| 49 | } |
| 50 | |
| 51 | func (l *linuxStandardInit) Init() error { |
| 52 | if !l.config.Config.NoNewKeyring { |
| 53 | if l.config.ProcessLabel != "" { |
| 54 | if err := selinux.SetKeyLabel(l.config.ProcessLabel); err != nil { |
| 55 | return err |
| 56 | } |
| 57 | defer selinux.SetKeyLabel("") //nolint: errcheck |
| 58 | } |
| 59 | ringname, keepperms, newperms := l.getSessionRingParams() |
| 60 | |
| 61 | // Do not inherit the parent's session keyring. |
| 62 | if sessKeyId, err := keys.JoinSessionKeyring(ringname); err != nil { |
| 63 | logrus.Warnf("KeyctlJoinSessionKeyring: %v", err) |
| 64 | // If keyrings aren't supported then it is likely we are on an |
| 65 | // older kernel (or inside an LXC container). While we could bail, |
| 66 | // the security feature we are using here is best-effort (it only |
| 67 | // really provides marginal protection since VFS credentials are |
| 68 | // the only significant protection of keyrings). |
| 69 | if !errors.Is(err, unix.ENOSYS) { |
| 70 | return fmt.Errorf("unable to join session keyring: %w", err) |
| 71 | } |
| 72 | } else { |
| 73 | // Make session keyring searchable. If we've gotten this far we |
| 74 | // bail on any error -- we don't want to have a keyring with bad |
| 75 | // permissions. |
| 76 | if err := keys.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil { |
| 77 | return fmt.Errorf("unable to mod keyring permissions: %w", err) |
| 78 | } |
| 79 | } |
| 80 | } |
| 81 | |
| 82 | if err := setupNetwork(l.config); err != nil { |
| 83 | return err |
| 84 | } |
| 85 | if err := setupRoute(l.config.Config); err != nil { |
| 86 | return err |
| 87 | } |
| 88 | |
| 89 | // initialises the labeling system |
| 90 | selinux.GetEnabled() |
| 91 | |
| 92 | err := prepareRootfs(l.pipe, l.config) |
| 93 | if err != nil { |
| 94 | return err |
| 95 | } |
| 96 | |
| 97 | // Set up the console. This has to be done *before* we finalize the rootfs, |
| 98 | // but *after* we've given the user the chance to set up all of the mounts |
| 99 | // they wanted. |
| 100 | if l.config.CreateConsole { |
| 101 | if err := setupConsole(l.consoleSocket, l.config, true); err != nil { |
| 102 | return err |
| 103 | } |
| 104 | if err := system.Setctty(); err != nil { |
| 105 | return &os.SyscallError{Syscall: "ioctl(setctty)", Err: err} |
| 106 | } |
| 107 | } |
| 108 |