diff --git a/pkg/kubelet/cm/devicemanager/manager.go b/pkg/kubelet/cm/devicemanager/manager.go
index db6a015031a..4c9d296c30f 100644
--- a/pkg/kubelet/cm/devicemanager/manager.go
+++ b/pkg/kubelet/cm/devicemanager/manager.go
@@ -28,6 +28,7 @@ import (
 "time"
 cadvisorapi "github.com/google/cadvisor/info/v1"
+ "github.com/opencontainers/selinux/go-selinux"
 "google.golang.org/grpc"
 "k8s.io/klog/v2"
@@ -48,7 +49,6 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/metrics"
 "k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
 schedulerframework "k8s.io/kubernetes/pkg/scheduler/framework"
- "k8s.io/kubernetes/pkg/util/selinux"
 )
 const nodeWithoutTopology = -1
@@ -259,7 +259,7 @@ func (m *ManagerImpl) Start(activePods ActivePodsFunc, sourcesReady config.Sourc
 if err = os.MkdirAll(m.socketdir, 0750); err != nil {
 return err
 }
- if selinux.SELinuxEnabled() {
+ if selinux.GetEnabled() {
 if err := selinux.SetFileLabel(m.socketdir, config.KubeletPluginsDirSELinuxLabel); err != nil {
 klog.InfoS("Unprivileged containerized plugins might not work. Could not set selinux context on socket dir", "path", m.socketdir, "err", err)
 }
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
index 6bdb3b99c85..f7831958573 100644
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@@ -32,6 +32,7 @@ import (
 "sync/atomic"
 "time"
+ "github.com/opencontainers/selinux/go-selinux"
 "k8s.io/client-go/informers"
 cadvisorapi "github.com/google/cadvisor/info/v1"
@@ -109,7 +110,6 @@ import (
 "k8s.io/kubernetes/pkg/security/apparmor"
 sysctlallowlist "k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl"
 "k8s.io/kubernetes/pkg/util/oom"
- "k8s.io/kubernetes/pkg/util/selinux"
 "k8s.io/kubernetes/pkg/volume"
 "k8s.io/kubernetes/pkg/volume/csi"
 "k8s.io/kubernetes/pkg/volume/util/hostutil"
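Review bot: The added import `"github.com/opencontainers/selinux/go-selinux"` is referenced below as `selinux`, so the identifier no longer matches the last path element, and it silently takes over the name the deleted `k8s.io/kubernetes/pkg/util/selinux` wrapper used to occupy. The deleted `selinux_linux.go` imported the same module with an explicit alias, `selinux "github.com/opencontainers/selinux/go-selinux"`; keeping that alias at each new import site makes the `selinux.GetEnabled()` / `selinux.SetFileLabel(...)` calls unambiguous to a reader who does not know that the go-selinux directory declares `package selinux`. The same applies to the parallel import hunks in kubelet.go, kuberuntime_container.go and hostutil_linux.go.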
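Review bot: `if selinux.GetEnabled() {` loses the only in-tree explanation of what "enabled" means, because the deleted `pkg/util/selinux` doc comment (true for enforcing or permissive, false only when SELinux is disabled) goes with the wrapper, and this call site is where a reader will next ask whether permissive mode still triggers labeling of the plugin socket directory. Suggest a one-line comment above the condition: `// GetEnabled is true in enforcing and permissive mode; labeling is skipped only when SELinux is disabled.` The `Start` method begins and ends outside the hunk, and the fact that a `SetFileLabel` failure is only logged at Info level and otherwise ignored is unchanged by this commit.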
@@ -1265,7 +1265,7 @@ func (kl *Kubelet) setupDataDirs() error {
 if err := os.MkdirAll(kl.getPodResourcesDir(), 0750); err != nil {
 return fmt.Errorf("error creating podresources directory: %v", err)
 }
- if selinux.SELinuxEnabled() {
+ if selinux.GetEnabled() {
 err := selinux.SetFileLabel(pluginRegistrationDir, config.KubeletPluginsDirSELinuxLabel)
 if err != nil {
 klog.InfoS("Unprivileged containerized plugins might not work, could not set selinux context on plugin registration dir", "path", pluginRegistrationDir, "err", err)
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container.go b/pkg/kubelet/kuberuntime/kuberuntime_container.go
index 3de4fcadd17..dce0ba0d9a2 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_container.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container.go
@@ -34,6 +34,7 @@ import (
 "sync"
 "time"
+ "github.com/opencontainers/selinux/go-selinux"
 grpcstatus "google.golang.org/grpc/status"
 "github.com/armon/circbuf"
@@ -51,7 +52,6 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/events"
 "k8s.io/kubernetes/pkg/kubelet/types"
 "k8s.io/kubernetes/pkg/kubelet/util/format"
- "k8s.io/kubernetes/pkg/util/selinux"
 "k8s.io/kubernetes/pkg/util/tail"
 volumeutil "k8s.io/kubernetes/pkg/volume/util"
 )
@@ -378,7 +378,7 @@ func (m *kubeGenericRuntimeManager) makeMounts(opts *kubecontainer.RunContainerO
 for idx := range opts.Mounts {
 v := opts.Mounts[idx]
- selinuxRelabel := v.SELinuxRelabel && selinux.SELinuxEnabled()
+ selinuxRelabel := v.SELinuxRelabel && selinux.GetEnabled()
 mount := &runtimeapi.Mount{
 HostPath: v.HostPath,
 ContainerPath: v.ContainerPath,
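Review bot: `if selinux.GetEnabled() {` and the `selinux.SetFileLabel(...)` call inside it now rely on go-selinux's own non-Linux build of those functions, where the deleted `selinux_unsupported.go` hard-wired `SELinuxEnabled()` to `false` and `SetFileLabel` to `nil`. kubelet.go is compiled for non-Linux targets as well, so behaviour is unchanged there only if the vendored go-selinux version provides stubs with the same return values; it presumably does, but that is not visible in this diff and is worth confirming against the vendor tree or the go.mod pin. `setupDataDirs` begins before the hunk and continues past it.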
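Review bot: `selinuxRelabel := v.SELinuxRelabel && selinux.GetEnabled()` evaluates `GetEnabled` once per mount inside the `for idx := range opts.Mounts` loop although the host's SELinux state cannot differ between iterations; hoist it above the loop as `seLinuxEnabled := selinux.GetEnabled()` and write `selinuxRelabel := v.SELinuxRelabel && seLinuxEnabled`. go-selinux presumably memoizes the answer, so this is a readability point rather than a cost one, but it also makes explicit that the enabled check is a per-call invariant and not a per-mount decision. `makeMounts` starts before this hunk and continues past it.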
@@ -418,7 +418,7 @@ func (m *kubeGenericRuntimeManager) makeMounts(opts *kubecontainer.RunContainerO
 // Volume Mounts fail on Windows if it is not of the form C:/
 containerLogPath = volumeutil.MakeAbsolutePath(goruntime.GOOS, containerLogPath)
 terminationMessagePath := volumeutil.MakeAbsolutePath(goruntime.GOOS, container.TerminationMessagePath)
- selinuxRelabel := selinux.SELinuxEnabled()
+ selinuxRelabel := selinux.GetEnabled()
 volumeMounts = append(volumeMounts, &runtimeapi.Mount{
 HostPath: containerLogPath,
 ContainerPath: terminationMessagePath,
diff --git a/pkg/util/selinux/doc.go b/pkg/util/selinux/doc.go
deleted file mode 100644
index 2757203f93c..00000000000
--- a/pkg/util/selinux/doc.go
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package selinux contains wrapper functions for the libcontainer SELinux
-// package. A NOP implementation is provided for non-linux platforms.
-package selinux // import "k8s.io/kubernetes/pkg/util/selinux"
diff --git a/pkg/util/selinux/selinux.go b/pkg/util/selinux/selinux.go
deleted file mode 100644
index c367f7bbe7c..00000000000
--- a/pkg/util/selinux/selinux.go
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package selinux
-
-// Note: the libcontainer SELinux package is only built for Linux, so it is
-// necessary to have a NOP wrapper which is built for non-Linux platforms to
-// allow code that links to this package not to differentiate its own methods
-// for Linux and non-Linux platforms.
-//
-// SELinuxRunner wraps certain libcontainer SELinux calls. For more
-// information, see:
-//
-// https://github.com/opencontainers/runc/blob/master/libcontainer/selinux/selinux.go
-type SELinuxRunner interface {
- // Getfilecon returns the SELinux context for the given path or returns an
- // error.
- Getfilecon(path string) (string, error)
-}
-
-// NewSELinuxRunner returns a new SELinuxRunner appropriate for the platform.
-// On Linux, all methods short-circuit and return NOP values if SELinux is
-// disabled. On non-Linux platforms, a NOP implementation is returned.
-func NewSELinuxRunner() SELinuxRunner {
- return &realSELinuxRunner{}
-}
diff --git a/pkg/util/selinux/selinux_linux.go b/pkg/util/selinux/selinux_linux.go
deleted file mode 100644
index 96525ed2ee5..00000000000
--- a/pkg/util/selinux/selinux_linux.go
+++ /dev/null
@@ -1,58 +0,0 @@
-//go:build linux
-// +build linux
-
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package selinux
-
-import (
- selinux "github.com/opencontainers/selinux/go-selinux"
-)
-
-// SELinuxEnabled returns whether SELinux is enabled on the system. SELinux
-// has a tri-state:
-//
-// 1. disabled: SELinux Kernel modules not loaded, SELinux policy is not
-// checked during Kernel MAC checks
-// 2. enforcing: Enabled; SELinux policy violations are denied and logged
-// in the audit log
-// 3. permissive: Enabled, but SELinux policy violations are permitted and
-// logged in the audit log
-//
-// SELinuxEnabled returns true if SELinux is enforcing or permissive, and
-// false if it is disabled.
-func SELinuxEnabled() bool {
- return selinux.GetEnabled()
-}
-
-// realSELinuxRunner is the real implementation of SELinuxRunner interface for
-// Linux.
-type realSELinuxRunner struct{}
-
-var _ SELinuxRunner = &realSELinuxRunner{}
-
-func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
- if !SELinuxEnabled() {
- return "", nil
- }
- return selinux.FileLabel(path)
-}
-
-// SetFileLabel applies the SELinux label on the path or returns an error.
-func SetFileLabel(path string, label string) error {
- return selinux.SetFileLabel(path, label)
-}
diff --git a/pkg/util/selinux/selinux_unsupported.go b/pkg/util/selinux/selinux_unsupported.go
deleted file mode 100644
index fb54d5a7b37..00000000000
--- a/pkg/util/selinux/selinux_unsupported.go
+++ /dev/null
@@ -1,39 +0,0 @@
-//go:build !linux
-// +build !linux
-
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package selinux
-
-// SELinuxEnabled always returns false on non-linux platforms.
-func SELinuxEnabled() bool {
- return false
-}
-
-// realSELinuxRunner is the NOP implementation of the SELinuxRunner interface.
-type realSELinuxRunner struct{}
-
-var _ SELinuxRunner = &realSELinuxRunner{}
-
-func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
- return "", nil
-}
-
-// FileLabel returns the SELinux label for this path or returns an error.
-func SetFileLabel(path string, label string) error {
- return nil
-}
diff --git a/pkg/volume/util/hostutil/hostutil_linux.go b/pkg/volume/util/hostutil/hostutil_linux.go
index 03748508ba6..60e76e0e7d5 100644
--- a/pkg/volume/util/hostutil/hostutil_linux.go
+++ b/pkg/volume/util/hostutil/hostutil_linux.go
@@ -27,9 +27,9 @@ import (
 "strings"
 "syscall"
+ "github.com/opencontainers/selinux/go-selinux"
 "golang.org/x/sys/unix"
 "k8s.io/klog/v2"
- "k8s.io/kubernetes/pkg/util/selinux"
 "k8s.io/mount-utils"
 utilpath "k8s.io/utils/path"
 )
@@ -263,7 +263,7 @@ func GetSELinux(path string, mountInfoFilename string, selinuxEnabled seLinuxEna
 // GetSELinuxSupport returns true if given path is on a mount that supports
 // SELinux.
 func (hu *HostUtil) GetSELinuxSupport(pathname string) (bool, error) {
- return GetSELinux(pathname, procMountInfoPath, selinux.SELinuxEnabled)
+ return GetSELinux(pathname, procMountInfoPath, selinux.GetEnabled)
 }
 // GetOwner returns the integer ID for the user and group of the given path