Mask over the /sys/fs/selinux in mask branch
This is required so that the mount point shows up when buildah
is vendored into Podman.

Signed-off-by: Daniel J Walsh <[email protected]>
Signed-off-by: TomSweeneyRedHat <[email protected]>
rhatdan authored and TomSweeneyRedHat committed Jul 29, 2020
1 parent 4c52b9e commit cd67d69
Showing 7 changed files with 5 additions and 16 deletions.
2 changes: 1 addition & 1 deletion .cirrus.yml
Expand Up @@ -6,7 +6,7 @@ env:
#### Global variables used for all tasks
####
# Name of the ultimate destination branch for this CI run, PR or post-merge.
DEST_BRANCH: "master"
DEST_BRANCH: "release-1.15"
GOPATH: "/var/tmp/go"
GOSRC: "${GOPATH}/src/github.com/containers/buildah"
# Overrides default location (/tmp/cirrus) for repo clone
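--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,9 +12,7 @@
 vendor golang.org/x/[email protected]
 Cirrus: Fix missing htpasswd in registry img
 Switch scripts to use containers.conf
-Merge pull request #2471 from vrothberg/1.15-update-x/text
 Make imagebuildah.BuildOptions.Architecture/OS optional
-Merge pull request #2483 from nalind/release-1.15-arch
 
 ## v1.15.0 (2020-06-17)
 Bump github.com/containers/common from 0.12.0 to 0.13.1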
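--- a/changelog.txt
+++ b/changelog.txt
@@ -8,9 +8,7 @@
 * vendor golang.org/x/[email protected]
 * Cirrus: Fix missing htpasswd in registry img
 * Switch scripts to use containers.conf
-* Merge pull request #2471 from vrothberg/1.15-update-x/text
 * Make imagebuildah.BuildOptions.Architecture/OS optional
-* Merge pull request #2483 from nalind/release-1.15-arch
 
 - Changelog for v1.15.0 (2020-06-17)
 * Bump github.com/containers/common from 0.12.0 to 0.13.1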
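--- a/chroot/run.go
+++ b/chroot/run.go
@@ -1106,10 +1106,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 }
 logrus.Debugf("bind mounted %q to %q", "/sys", filepath.Join(spec.Root.Path, "/sys"))
 
-// Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
-// attempting to interact with labeling, when they aren't allowed to do so.
-spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
-
 // Bind mount in everything we've been asked to mount.
 for _, m := range spec.Mounts {
 // Skip anything that we just mounted.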
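--- a/contrib/rpm/buildah.spec
+++ b/contrib/rpm/buildah.spec
@@ -109,9 +109,7 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 - vendor golang.org/x/[email protected]
 - Cirrus: Fix missing htpasswd in registry img
 - Switch scripts to use containers.conf
-- Merge pull request #2471 from vrothberg/1.15-update-x/text
 - Make imagebuildah.BuildOptions.Architecture/OS optional
-- Merge pull request #2483 from nalind/release-1.15-arch
 
 * Wed Jun 17, 2020 Tom Sweeney <[email protected]> 1.15.0-1
 - Bump github.com/containers/common from 0.12.0 to 0.13.1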
6 changes: 2 additions & 4 deletions run_linux.go
Expand Up @@ -1779,6 +1779,7 @@ func setupMaskedPaths(g *generate.Generator) {
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
"/sys/fs/selinux",
} {
g.AddLinuxMaskedPaths(mp)
}
Expand Down Expand Up @@ -2023,13 +2024,10 @@ func setupRootlessSpecChanges(spec *specs.Spec, bundleDir string, shmSize string
Options: []string{bind.NoBindOption, "rbind", "private", "nodev", "noexec", "nosuid", "ro"},
},
}
// Cover up /sys/fs/cgroup and /sys/fs/selinux, if they exist in our source for /sys.
// Cover up /sys/fs/cgroup, if it exist in our source for /sys.
if _, err := os.Stat("/sys/fs/cgroup"); err == nil {
spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/cgroup")
}
if _, err := os.Stat("/sys/fs/selinux"); err == nil {
spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
}
// Keep anything that isn't under /dev, /proc, or /sys.
for i := range spec.Mounts {
if spec.Mounts[i].Destination == "/dev" || strings.HasPrefix(spec.Mounts[i].Destination, "/dev/") ||
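Review bot: The `"/sys/fs/selinux"` entry added to the list in setupMaskedPaths is now the only place this mask is applied, and it is applied unconditionally: setupRootlessSpecChanges loses its `os.Stat("/sys/fs/selinux")` guard, and the chroot/run.go section of this commit drops the append in setupChrootBindMounts. Whether every spec that reaches the chroot and rootless code has already passed through setupMaskedPaths is not visible in these hunks, so a test asserting that the path is masked under each isolation type would catch a regression that lets build processes interact with SELinux labeling. It is also worth confirming that each consumer of MaskedPaths tolerates a path that does not exist on hosts without SELinux, since the removed code skipped it in that case. The new comment has a typo; I would write `// Cover up /sys/fs/cgroup, if it exists in our source for /sys.`. Both function bodies start and end outside the hunks.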
3 changes: 2 additions & 1 deletion tests/validate/git-validation.sh
Expand Up @@ -13,7 +13,8 @@ fi

if [[ "$TRAVIS" != 'true' ]]; then
#GITVALIDATE_EPOCH=":/git-validation epoch"
GITVALIDATE_EPOCH="c5546750573cdef524be7159fe837f23274e9718"
# Set to the branch's origin point
GITVALIDATE_EPOCH="3b1d6ebe12445dfe84cb5932634440a20b10fc03"
fi

OUTPUT_OPTIONS="-q"