
Merge pull request #41786 from thaJeztah/test_selinux_tip

vendor: opencontainers/selinux v1.8.0, and remove selinux build-tag and stubs
Akihiro Suda 4 年之前
父节点
当前提交
8891c58a43

+ 1 - 1
Dockerfile

@@ -6,7 +6,7 @@ ARG SYSTEMD="false"
 ARG GO_VERSION=1.13.15
 ARG DEBIAN_FRONTEND=noninteractive
 ARG VPNKIT_VERSION=0.4.0
-ARG DOCKER_BUILDTAGS="apparmor seccomp selinux"
+ARG DOCKER_BUILDTAGS="apparmor seccomp"
 
 ARG BASE_DEBIAN_DISTRO="buster"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

+ 3 - 2
daemon/daemon_unix.go

@@ -45,6 +45,7 @@ import (
 	lntypes "github.com/docker/libnetwork/types"
 	"github.com/moby/sys/mount"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -822,7 +823,7 @@ func overlaySupportsSelinux() (bool, error) {
 // configureKernelSecuritySupport configures and validates security support for the kernel
 func configureKernelSecuritySupport(config *config.Config, driverName string) error {
 	if config.EnableSelinuxSupport {
-		if !selinuxEnabled() {
+		if !selinux.GetEnabled() {
 			logrus.Warn("Docker could not enable SELinux on the host system")
 			return nil
 		}
@@ -840,7 +841,7 @@ func configureKernelSecuritySupport(config *config.Config, driverName string) er
 			}
 		}
 	} else {
-		selinuxSetDisabled()
+		selinux.SetDisabled()
 	}
 	return nil
 }
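Review bot: The import added at the top of this file, `"github.com/opencontainers/selinux/go-selinux"`, is unaliased although the package clause is `selinux` while the path's last element is `go-selinux`, so the `selinux.GetEnabled()` and `selinux.SetDisabled()` calls in configureKernelSecuritySupport rely on a package name a reader cannot infer from the import line. The deleted daemon/selinux_linux.go spelled it out as `selinux "github.com/opencontainers/selinux/go-selinux"`; keeping that explicit alias here, and in the matching imports in daemon/delete.go and daemon/info.go, would make the mapping visible and keep the usual mismatched-import-name lint quiet. The context lines also show that when `config.EnableSelinuxSupport` is set but `selinux.GetEnabled()` is false the function only warns and returns nil, so the daemon keeps running without SELinux labelling instead of refusing to start; a comment such as `// SELinux was requested but is not enabled on the host: degrade to no labelling rather than fail startup` above the `logrus.Warn` would record that this fall-back is deliberate. The body of configureKernelSecuritySupport between the two hunks is outside this view.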

+ 2 - 1
daemon/delete.go

@@ -11,6 +11,7 @@ import (
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/pkg/system"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -134,7 +135,7 @@ func (daemon *Daemon) cleanupContainer(container *container.Container, forceRemo
 	}
 
 	linkNames := daemon.linkIndex.delete(container)
-	selinuxFreeLxcContexts(container.ProcessLabel)
+	selinux.ReleaseLabel(container.ProcessLabel)
 	daemon.idIndex.Delete(container.ID)
 	daemon.containers.Delete(container.ID)
 	daemon.containersReplica.Delete(container)

+ 2 - 1
daemon/info.go

@@ -22,6 +22,7 @@ import (
 	"github.com/docker/docker/pkg/system"
 	"github.com/docker/docker/registry"
 	metrics "github.com/docker/go-metrics"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 )
 
@@ -188,7 +189,7 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
 		}
 		securityOptions = append(securityOptions, fmt.Sprintf("name=seccomp,profile=%s", profile))
 	}
-	if selinuxEnabled() {
+	if selinux.GetEnabled() {
 		securityOptions = append(securityOptions, "name=selinux")
 	}
 	if rootIDs := daemon.idMapping.RootPair(); rootIDs.UID != 0 || rootIDs.GID != 0 {

+ 0 - 15
daemon/selinux_linux.go

@@ -1,15 +0,0 @@
-package daemon // import "github.com/docker/docker/daemon"
-
-import selinux "github.com/opencontainers/selinux/go-selinux"
-
-func selinuxSetDisabled() {
-	selinux.SetDisabled()
-}
-
-func selinuxFreeLxcContexts(label string) {
-	selinux.ReleaseLabel(label)
-}
-
-func selinuxEnabled() bool {
-	return selinux.GetEnabled()
-}

+ 0 - 13
daemon/selinux_unsupported.go

@@ -1,13 +0,0 @@
-// +build !linux
-
-package daemon // import "github.com/docker/docker/daemon"
-
-func selinuxSetDisabled() {
-}
-
-func selinuxFreeLxcContexts(label string) {
-}
-
-func selinuxEnabled() bool {
-	return false
-}

+ 1 - 7
project/PACKAGERS.md

@@ -156,12 +156,6 @@ AppArmor, you will need to set `DOCKER_BUILDTAGS` as follows:
 export DOCKER_BUILDTAGS='apparmor'
 ```
 
-If you're building a binary that may need to be used on platforms that include
-SELinux, you will need to use the `selinux` build tag:
-```bash
-export DOCKER_BUILDTAGS='selinux'
-```
-
 If you're building a binary that may need to be used on platforms that include
 seccomp, you will need to use the `seccomp` build tag:
 ```bash
@@ -188,7 +182,7 @@ export DOCKER_BUILDTAGS='exclude_graphdriver_aufs'
 
 NOTE: if you need to set more than one build tag, space separate them:
 ```bash
-export DOCKER_BUILDTAGS='apparmor selinux exclude_graphdriver_aufs'
+export DOCKER_BUILDTAGS='apparmor exclude_graphdriver_aufs'
 ```
 
 ### LCOW (Linux Containers On Windows)

+ 1 - 1
vendor.conf

@@ -176,7 +176,7 @@ github.com/morikuni/aec                             39771216ff4c63d11f5e604076f9
 # metrics
 github.com/docker/go-metrics                        b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1
 
-github.com/opencontainers/selinux                   63ad55b76fd78d4c76c2f5491f68516e60c9d523 # v1.7.0
+github.com/opencontainers/selinux                   2f45b3796d18f1ab4c9fc0c888a98d0a0fd6e429 # v1.8.0
 github.com/willf/bitset                             559910e8471e48d76d9e5a1ba15842dee77ad45d # v1.1.11
 
 

+ 2 - 1
vendor/github.com/opencontainers/selinux/README.md

@@ -6,7 +6,8 @@ Common SELinux package used across the container ecosystem.
 
 ## Usage
 
-When compiling consumers of this project, the `selinux` build tag must be used to enable selinux functionality.
+Prior to v1.8.0, the `selinux` build tag had to be used to enable selinux functionality for compiling consumers of this project.
+Starting with v1.8.0, the `selinux` build tag is no longer needed.
 
 For complete documentation, see [godoc](https://godoc.org/github.com/opencontainers/selinux).
 

+ 0 - 3
vendor/github.com/opencontainers/selinux/go-selinux/doc.go

@@ -5,9 +5,6 @@ This package uses a selinux build tag to enable the selinux functionality. This
 allows non-linux and linux users who do not have selinux support to still use
 tools that rely on this library.
 
-To compile with full selinux support use the -tags=selinux option in your build
-and test commands.
-
 Usage:
 
 	import "github.com/opencontainers/selinux/go-selinux"

+ 0 - 2
vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go → vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go

@@ -1,5 +1,3 @@
-// +build selinux,linux
-
 package label
 
 import (

+ 1 - 1
vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go

@@ -1,4 +1,4 @@
-// +build !selinux !linux
+// +build !linux
 
 package label
 

+ 0 - 2
vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go

@@ -1,5 +1,3 @@
-// +build selinux,linux
-
 package selinux
 
 import (

+ 1 - 1
vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go

@@ -1,4 +1,4 @@
-// +build !selinux !linux
+// +build !linux
 
 package selinux
 

+ 0 - 2
vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go → vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go

@@ -1,5 +1,3 @@
-// +build selinux,linux
-
 package selinux
 
 import (