add selinux category range to config

crosbymichael · crosbymichael · commit 5f5d954b6af9 · 2020-07-20T16:02:07.000-04:00
This allows an admin to set the upper bounds on the category range for selinux
labels.  This can be useful when handling allocation of PVs or other volume
types that need to be shared with selinux enabled on the hosts and volumes.

Signed-off-by: Michael Crosby &lt;michael@thepasture.io&gt;
diff --git a/docs/config.md b/docs/config.md
@@ -35,6 +35,10 @@ version = 2
   # enable_selinux indicates to enable the selinux support.
   enable_selinux = false
 
+  # selinux_category_range allows the upper bound on the category range to be set.
+  # if not specified or set to 0, defaults to 1024 from the selinux package.
+  selinux_category_range = 1024
+
   # sandbox_image is the image used by sandbox container.
   sandbox_image = "k8s.gcr.io/pause:3.2"
 
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -198,6 +198,9 @@ type PluginConfig struct {
 	StreamIdleTimeout string `toml:"stream_idle_timeout" json:"streamIdleTimeout"`
 	// EnableSelinux indicates to enable the selinux support.
 	EnableSelinux bool `toml:"enable_selinux" json:"enableSelinux"`
+	// SelinuxCategoryRange allows the upper bound on the category range to be set.
+	// If not specified or set to 0, defaults to 1024 from the selinux package.
+	SelinuxCategoryRange int `toml:"selinux_category_range" json:"selinuxCategoryRange"`
 	// SandboxImage is the image used by sandbox container.
 	SandboxImage string `toml:"sandbox_image" json:"sandboxImage"`
 	// StatsCollectPeriod is the period (in seconds) of snapshots stats collection.
diff --git a/pkg/config/config_unix.go b/pkg/config/config_unix.go
@@ -44,12 +44,13 @@ func DefaultConfig() PluginConfig {
 				},
 			},
 		},
-		DisableTCPService:   true,
-		StreamServerAddress: "127.0.0.1",
-		StreamServerPort:    "0",
-		StreamIdleTimeout:   streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
-		EnableSelinux:       false,
-		EnableTLSStreaming:  false,
+		DisableTCPService:    true,
+		StreamServerAddress:  "127.0.0.1",
+		StreamServerPort:     "0",
+		StreamIdleTimeout:    streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
+		EnableSelinux:        false,
+		SelinuxCategoryRange: 1024,
+		EnableTLSStreaming:   false,
 		X509KeyPairStreaming: X509KeyPairStreaming{
 			TLSKeyFile:  "",
 			TLSCertFile: "",
diff --git a/pkg/server/service_unix.go b/pkg/server/service_unix.go
@@ -44,6 +44,9 @@ func (c *criService) initPlatform() error {
 		if !selinux.GetEnabled() {
 			logrus.Warn("Selinux is not supported")
 		}
+		if r := c.config.SelinuxCategoryRange; r > 0 {
+			selinux.CategoryRange = uint32(r)
+		}
 	} else {
 		selinux.SetDisabled()
 	}
diff --git a/vendor.conf b/vendor.conf
@@ -1,8 +1,8 @@
 # cri dependencies
 github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f
 github.com/opencontainers/selinux                   v1.6.0
-github.com/willf/bitset								d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg
 github.com/tchap/go-patricia                        v2.2.6
+github.com/willf/bitset                             d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg
 
 # containerd dependencies
 github.com/beorn7/perks                             v1.0.1

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,9 @@ func (c *criService) initPlatform() error {`
`44`	`44`	`if !selinux.GetEnabled() {`
`45`	`45`	`logrus.Warn("Selinux is not supported")`
`46`	`46`	`}`
	`47`	`+ if r := c.config.SelinuxCategoryRange; r > 0 {`
	`48`	`+ selinux.CategoryRange = uint32(r)`
	`49`	`+ }`
`47`	`50`	`} else {`
`48`	`51`	`selinux.SetDisabled()`
`49`	`52`	`}`