diff --git a/exec.go b/exec.go
index 62ab4662548..7fc04402a25 100644
--- a/exec.go
+++ b/exec.go
@@ -224,5 +224,5 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 }
 p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
 }
- return p, nil
+ return p, validateProcessSpec(p)
 }
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
index 888981f5291..243f77efe56 100644
--- a/libcontainer/setns_init_linux.go
+++ b/libcontainer/setns_init_linux.go
@@ -34,10 +34,12 @@ func (l *linuxSetnsInit) Init() error {
 defer runtime.UnlockOSThread()
 if !l.config.Config.NoNewKeyring {
- if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil {
- return err
+ if l.config.ProcessLabel != "" {
+ if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil {
+ return err
+ }
+ defer label.SetKeyLabel("")
 }
- defer label.SetKeyLabel("")
 // Do not inherit the parent's session keyring.
 if _, err := keys.JoinSessionKeyring(l.getSessionRingName()); err != nil {
 // Same justification as in standart_init_linux.go as to why we
@@ -62,10 +64,12 @@ func (l *linuxSetnsInit) Init() error {
 return err
 }
 }
- if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
- return err
+ if l.config.ProcessLabel != "" {
+ if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
+ return err
+ }
+ defer label.SetProcessLabel("")
 }
- defer label.SetProcessLabel("")
 // Without NoNewPrivileges seccomp is a privileged operation, so we need to
 // do this before dropping capabilities; otherwise do it as late as possible
 // just before execve so as few syscalls take place after it as possible.
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 4e03b8bc058..59e190018b6 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
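Review bot: `return p, validateProcessSpec(p)` hands the caller a non-nil *specs.Process together with a non-nil error, so a caller that tests `p != nil` instead of `err` would proceed with a spec that just failed validation, including the new SELinux check; the Go convention is that the value is meaningless when the error is set. Prefer `if err := validateProcessSpec(p); err != nil { return nil, err }` followed by `return p, nil`. getProcess starts before this hunk, so whether its earlier return path (e.g. a `--process` JSON file) applies the same validation is not visible here and is worth confirming.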
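Review bot: The new `l.config.ProcessLabel != ""` guard is undocumented, and the hunk drops the unconditional `label.SetKeyLabel("")` reset without saying why skipping the write is safe on the empty-label path. A short comment would spare the next reader the archaeology, e.g. `// An empty ProcessLabel means no SELinux label was configured; skip the /proc/self/attr/keycreate write entirely so hosts with SELinux disabled or absent do not fail here.` The motivation (a failing write on SELinux-disabled kernels) is my inference from the shape of the change, so adjust the wording to the real bug. Init() begins before this hunk and continues after it.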
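Review bot: On error this path returns the bare `err`, whereas the matching change in standard_init_linux.go in this same patch returns `errors.Wrap(err, "set process label")`, so a failure to apply the SELinux exec label on `runc exec` surfaces with no indication of which step failed. If this file already imports github.com/pkg/errors, wrapping it the same way (`return errors.Wrap(err, "set process label")`) keeps the two init paths consistent and makes a confinement failure attributable in logs. A one-line comment on the guard is also worth adding, noting that when no label is configured nothing is written to /proc/self/attr/exec and the exec'd process keeps the kernel's default transition, which is presumably the intent. Init() begins before this hunk and continues after it.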
@@ -48,10 +48,12 @@ func (l *linuxStandardInit) Init() error {
 runtime.LockOSThread()
 defer runtime.UnlockOSThread()
 if !l.config.Config.NoNewKeyring {
- if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil {
- return err
+ if l.config.ProcessLabel != "" {
+ if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil {
+ return err
+ }
+ defer label.SetKeyLabel("")
 }
- defer label.SetKeyLabel("")
 ringname, keepperms, newperms := l.getSessionRingParams()
 // Do not inherit the parent's session keyring.
@@ -146,10 +148,12 @@ func (l *linuxStandardInit) Init() error {
 if err := syncParentReady(l.pipe); err != nil {
 return errors.Wrap(err, "sync ready")
 }
- if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
- return errors.Wrap(err, "set process label")
+ if l.config.ProcessLabel != "" {
+ if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
+ return errors.Wrap(err, "set process label")
+ }
+ defer label.SetProcessLabel("")
 }
- defer label.SetProcessLabel("")
 // Without NoNewPrivileges seccomp is a privileged operation, so we need to
 // do this before dropping capabilities; otherwise do it as late as possible
 // just before execve so as few syscalls take place after it as possible.
diff --git a/utils_linux.go b/utils_linux.go
index ce50db14537..b05e7b609d8 100644
--- a/utils_linux.go
+++ b/utils_linux.go
@@ -17,6 +17,7 @@ import (
 "github.com/opencontainers/runc/libcontainer/specconv"
 "github.com/opencontainers/runc/libcontainer/utils"
 "github.com/opencontainers/runtime-spec/specs-go"
+ selinux "github.com/opencontainers/selinux/go-selinux"
 "github.com/coreos/go-systemd/activation"
 "github.com/pkg/errors"
@@ -387,6 +388,9 @@ func validateProcessSpec(spec *specs.Process) error {
 if len(spec.Args) == 0 {
 return fmt.Errorf("args must not be empty")
 }
+ if spec.SelinuxLabel != "" && !selinux.GetEnabled() {
+ return fmt.Errorf("selinux label is specified in config, but selinux is disabled or not supported")
+ }
 return nil
 }
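Review bot: The ordering inside the `NoNewKeyring` branch is load-bearing but uncommented: `label.SetKeyLabel` has to run before the session keyring is created by the code following `l.getSessionRingParams()`, since the keycreate context presumably applies only to keys created after it is written. The new `if l.config.ProcessLabel != ""` nesting makes that dependency easier to lose in a future edit; a comment such as `// Must precede keyring creation below: the keycreate label only affects keys created afterwards.` would protect it. Init() begins before this hunk and the keyring setup continues past its last line.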
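Review bot: With an empty ProcessLabel the process no longer writes anything to /proc/self/attr/exec, so the explicit clear that `label.SetProcessLabel("")` used to perform is gone; this is fine only if nothing earlier in init has set an exec context, which looks true here (the label is applied right after `syncParentReady`) but is not stated. The guard also relies on the parent having rejected a non-empty label on a host without SELinux (validateProcessSpec in utils_linux.go in this patch); init itself would otherwise return `set process label` with whatever error the /proc write produces. A comment recording both assumptions, e.g. `// Label is validated in the parent (validateProcessSpec); an empty label leaves the kernel's default exec transition in place.`, would keep this readable. Init() begins before this hunk and continues after it.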
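Review bot: The new check fails closed — a spec that requests an SELinux label on a host where `selinux.GetEnabled()` is false is rejected up front instead of failing later inside init or starting with less confinement than requested — but nothing says so, and a future reader may be tempted to downgrade it to a warning. A comment on the new `if`, such as `// Fail closed: silently ignoring a requested label would start the container with weaker confinement than the spec asked for.`, records the intent. The check only sees *specs.Process; if the spec's linux.mountLabel is validated elsewhere, it deserves the same treatment. The message could also include the offending label via `%q` to ease triage, which would justify the `fmt.Errorf` call.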