From 64a86d08aeff09f04f0e5dc885ef5579f5cbdfb5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 2 Jun 2026 00:16:48 +0000
Subject: [PATCH] Bump github.com/opencontainers/selinux from 1.14.1 to 1.15.1

Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.14.1 to 1.15.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.14.1...v1.15.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
 dependency-version: 1.15.1
 dependency-type: direct:production
 update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../selinux/go-selinux/selinux.go | 20 ++++++++
 .../selinux/go-selinux/selinux_linux.go | 47 ++++++++++++++++++-
 .../selinux/go-selinux/selinux_stub.go | 4 ++
 vendor/modules.txt | 2 +-
 6 files changed, 74 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index 1685c2cb6..991efdf22 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/fsnotify/fsnotify v1.9.0
 github.com/google/renameio v1.0.1
 github.com/google/uuid v1.6.0
- github.com/opencontainers/selinux v1.14.1
+ github.com/opencontainers/selinux v1.15.1
 github.com/prometheus/procfs v0.20.1
 github.com/sirupsen/logrus v1.9.4
 github.com/stretchr/testify v1.11.1
diff --git a/go.sum b/go.sum
index bca0f9370..c78b32ec5 100644
--- a/go.sum
+++ b/go.sum
@@ -91,8 +91,8 @@ github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5
 github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116 h1:tAKu3NkKWZYpqBSOJKwTxT1wIGueiF7gcmcNgr5pNTY=
 github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116/go.mod h1:DKDEfzxvRkoQ6n9TGhxQgg2IM1lY4aM0eaQP4e3oElw=
-github.com/opencontainers/selinux v1.14.1 h1:a7XlXV/nN/l5zFP1FWZYoExpClu1QOPMfWUV2CZ8kEQ=
-github.com/opencontainers/selinux v1.14.1/go.mod h1:LenyElirjUHszfxrjuFqC85HIeXZKumHcKMQtnaDlQQ=
+github.com/opencontainers/selinux v1.15.1 h1:ERxeh5caJvCzNAKdI8WQbJmB1LDTn4BuaAg8wihLBpA=
+github.com/opencontainers/selinux v1.15.1/go.mod h1:LenyElirjUHszfxrjuFqC85HIeXZKumHcKMQtnaDlQQ=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
index 1935bf69e..ad30aa960 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
@@ -48,6 +48,21 @@ var (
 privContainerMountLabel string
 )
+// ProcessKind selects which process domain [SetProcessKind] applies to a label.
+type ProcessKind int
+
+const (
+ ProcessKindRegular ProcessKind = 1
+ ProcessKindInit ProcessKind = 2
+ ProcessKindKVM ProcessKind = 3
+)
+
+// SetProcessKind returns label with its type component replaced by the one
+// corresponding to kind. Other label components are kept intact.
+func SetProcessKind(label string, kind ProcessKind) (string, error) {
+ return setProcessKind(label, kind)
+}
+
 // Context is a representation of the SELinux label broken into 4 parts
 type Context map[string]string
@@ -231,6 +246,7 @@ func ReserveLabel(label string) {
 }
 // ReserveLabelV2 reserves the MLS/MCS level component of the specified label.
+// Labels without MLS/MCS category component (":c") are ignored.
 // Returns an error if the label can't be reserved.
 //
 // Callers that are intentionally reusing an existing level/MCS (e.g. multiple
@@ -292,6 +308,8 @@ func KVMContainerLabels() (string, string) {
 // KVMContainerLabel returns the default process label to be used
 // for KVM containers by the calling process.
+//
+// If you only need to change a type of existing label, use [SetProcessKind] instead.
 func KVMContainerLabel() (string, error) {
 return kvmContainerLabel()
 }
@@ -306,6 +324,8 @@ func InitContainerLabels() (string, string) {
 // InitContainerLabel returns the default process label to be used
 // for containers running an init system like systemd by the calling process.
+//
+// If you only need to change a type of existing label, use [SetProcessKind] instead.
 func InitContainerLabel() (string, error) {
 return initContainerLabel()
 }
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 211715570..6ee2814a3 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -890,8 +890,10 @@ func defaultEnforceMode() int {
 return Disabled
 }
+// mcsAdd reserves a level. If the argument is empty or does not contain
+// MCS/MLS category component (no ":c"), it is ignored.
 func mcsAdd(mcs string) error {
- if mcs == "" {
+ if !strings.Contains(mcs, ":c") {
 return nil
 }
 state.Lock()
@@ -1513,3 +1515,46 @@ func getDefaultContextWithLevel(user, level, scon string) (string, error) {
 return getDefaultContextFromReaders(&c)
 }
+
+func (k ProcessKind) keys() (primary, fallback string, ok bool) {
+ switch k {
+ case ProcessKindRegular:
+ return "process", "", true
+ case ProcessKindInit:
+ return "init_process", "process", true
+ case ProcessKindKVM:
+ return "kvm_process", "process", true
+ }
+ return "", "", false
+}
+
+func setProcessKind(cLabel string, k ProcessKind) (string, error) {
+ if cLabel == "" {
+ return "", nil
+ }
+ primary, fallback, ok := k.keys()
+ if !ok {
+ return "", fmt.Errorf("selinux.SetProcessKind: invalid ProcessKind %d", k)
+ }
+
+ src := label(primary)
+ if src == "" && fallback != "" {
+ src = label(fallback)
+ }
+ if src == "" {
+ return cLabel, nil
+ }
+
+ // Replace cLabel type with one from src.
+ srcCtx, err := newContext(src)
+ if err != nil {
+ return "", fmt.Errorf("selinux.SetProcessKind: invalid %s label %s: %w", primary, src, err)
+ }
+ dstCtx, err := newContext(cLabel)
+ if err != nil {
+ return "", fmt.Errorf("selinux.SetProcessKind: invalid label %s: %w", cLabel, err)
+ }
+
+ dstCtx["type"] = srcCtx["type"]
+ return dstCtx.get(), nil
+}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 78a4e1fe3..d01bf2615 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -157,3 +157,7 @@ func getDefaultContextWithLevel(string, string, string) (string, error) {
 func label(_ string) string {
 return ""
 }
+
+func setProcessKind(string, ProcessKind) (string, error) {
+ return "", nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 23c232ede..c9c5cb584 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -147,7 +147,7 @@ github.com/opencontainers/runtime-spec/specs-go
 github.com/opencontainers/runtime-tools/generate
 github.com/opencontainers/runtime-tools/generate/seccomp
 github.com/opencontainers/runtime-tools/validate/capabilities
-# github.com/opencontainers/selinux v1.14.1
+# github.com/opencontainers/selinux v1.15.1
 ## explicit; go 1.22
 github.com/opencontainers/selinux/go-selinux
 github.com/opencontainers/selinux/pkg/pwalkdir