrus/lib.sh
--- podman-1.0.1/contrib/cirrus/lib.sh 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/contrib/cirrus/lib.sh 2019-01-22 04:25:33.000000000 +0000
@@ -17,7 +17,7 @@
 CIRRUS_BUILD_ID=${CIRRUS_BUILD_ID:-DEADBEEF} # a human
 CIRRUS_BASE_SHA=${CIRRUS_BASE_SHA:-HEAD}
 CIRRUS_CHANGE_IN_REPO=${CIRRUS_CHANGE_IN_REPO:-FETCH_HEAD}
-START_STAMP_FILEPATH="${START_STAMP_FILEPATH:-/var/tmp/start.timestamp}"
+TIMESTAMPS_FILEPATH="${TIMESTAMPS_FILEPATH:-/var/tmp/timestamps}"
 
 if ! [[ "$PATH" =~ "/usr/local/bin" ]]
 then
@@ -136,11 +136,14 @@
 set -e
 }
 
-start_timestamp() {
- req_env_var "START_STAMP_FILEPATH $START_STAMP_FILEPATH"
- [[ -r "$START_STAMP_FILEPATH" ]] || \
- echo -e ".\nThe time at the tone will be:\n$(date --iso-8601=seconds | \
- tee $START_STAMP_FILEPATH)\nBLEEEEEEEEEEP!\n.\n" # Cirrus strips blank lines from output
+record_timestamp() {
+ set +x # sometimes it's turned on
+ req_env_var "TIMESTAMPS_FILEPATH $TIMESTAMPS_FILEPATH"
+ echo "." # cirrus webui strips blank-lines
+ STAMPMSG="The $1 time at the tone will be:"
+ echo -e "$STAMPMSG\t$(date --iso-8601=seconds)" | \
+ tee -a $TIMESTAMPS_FILEPATH
+ echo -e "BLEEEEEEEEEEP!\n."
 }
 
 # Run sudo in directory with GOPATH set
diff -Nru podman-1.0.1/contrib/cirrus/setup_environment.sh podman-1.0.1/contrib/cirrus/setup_environment.sh
--- podman-1.0.1/contrib/cirrus/setup_environment.sh 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/contrib/cirrus/setup_environment.sh 2019-01-22 04:25:33.000000000 +0000
@@ -4,7 +4,7 @@
 
 source $(dirname $0)/lib.sh
 
-start_timestamp
+record_timestamp "env. setup start"
 
 req_env_var "
 USER $USER
@@ -85,3 +85,5 @@
 # Only testing-VMs need deps installed
 [[ -n "$PACKER_BUILDS" ]] || install_testing_dependencies # must exist in $GOPATH
 fi
+
+record_timestamp "env. setup end"
diff -Nru podman-1.0.1/contrib/cirrus/unit_test.sh podman-1.0.1/contrib/cirrus/unit_test.sh
--- podman-1.0.1/contrib/cirrus/unit_test.sh 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/contrib/cirrus/unit_test.sh 2019-01-22 04:25:33.000000000 +0000
@@ -9,6 +9,8 @@
 OS_RELEASE_VER $OS_RELEASE_VER
 "
 
+record_timestamp "unit test start"
+
 clean_env
 
 set -x
@@ -29,3 +31,5 @@
 ;;
 *) bad_os_id_ver ;;
 esac
+
+record_timestamp "unit test end"
diff -Nru podman-1.0.1/debian/changelog podman-1.0.1/debian/changelog
--- podman-1.0.1/debian/changelog 2019-01-21 04:24:40.000000000 +0000
+++ podman-1.0.1/debian/changelog 2019-01-22 04:25:34.000000000 +0000
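Review bot: `set +x` on the first line of record_timestamp changes the option in the caller's shell, because the function body is not a subshell, so every command after a record_timestamp call runs untraced; this is harmless for the callers in this patch, which enable `set -x` only after the "start" call and make the "end" call their last line, but any future call placed between the two would silently switch tracing off for the rest of the script. Keep the change local with `local -` as the first line of the function (bash 4.4+) or wrap the body in `( set +x; ... )`. `tee -a $TIMESTAMPS_FILEPATH` should quote the expansion, `tee -a "$TIMESTAMPS_FILEPATH"`, so a path with spaces or glob characters is not split. The default `/var/tmp/timestamps` is a fixed filename in a world-writable directory that these scripts append to; on the throwaway CI VMs this is a low risk, but a path under the job's own workspace would avoid relying on it.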
@@ -1,3 +1,9 @@
+podman (1.0.1-1~ubuntu16.04.2~ppa8) xenial; urgency=medium
+
+ * autobuilt ec96987
+
+ -- Lokesh Mandvekar (Bot) Tue, 22 Jan 2019 04:25:34 +0000
+
 podman (1.0.1-1~ubuntu16.04.2~ppa7) xenial; urgency=medium
 
 * autobuilt ef2f6f9
diff -Nru podman-1.0.1/docs/podman-image-trust.1.md podman-1.0.1/docs/podman-image-trust.1.md
--- podman-1.0.1/docs/podman-image-trust.1.md 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/docs/podman-image-trust.1.md 2019-01-22 04:25:33.000000000 +0000
@@ -1,7 +1,7 @@
 % podman-image-trust "1"
 
 # NAME
-podman\-trust - Manage container image trust policy
+podman\-trust - Manage container registry image trust policy
 
 # SYNOPSIS
 
diff -Nru podman-1.0.1/libpod/oci.go podman-1.0.1/libpod/oci.go
--- podman-1.0.1/libpod/oci.go 2019-01-21 04:24:34.000000000 +0000
+++ podman-1.0.1/libpod/oci.go 2019-01-22 04:25:33.000000000 +0000
@@ -356,18 +356,25 @@
 // Set the label of the conmon process to be level :s0
 // This will allow the container processes to talk to fifo-files
 // passed into the container by conmon
- var plabel string
+ var (
+ plabel string
+ con selinux.Context
+ )
 plabel, err = selinux.CurrentLabel()
 if err != nil {
 childPipe.Close()
 return errors.Wrapf(err, "Failed to get current SELinux label")
 }
 
- c := selinux.NewContext(plabel)
+ con, err = selinux.NewContext(plabel)
+ if err != nil {
+ return errors.Wrapf(err, "Failed to get new context from SELinux label")
+ }
+
 runtime.LockOSThread()
- if c["level"] != "s0" && c["level"] != "" {
- c["level"] = "s0"
- if err = label.SetProcessLabel(c.Get()); err != nil {
+ if con["level"] != "s0" && con["level"] != "" {
+ con["level"] = "s0"
+ if err = label.SetProcessLabel(con.Get()); err != nil {
 runtime.UnlockOSThread()
 return err
 }
diff -Nru podman-1.0.1/libpod/runtime.go podman-1.0.1/libpod/runtime.go
--- podman-1.0.1/libpod/runtime.go 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/libpod/runtime.go 2019-01-22 04:25:33.000000000 +0000
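Review bot: The new error return after `selinux.NewContext(plabel)` does not close `childPipe`, while the `selinux.CurrentLabel()` error path three lines above does, so the pipe end held by this process leaks on that branch; the new block should read `childPipe.Close()` followed by `return errors.Wrapf(err, "Failed to get new context from SELinux label")`, matching the preceding path. Whether a later deferred close covers it cannot be seen from the hunk, since the enclosing function starts and ends outside it. Minor: the error strings in this block start with a capital letter, unlike the lowercase convention used in the rest of the patch.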
@@ -824,7 +824,11 @@
 // Take advantage of a command that requires a new userns
 // so that we are running as the root user and able to use refresh()
 cmd := exec.Command(os.Args[0], "info")
- return cmd.Run()
+ err := cmd.Run()
+ if err != nil {
+ return errors.Wrapf(err, "Error running %s info while refreshing state", os.Args[0])
+ }
+ return nil
 }
 
 // Reconfigures the runtime after a reboot
diff -Nru podman-1.0.1/transfer.md podman-1.0.1/transfer.md
--- podman-1.0.1/transfer.md 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/transfer.md 2019-01-22 04:25:33.000000000 +0000
@@ -40,7 +40,7 @@
 | `docker attach` | [`podman exec`](./docs/podman-attach.1.md) |
 | `docker build` | [`podman build`](./docs/podman-build.1.md) |
 | `docker commit` | [`podman commit`](./docs/podman-commit.1.md) |
-| `docker container`|[`podman container`](./docs/podman-container.1.md) |
+| `docker container`|[`podman container`](./docs/podman-container.1.md) |
 | `docker cp` | [`podman mount`](./docs/podman-cp.1.md) **** |
 | `docker create` | [`podman create`](./docs/podman-create.1.md) |
 | `docker diff` | [`podman diff`](./docs/podman-diff.1.md) |
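Review bot: `err := cmd.Run()` followed by a separate `if err != nil` leaves `err` in scope for nothing; the scoped form `if err := cmd.Run(); err != nil {` is the idiom here and removes the extra line. More useful: nothing between `exec.Command(os.Args[0], "info")` and `cmd.Run()` attaches stdout or stderr, so the wrapped error only carries the child's exit status and the reason the re-exec'd `info` failed is lost; `out, err := cmd.CombinedOutput()` with the output included in the message would make a failed state refresh diagnosable from the log. The enclosing function starts outside the hunk.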
@@ -70,7 +70,13 @@
 | `docker top` | [`podman top`](./docs/podman-top.1.md) |
 | `docker unpause` | [`podman unpause`](./docs/podman-unpause.1.md) |
 | `docker version` | [`podman version`](./docs/podman-version.1.md) |
-| `docker wait` | [`podman wait`](./docs/podman-wait.1.md) |
+| `docker volume` | [`podman volume`](./docs/podman-volume.1.md) |
+| `docker volume create` | [`podman volume create`](./docs/podman-volume-create.1.md) |
+| `docker volume inspect`| [`podman volume inspect`](./docs/podman-volume-inspect.1.md)|
+| `docker volume ls` | [`podman volume ls`](./docs/podman-volume-ls.1.md) |
+| `docker volume prune` | [`podman volume prune`](./docs/podman-volume-prune.1.md) |
+| `docker volume rm` | [`podman volume rm`](./docs/podman-volume-rm.1.md) |
+| `docker wait` | [`podman wait`](./docs/podman-wait.1.md) |
 
 **** Use mount to take advantage of the entire linux tool chain rather then just cp. Read [`here`](./docs/podman-cp.1.md) for more information.
 
@@ -83,18 +89,45 @@
 | `docker events` ||
 | `docker network` ||
 | `docker node` ||
-| `docker plugin` |podman does not support plugins. We recommend you use alternative OCI Runtimes or OCI Runtime Hooks to alter behavior of podman.|
+| `docker plugin` | podman does not support plugins. We recommend you use alternative OCI Runtimes or OCI Runtime Hooks to alter behavior of podman.|
 | `docker rename` | podman does not support rename, you need to use `podman rm` and `podman create` to rename a container.|
 | `docker secret` ||
 | `docker service` ||
 | `docker stack` ||
 | `docker swarm` | podman does not support swarm. We support Kubernetes for orchestration using [CRI-O](https://github.com/kubernetes-sigs/cri-o).|
 | `docker system` ||
-| `docker volume` | podman does not support volumes. Volumes should be built on the host operating system and then volume mounted into the containers.|
+| `docker volume` | podman currently supports file volumes. Future enhancement planned to support Docker Volumes Plugins
 
 ## Missing commands in Docker
 
 The following podman commands do not have a Docker equivalent:
 
+* [`podman generate`](./docs/podman-generate.1.md)
+* [`podman generate kube`](./docs/podman-generate-kube.1.md)
+* [`podman container checkpoint`](/docs/podman-container-checkpoint.1.md)
+* [`podman container cleanup`](/docs/podman-container-cleanup.1.md)
+* [`podman container exists`](/docs/podman-container-exists.1.md)
+* [`podman container refresh`](/docs/podman-container-refresh.1.md)
+* [`podman container runlabel`](/docs/podman-container-runlabel.1.md)
+* [`podman container restore`](/docs/podman-container-restore.1.md)
+* [`podman image exists`](./docs/podman-image-exists.1.md)
+* [`podman image sign`](./docs/podman-image-sign.1.md)
+* [`podman image trust`](./docs/podman-image-trust.1.md)
 * [`podman mount`](./docs/podman-mount.1.md)
+* [`podman play`](./docs/podman-play.1.md)
+* [`podman play kube`](./docs/podman-play-kube.1.md)
+* [`podman pod`](./docs/podman-pod.1.md)
+* [`podman pod create`](./docs/podman-pod-create.1.md)
+* [`podman pod exists`](./docs/podman-pod-exists.1.md)
+* [`podman pod inspect`](./docs/podman-pod-inspect.1.md)
+* [`podman pod kill`](./docs/podman-pod-kill.1.md)
+* [`podman pod pause`](./docs/podman-pod-pause.1.md)
+* [`podman pod ps`](./docs/podman-pod-ps.1.md)
+* [`podman pod restart`](./docs/podman-pod-restart.1.md)
+* [`podman pod rm`](./docs/podman-pod-rm.1.md)
+* [`podman pod start`](./docs/podman-pod-start.1.md)
+* [`podman pod stop`](./docs/podman-pod-stop.1.md)
+* [`podman pod top`](./docs/podman-pod-top.1.md)
+* [`podman pod unpause`](./docs/podman-pod-unpause.1.md)
+* [`podman varlink`](./docs/podman-varlink.1.md)
 * [`podman umount`](./docs/podman-umount.1.md)
diff -Nru podman-1.0.1/vendor/github.com/containers/storage/drivers/overlay/overlay.go podman-1.0.1/vendor/github.com/containers/storage/drivers/overlay/overlay.go
--- podman-1.0.1/vendor/github.com/containers/storage/drivers/overlay/overlay.go 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/vendor/github.com/containers/storage/drivers/overlay/overlay.go 2019-01-22 04:25:33.000000000 +0000
@@ -158,6 +158,7 @@
 return nil, err
 }
 
+ var usingMetacopy bool
 var supportsDType bool
 if opts.mountProgram != "" {
 supportsDType = true
@@ -172,18 +173,17 @@
 }
 return nil, errors.Wrap(err, "kernel does not support overlay fs")
 }
- }
-
- usingMetacopy, err := doesMetacopy(home, opts.mountOptions)
- if err == nil {
- if usingMetacopy {
- logrus.Debugf("overlay test mount indicated that metacopy is being used")
+ usingMetacopy, err = doesMetacopy(home, opts.mountOptions)
+ if err == nil {
+ if usingMetacopy {
+ logrus.Debugf("overlay test mount indicated that metacopy is being used")
+ } else {
+ logrus.Debugf("overlay test mount indicated that metacopy is not being used")
+ }
 } else {
- logrus.Debugf("overlay test mount indicated that metacopy is not being used")
+ logrus.Warnf("overlay test mount did not indicate whether or not metacopy is being used: %v", err)
+ return nil, err
 }
- } else {
- logrus.Warnf("overlay test mount did not indicate whether or not metacopy is being used: %v", err)
- return nil, err
 }
 
 if !opts.skipMountHome {
diff -Nru podman-1.0.1/vendor/github.com/containers/storage/vendor.conf podman-1.0.1/vendor/github.com/containers/storage/vendor.conf
--- podman-1.0.1/vendor/github.com/containers/storage/vendor.conf 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/vendor/github.com/containers/storage/vendor.conf 2019-01-22 04:25:33.000000000 +0000
@@ -8,7 +8,7 @@
 github.com/mistifyio/go-zfs c0224de804d438efd11ea6e52ada8014537d6062
 github.com/opencontainers/go-digest master
 github.com/opencontainers/runc 6c22e77604689db8725fa866f0f2ec0b3e8c3a07
-github.com/opencontainers/selinux 36a9bc45a08c85f2c52bd9eb32e20267876773bd
+github.com/opencontainers/selinux v1.1
 github.com/ostreedev/ostree-go master
 github.com/pborman/uuid 1b00554d822231195d1babd97ff4a781231955c9
 github.com/pkg/errors master
diff -Nru podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
--- podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go 2019-01-22 04:25:33.000000000 +0000
@@ -75,8 +75,8 @@
 
 // DupSecOpt takes a process label and returns security options that
 // can be used to set duplicate labels on future container processes
-func DupSecOpt(src string) []string {
- return nil
+func DupSecOpt(src string) ([]string, error) {
+ return nil, nil
 }
 
 // DisableSecOpt returns a security opt that can disable labeling
diff -Nru podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
--- podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go 2019-01-22 04:25:33.000000000 +0000
@@ -4,6 +4,8 @@
 
 import (
 "fmt"
+ "os"
+ "os/user"
 "strings"
 
 "github.com/opencontainers/selinux/go-selinux"
@@ -35,8 +37,15 @@
 ReleaseLabel(mountLabel)
 }
 }()
- pcon := selinux.NewContext(processLabel)
- mcon := selinux.NewContext(mountLabel)
+ pcon, err := selinux.NewContext(processLabel)
+ if err != nil {
+ return "", "", err
+ }
+
+ mcon, err := selinux.NewContext(mountLabel)
+ if err != nil {
+ return "", "", err
+ }
 for _, opt := range options {
 if opt == "disable" {
 return "", mountLabel, nil
@@ -146,13 +155,56 @@
 return nil
 }
 
- exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true, "/tmp": true, "/home": true, "/run": true, "/var": true, "/root": true}
+ exclude_paths := map[string]bool{
+ "/": true,
+ "/bin": true,
+ "/boot": true,
+ "/dev": true,
+ "/etc": true,
+ "/etc/passwd": true,
+ "/etc/pki": true,
+ "/etc/shadow": true,
+ "/home": true,
+ "/lib": true,
+ "/lib64": true,
+ "/media": true,
+ "/opt": true,
+ "/proc": true,
+ "/root": true,
+ "/run": true,
+ "/sbin": true,
+ "/srv": true,
+ "/sys": true,
+ "/tmp": true,
+ "/usr": true,
+ "/var": true,
+ "/var/lib": true,
+ "/var/log": true,
+ }
+
+ if home := os.Getenv("HOME"); home != "" {
+ exclude_paths[home] = true
+ }
+
+ if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+ if usr, err := user.Lookup(sudoUser); err == nil {
+ exclude_paths[usr.HomeDir] = true
+ }
+ }
+
+ if path != "/" {
+ path = strings.TrimSuffix(path, "/")
+ }
 if exclude_paths[path] {
 return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
 }
 
 if shared {
- c := selinux.NewContext(fileLabel)
+ c, err := selinux.NewContext(fileLabel)
+ if err != nil {
+ return err
+ }
+
 c["level"] = "s0"
 fileLabel = c.Get()
 }
@@ -195,7 +247,7 @@
 
 // DupSecOpt takes a process label and returns security options that
 // can be used to set duplicate labels on future container processes
-func DupSecOpt(src string) []string {
+func DupSecOpt(src string) ([]string, error) {
 return selinux.DupSecOpt(src)
 }
 
diff -Nru podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
--- podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go 2019-01-22 04:25:33.000000000 +0000
@@ -52,6 +52,8 @@
 ErrMCSAlreadyExists = errors.New("MCS label already exists")
 // ErrEmptyPath is returned when an empty path has been specified.
 ErrEmptyPath = errors.New("empty path")
+ // InvalidLabel is returned when an invalid label is specified.
+ InvalidLabel = errors.New("Invalid Label")
 
 assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
 roFileLabel string
@@ -405,11 +407,14 @@
 }
 
 // NewContext creates a new Context struct from the specified label
-func NewContext(label string) Context {
+func NewContext(label string) (Context, error) {
 c := make(Context)
 
 if len(label) != 0 {
 con := strings.SplitN(label, ":", 4)
+ if len(con) < 3 {
+ return c, InvalidLabel
+ }
 c["user"] = con[0]
 c["role"] = con[1]
 c["type"] = con[2]
@@ -417,7 +422,7 @@
 c["level"] = con[3]
 }
 }
- return c
+ return c, nil
 }
 
 // ClearLabels clears all reserved labels
@@ -630,12 +635,12 @@
 roFileLabel = fileLabel
 }
 exit:
- scon := NewContext(processLabel)
+ scon, _ := NewContext(processLabel)
 if scon["level"] != "" {
 mcs := uniqMcs(1024)
 scon["level"] = mcs
 processLabel = scon.Get()
- scon = NewContext(fileLabel)
+ scon, _ = NewContext(fileLabel)
 scon["level"] = mcs
 fileLabel = scon.Get()
 }
@@ -661,8 +666,14 @@
 if err := SecurityCheckContext(dest); err != nil {
 return "", err
 }
- scon := NewContext(src)
- tcon := NewContext(dest)
+ scon, err := NewContext(src)
+ if err != nil {
+ return "", err
+ }
+ tcon, err := NewContext(dest)
+ if err != nil {
+ return "", err
+ }
 mcsDelete(tcon["level"])
 mcsAdd(scon["level"])
 tcon["level"] = scon["level"]
@@ -714,15 +725,18 @@
 
 // DupSecOpt takes an SELinux process label and returns security options that
 // can be used to set the SELinux Type and Level for future container processes.
-func DupSecOpt(src string) []string {
+func DupSecOpt(src string) ([]string, error) {
 if src == "" {
- return nil
+ return nil, nil
+ }
+ con, err := NewContext(src)
+ if err != nil {
+ return nil, err
 }
- con := NewContext(src)
 if con["user"] == "" ||
 con["role"] == "" ||
 con["type"] == "" {
- return nil
+ return nil, nil
 }
 dup := []string{"user:" + con["user"],
 "role:" + con["role"],
@@ -733,7 +747,7 @@
 dup = append(dup, "level:"+con["level"])
 }
 
- return dup
+ return dup, nil
 }
 
 // DisableSecOpt returns a security opt that can be used to disable SELinux
diff -Nru podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
--- podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go 2019-01-22 04:25:33.000000000 +0000
@@ -115,9 +115,9 @@
 }
 
 // NewContext creates a new Context struct from the specified label
-func NewContext(label string) Context {
+func NewContext(label string) (Context, error) {
 c := make(Context)
- return c
+ return c, nil
 }
 
 // ClearLabels clears all reserved MLS/MCS levels
@@ -195,8 +195,8 @@
 
 // DupSecOpt takes an SELinux process label and returns security options that
 // can be used to set the SELinux Type and Level for future container processes.
-func DupSecOpt(src string) []string {
- return nil
+func DupSecOpt(src string) ([]string, error) {
+ return nil, nil
 }
 
 // DisableSecOpt returns a security opt that can be used to disable SELinux
diff -Nru podman-1.0.1/vendor.conf podman-1.0.1/vendor.conf
--- podman-1.0.1/vendor.conf 2019-01-21 04:21:17.000000000 +0000
+++ podman-1.0.1/vendor.conf 2019-01-22 04:25:33.000000000 +0000
@@ -16,7 +16,7 @@
 github.com/containernetworking/cni v0.7.0-alpha1
 github.com/containernetworking/plugins v0.7.4
 github.com/containers/image v1.3
-github.com/containers/storage v1.7
+github.com/containers/storage v1.8
 github.com/containers/psgo v1.1
 github.com/coreos/go-systemd v14
 github.com/cri-o/ocicni 2d2983e40c242322a56c22a903785e7f83eb378c
@@ -54,7 +54,7 @@
 github.com/opencontainers/runc v1.0.0-rc6
 github.com/opencontainers/runtime-spec 1722abf79c2f8f2675f47367f827c6491472cf27
 github.com/opencontainers/runtime-tools v0.8.0
-github.com/opencontainers/selinux v1.0.0
+github.com/opencontainers/selinux v1.1
 github.com/ostreedev/ostree-go d0388bd827cfac6fa8eec760246eb8375674b2a0
 github.com/pkg/errors v0.8.1
 github.com/pmezard/go-difflib v1.0.0