Fix transition test to work with latest selinux policy
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
parent
159bf35270
commit
135b5a8f03
|
@ -27,12 +27,12 @@ env:
|
|||
####
|
||||
# GCE project where images live
|
||||
IMAGE_PROJECT: "libpod-218412"
|
||||
FEDORA_NAME: "fedora-37"
|
||||
PRIOR_FEDORA_NAME: "fedora-36"
|
||||
DEBIAN_NAME: "debian-12"
|
||||
FEDORA_NAME: "fedora-38"
|
||||
PRIOR_FEDORA_NAME: "fedora-37"
|
||||
DEBIAN_NAME: "debian-13"
|
||||
|
||||
# Image identifiers
|
||||
IMAGE_SUFFIX: "c20230405t152256z-f37f36d12"
|
||||
IMAGE_SUFFIX: "c20230614t132754z-f38f37d13"
|
||||
FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
|
||||
PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
|
||||
DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
|
||||
|
|
2
go.mod
2
go.mod
|
@ -9,7 +9,7 @@ require (
|
|||
github.com/containers/common v0.54.0
|
||||
github.com/containers/image/v5 v5.26.0
|
||||
github.com/containers/ocicrypt v1.1.7
|
||||
github.com/containers/storage v1.47.0
|
||||
github.com/containers/storage v1.48.0
|
||||
github.com/cyphar/filepath-securejoin v0.2.3
|
||||
github.com/docker/distribution v2.8.2+incompatible
|
||||
github.com/docker/docker v24.0.2+incompatible
|
||||
|
|
4
go.sum
4
go.sum
|
@ -59,8 +59,8 @@ github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYgle
|
|||
github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
|
||||
github.com/containers/ocicrypt v1.1.7 h1:thhNr4fu2ltyGz8aMx8u48Ae0Pnbip3ePP9/mzkZ/3U=
|
||||
github.com/containers/ocicrypt v1.1.7/go.mod h1:7CAhjcj2H8AYp5YvEie7oVSK2AhBY8NscCYRawuDNtw=
|
||||
github.com/containers/storage v1.47.0 h1:Tl/onL8yE/4QABc2kfPDaTSYijk3QrmXGrO21KXkj58=
|
||||
github.com/containers/storage v1.47.0/go.mod h1:pRp3lkRo2qodb/ltpnudoXggrviRmaCmU5a5GhTBae0=
|
||||
github.com/containers/storage v1.48.0 h1:wiPs8J2xiFoOEAhxHDRtP6A90Jzj57VqzLRXOqeizns=
|
||||
github.com/containers/storage v1.48.0/go.mod h1:pRp3lkRo2qodb/ltpnudoXggrviRmaCmU5a5GhTBae0=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
|
||||
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
|
||||
github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
|
||||
|
|
|
@ -9,6 +9,7 @@ import (
|
|||
"flag"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/fs"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"reflect"
|
||||
|
@ -782,7 +783,7 @@ func fsHeaderForEntry(hdr *tar.Header) FSHeader {
|
|||
Name: hdr.Name,
|
||||
Linkname: hdr.Linkname,
|
||||
Size: hdr.Size,
|
||||
Mode: hdr.Mode,
|
||||
Mode: (hdr.Mode & int64(fs.ModePerm)),
|
||||
UID: hdr.Uid,
|
||||
GID: hdr.Gid,
|
||||
ModTime: hdr.ModTime,
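Review bot: Masking with `fs.ModePerm` (0o777) in fsHeaderForEntry drops the setuid, setgid and sticky bits along with the file-type bits, so any comparison built on this struct can no longer notice when those special bits differ between two archives. If the intent is only to ignore the type bits that the updated storage code (presumably) no longer fills in, a mask that keeps the special permission bits would do: `Mode: hdr.Mode & 0o7777,`, which also makes the new `io/fs` import unnecessary. A short comment such as `// compare permission and setuid/setgid/sticky bits only; file-type bits depend on the tar writer` would record why the mask is there. The function starts and ends outside the hunk, so how Mode is consumed is inferred from the struct and function names.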
|
||||
|
|
|
@ -46,10 +46,11 @@ load helpers
|
|||
cid=$output
|
||||
run_buildah run $cid sh -c 'tr \\0 \\n < /proc/self/attr/current'
|
||||
context=$output
|
||||
|
||||
run id -Z
|
||||
crole=$(secon -r $output)
|
||||
# Role and Type should always be constant. (We don't check user)
|
||||
role=$(awk -F: '{print $2}' <<<$context)
|
||||
expect_output --from="$role" "system_r" "SELinux role"
|
||||
expect_output --from="$role" "${crole}" "SELinux role"
|
||||
|
||||
type=$(awk -F: '{print $3}' <<<$context)
|
||||
expect_output --from="$type" "spc_t" "SELinux type"
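Review bot: The role assertion now compares the container's role with a value derived from the caller's own context (`run id -Z`, then `secon -r`), but the comment above it still says role and type are constant, and nothing checks that either command succeeded. If `id -Z` fails or `secon` is not installed, `crole` ends up empty and the failure is reported as a role mismatch instead of a setup problem. I would assert `[ "$status" -eq 0 ]` right after `run id -Z`, quote the argument as `crole=$(secon -r "$output")`, and reword the comment to `# Role must match the caller's role; Type should always be constant. (We don't check user)`. The test body starts and ends outside the hunk.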
|
||||
|
|
|
@ -1 +1 @@
|
|||
1.47.0
|
||||
1.48.0
|
||||
|
|
|
@ -131,16 +131,6 @@ const (
|
|||
OverlayWhiteoutFormat
|
||||
)
|
||||
|
||||
const (
|
||||
modeISDIR = 0o40000 // Directory
|
||||
modeISFIFO = 0o10000 // FIFO
|
||||
modeISREG = 0o100000 // Regular file
|
||||
modeISLNK = 0o120000 // Symbolic link
|
||||
modeISBLK = 0o60000 // Block special file
|
||||
modeISCHR = 0o20000 // Character special file
|
||||
modeISSOCK = 0o140000 // Socket
|
||||
)
|
||||
|
||||
// IsArchivePath checks if the (possibly compressed) file at the given path
|
||||
// starts with a tar file header.
|
||||
func IsArchivePath(path string) bool {
|
||||
|
@ -358,7 +348,7 @@ func FileInfoHeader(name string, fi os.FileInfo, link string) (*tar.Header, erro
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
hdr.Mode = fillGo18FileTypeBits(int64(chmodTarEntry(os.FileMode(hdr.Mode))), fi)
|
||||
hdr.Mode = int64(chmodTarEntry(os.FileMode(hdr.Mode)))
|
||||
name, err = canonicalTarName(name, fi.IsDir())
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("tar: cannot canonicalize path: %w", err)
|
||||
|
@ -370,31 +360,6 @@ func FileInfoHeader(name string, fi os.FileInfo, link string) (*tar.Header, erro
|
|||
return hdr, nil
|
||||
}
|
||||
|
||||
// fillGo18FileTypeBits fills type bits which have been removed on Go 1.9 archive/tar
|
||||
// https://github.com/golang/go/commit/66b5a2f
|
||||
func fillGo18FileTypeBits(mode int64, fi os.FileInfo) int64 {
|
||||
fm := fi.Mode()
|
||||
switch {
|
||||
case fm.IsRegular():
|
||||
mode |= modeISREG
|
||||
case fi.IsDir():
|
||||
mode |= modeISDIR
|
||||
case fm&os.ModeSymlink != 0:
|
||||
mode |= modeISLNK
|
||||
case fm&os.ModeDevice != 0:
|
||||
if fm&os.ModeCharDevice != 0 {
|
||||
mode |= modeISCHR
|
||||
} else {
|
||||
mode |= modeISBLK
|
||||
}
|
||||
case fm&os.ModeNamedPipe != 0:
|
||||
mode |= modeISFIFO
|
||||
case fm&os.ModeSocket != 0:
|
||||
mode |= modeISSOCK
|
||||
}
|
||||
return mode
|
||||
}
|
||||
|
||||
// ReadSecurityXattrToTarHeader reads security.capability, security,image
|
||||
// xattrs from filesystem to a tar header
|
||||
func ReadSecurityXattrToTarHeader(path string, hdr *tar.Header) error {
|
||||
|
|
|
@ -10,7 +10,9 @@ import (
|
|||
// used as global variables. Using this structure helps speed the startup time
|
||||
// of apps that want to use global regex variables. This library initializes them on
|
||||
// first use as opposed to the start of the executable.
|
||||
type Regexp = *regexpStruct
|
||||
type Regexp struct {
|
||||
*regexpStruct
|
||||
}
|
||||
|
||||
type regexpStruct struct {
|
||||
_ noCopy
|
||||
|
@ -26,7 +28,7 @@ func Delayed(val string) Regexp {
|
|||
if precompile {
|
||||
re.regexp = regexp.MustCompile(re.val)
|
||||
}
|
||||
return re
|
||||
return Regexp{re}
|
||||
}
|
||||
|
||||
func (re *regexpStruct) compile() {
|
||||
|
|
|
@ -59,7 +59,7 @@ func (c *Cmd) Start() error {
|
|||
if err != nil {
|
||||
pidRead.Close()
|
||||
pidWrite.Close()
|
||||
return fmt.Errorf("creating pid pipe: %w", err)
|
||||
return fmt.Errorf("creating continue read/write pipe: %w", err)
|
||||
}
|
||||
c.Env = append(c.Env, fmt.Sprintf("_Containers-continue-pipe=%d", len(c.ExtraFiles)+3))
|
||||
c.ExtraFiles = append(c.ExtraFiles, continueRead)
|
||||
|
|
|
@ -129,7 +129,7 @@ func (c *Cmd) Start() error {
|
|||
if err != nil {
|
||||
pidRead.Close()
|
||||
pidWrite.Close()
|
||||
return fmt.Errorf("creating pid pipe: %w", err)
|
||||
return fmt.Errorf("creating continue read/write pipe: %w", err)
|
||||
}
|
||||
c.Env = append(c.Env, fmt.Sprintf("_Containers-continue-pipe=%d", len(c.ExtraFiles)+3))
|
||||
c.ExtraFiles = append(c.ExtraFiles, continueRead)
|
||||
|
|
|
@ -222,7 +222,7 @@ github.com/containers/ocicrypt/keywrap/pkcs7
|
|||
github.com/containers/ocicrypt/spec
|
||||
github.com/containers/ocicrypt/utils
|
||||
github.com/containers/ocicrypt/utils/keyprovider
|
||||
# github.com/containers/storage v1.47.0
|
||||
# github.com/containers/storage v1.48.0
|
||||
## explicit; go 1.19
|
||||
github.com/containers/storage
|
||||
github.com/containers/storage/drivers
|
||||
|
|