package label

import (
	"fmt"

	"github.com/opencontainers/selinux/go-selinux"
)

// Thin aliases kept so that existing importers of this package keep compiling.
// Each one forwards to the selinux identifier named in its Deprecated notice
// and adds no behaviour of its own.
var (
	// ROMountLabel aliases selinux.ROFileLabel.
	//
	// Deprecated: use selinux.ROFileLabel.
	ROMountLabel = selinux.ROFileLabel

	// SetProcessLabel takes a process label and asks the kernel to apply it
	// to the next program executed by the current process.
	//
	// Deprecated: use selinux.SetExecLabel.
	SetProcessLabel = selinux.SetExecLabel

	// ProcessLabel returns the label the kernel will assign to the next
	// program executed by the current process. An empty string means the
	// default labeling applies to that process.
	//
	// Deprecated: use selinux.ExecLabel.
	ProcessLabel = selinux.ExecLabel

	// SetSocketLabel takes a process label and asks the kernel to apply it
	// to the next socket that gets created.
	//
	// Deprecated: use selinux.SetSocketLabel.
	SetSocketLabel = selinux.SetSocketLabel

	// SocketLabel retrieves the current default socket label setting.
	//
	// Deprecated: use selinux.SocketLabel.
	SocketLabel = selinux.SocketLabel

	// SetKeyLabel takes a process label and asks the kernel to apply it to
	// the next kernel keyring that gets created.
	//
	// Deprecated: use selinux.SetKeyLabel.
	SetKeyLabel = selinux.SetKeyLabel

	// KeyLabel retrieves the current default kernel keyring label setting.
	//
	// Deprecated: use selinux.KeyLabel.
	KeyLabel = selinux.KeyLabel

	// FileLabel returns the label of the specified path.
	//
	// Deprecated: use selinux.FileLabel.
	FileLabel = selinux.FileLabel

	// PidLabel returns the label of the process running with the specified pid.
	//
	// Deprecated: use selinux.PidLabel.
	PidLabel = selinux.PidLabel

	// ClearLabels clears all reserved labels.
	//
	// Deprecated: use selinux.ClearLabels.
	ClearLabels = selinux.ClearLabels
)

// Init initialises the labeling system. It only queries whether SELinux is
// enabled; the answer is discarded here and nothing else is set up.
func Init() {
	// Result intentionally ignored: the call is made for its side effects only.
	_ = selinux.GetEnabled()
}
// ReserveLabel will record the fact that the MCS label has already been used. 59 // This will prevent InitLabels from using the MCS label in a newly created 60 // container 61 // Deprecated: use selinux.ReserveLabel 62 func ReserveLabel(label string) error { 63 selinux.ReserveLabel(label) 64 return nil 65 } 66 67 // ReleaseLabel will remove the reservation of the MCS label. 68 // This will allow InitLabels to use the MCS label in a newly created 69 // containers 70 // Deprecated: use selinux.ReleaseLabel 71 func ReleaseLabel(label string) error { 72 selinux.ReleaseLabel(label) 73 return nil 74 } 75 76 // DupSecOpt takes a process label and returns security options that 77 // can be used to set duplicate labels on future container processes 78 // Deprecated: use selinux.DupSecOpt 79 var DupSecOpt = selinux.DupSecOpt 80 81 // FormatMountLabel returns a string to be used by the mount command. Using 82 // the SELinux `context` mount option. Changing labels of files on mount 83 // points with this option can never be changed. 84 // FormatMountLabel returns a string to be used by the mount command. 85 // The format of this string will be used to alter the labeling of the mountpoint. 86 // The string returned is suitable to be used as the options field of the mount command. 87 // If you need to have additional mount point options, you can pass them in as 88 // the first parameter. Second parameter is the label that you wish to apply 89 // to all content in the mount point. 90 func FormatMountLabel(src, mountLabel string) string { 91 return FormatMountLabelByType(src, mountLabel, "context") 92 } 93 94 // FormatMountLabelByType returns a string to be used by the mount command. 95 // Allow caller to specify the mount options. For example using the SELinux 96 // `fscontext` mount option would allow certain container processes to change 97 // labels of files created on the mount points, where as `context` option does 98 // not. 
// FormatMountLabelByType returns a string to be used by the mount command.
// The format of this string will be used to alter the labeling of the
// mountpoint, and the string returned is suitable to be used as the options
// field of the mount command.
//
// src carries any additional mount point options and is returned unchanged
// when mountLabel is empty. mountLabel is the label to apply to all content
// in the mount point. contextType names the SELinux mount option to emit
// (for example "context" or "fscontext"). The label is written double-quoted
// and escaped as by %q, giving `<src>,<contextType>="<mountLabel>"`, without
// the leading `<src>,` when src is empty.
//
// Neither mountLabel nor contextType is validated here; the caller is
// responsible for supplying a well-formed SELinux context.
func FormatMountLabelByType(src, mountLabel, contextType string) string {
	if mountLabel == "" {
		return src
	}
	labelOpt := fmt.Sprintf("%s=%q", contextType, mountLabel)
	if src == "" {
		return labelOpt
	}
	return src + "," + labelOpt
}