build: move e2e dependencies into e2e/go.mod

Several packages are only used while running the e2e suite. These
packages are less important to update, as the they can not influence the
final executable that is part of the Ceph-CSI container-image.

By moving these dependencies out of the main Ceph-CSI go.mod, it is
easier to identify if a reported CVE affects Ceph-CSI, or only the
testing (like most of the Kubernetes CVEs).

Signed-off-by: Niels de Vos <ndevos@ibm.com>

vendor/github.com/opencontainers/selinux/go-selinux/label/label.go

@@ -1,115 +0,0 @@
-package label
-
-import (
-	"fmt"
-
-	"github.com/opencontainers/selinux/go-selinux"
-)
-
-// Deprecated: use selinux.ROFileLabel
-var ROMountLabel = selinux.ROFileLabel
-
-// SetProcessLabel takes a process label and tells the kernel to assign the
-// label to the next program executed by the current process.
-// Deprecated: use selinux.SetExecLabel
-var SetProcessLabel = selinux.SetExecLabel
-
-// ProcessLabel returns the process label that the kernel will assign
-// to the next program executed by the current process.  If "" is returned
-// this indicates that the default labeling will happen for the process.
-// Deprecated: use selinux.ExecLabel
-var ProcessLabel = selinux.ExecLabel
-
-// SetSocketLabel takes a process label and tells the kernel to assign the
-// label to the next socket that gets created
-// Deprecated: use selinux.SetSocketLabel
-var SetSocketLabel = selinux.SetSocketLabel
-
-// SocketLabel retrieves the current default socket label setting
-// Deprecated: use selinux.SocketLabel
-var SocketLabel = selinux.SocketLabel
-
-// SetKeyLabel takes a process label and tells the kernel to assign the
-// label to the next kernel keyring that gets created
-// Deprecated: use selinux.SetKeyLabel
-var SetKeyLabel = selinux.SetKeyLabel
-
-// KeyLabel retrieves the current default kernel keyring label setting
-// Deprecated: use selinux.KeyLabel
-var KeyLabel = selinux.KeyLabel
-
-// FileLabel returns the label for specified path
-// Deprecated: use selinux.FileLabel
-var FileLabel = selinux.FileLabel
-
-// PidLabel will return the label of the process running with the specified pid
-// Deprecated: use selinux.PidLabel
-var PidLabel = selinux.PidLabel
-
-// Init initialises the labeling system
-func Init() {
-	_ = selinux.GetEnabled()
-}
-
-// ClearLabels will clear all reserved labels
-// Deprecated: use selinux.ClearLabels
-var ClearLabels = selinux.ClearLabels
-
-// ReserveLabel will record the fact that the MCS label has already been used.
-// This will prevent InitLabels from using the MCS label in a newly created
-// container
-// Deprecated: use selinux.ReserveLabel
-func ReserveLabel(label string) error {
-	selinux.ReserveLabel(label)
-	return nil
-}
-
-// ReleaseLabel will remove the reservation of the MCS label.
-// This will allow InitLabels to use the MCS label in a newly created
-// containers
-// Deprecated: use selinux.ReleaseLabel
-func ReleaseLabel(label string) error {
-	selinux.ReleaseLabel(label)
-	return nil
-}
-
-// DupSecOpt takes a process label and returns security options that
-// can be used to set duplicate labels on future container processes
-// Deprecated: use selinux.DupSecOpt
-var DupSecOpt = selinux.DupSecOpt
-
-// FormatMountLabel returns a string to be used by the mount command. Using
-// the SELinux `context` mount option. Changing labels of files on mount
-// points with this option can never be changed.
-// FormatMountLabel returns a string to be used by the mount command.
-// The format of this string will be used to alter the labeling of the mountpoint.
-// The string returned is suitable to be used as the options field of the mount command.
-// If you need to have additional mount point options, you can pass them in as
-// the first parameter.  Second parameter is the label that you wish to apply
-// to all content in the mount point.
-func FormatMountLabel(src, mountLabel string) string {
-	return FormatMountLabelByType(src, mountLabel, "context")
-}
-
-// FormatMountLabelByType returns a string to be used by the mount command.
-// Allow caller to specify the mount options. For example using the SELinux
-// `fscontext` mount option would allow certain container processes to change
-// labels of files created on the mount points, where as `context` option does
-// not.
-// FormatMountLabelByType returns a string to be used by the mount command.
-// The format of this string will be used to alter the labeling of the mountpoint.
-// The string returned is suitable to be used as the options field of the mount command.
-// If you need to have additional mount point options, you can pass them in as
-// the first parameter.  Second parameter is the label that you wish to apply
-// to all content in the mount point.
-func FormatMountLabelByType(src, mountLabel, contextType string) string {
-	if mountLabel != "" {
-		switch src {
-		case "":
-			src = fmt.Sprintf("%s=%q", contextType, mountLabel)
-		default:
-			src = fmt.Sprintf("%s,%s=%q", src, contextType, mountLabel)
-		}
-	}
-	return src
-}

vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go

@@ -1,147 +0,0 @@
-package label
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/opencontainers/selinux/go-selinux"
-)
-
-// Valid Label Options
-var validOptions = map[string]bool{
-	"disable":  true,
-	"type":     true,
-	"filetype": true,
-	"user":     true,
-	"role":     true,
-	"level":    true,
-}
-
-var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be used together")
-
-// InitLabels returns the process label and file labels to be used within
-// the container.  A list of options can be passed into this function to alter
-// the labels.  The labels returned will include a random MCS String, that is
-// guaranteed to be unique.
-// If the disabled flag is passed in, the process label will not be set, but the mount label will be set
-// to the container_file label with the maximum category. This label is not usable by any confined label.
-func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
-	if !selinux.GetEnabled() {
-		return "", "", nil
-	}
-	processLabel, mountLabel := selinux.ContainerLabels()
-	if processLabel != "" {
-		defer func() {
-			if retErr != nil {
-				selinux.ReleaseLabel(mountLabel)
-			}
-		}()
-		pcon, err := selinux.NewContext(processLabel)
-		if err != nil {
-			return "", "", err
-		}
-		mcsLevel := pcon["level"]
-		mcon, err := selinux.NewContext(mountLabel)
-		if err != nil {
-			return "", "", err
-		}
-		for _, opt := range options {
-			if opt == "disable" {
-				selinux.ReleaseLabel(mountLabel)
-				return "", selinux.PrivContainerMountLabel(), nil
-			}
-			if i := strings.Index(opt, ":"); i == -1 {
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
-			}
-			con := strings.SplitN(opt, ":", 2)
-			if !validOptions[con[0]] {
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
-			}
-			if con[0] == "filetype" {
-				mcon["type"] = con[1]
-				continue
-			}
-			pcon[con[0]] = con[1]
-			if con[0] == "level" || con[0] == "user" {
-				mcon[con[0]] = con[1]
-			}
-		}
-		if pcon.Get() != processLabel {
-			if pcon["level"] != mcsLevel {
-				selinux.ReleaseLabel(processLabel)
-			}
-			processLabel = pcon.Get()
-			selinux.ReserveLabel(processLabel)
-		}
-		mountLabel = mcon.Get()
-	}
-	return processLabel, mountLabel, nil
-}
-
-// Deprecated: The GenLabels function is only to be used during the transition
-// to the official API. Use InitLabels(strings.Fields(options)) instead.
-func GenLabels(options string) (string, string, error) {
-	return InitLabels(strings.Fields(options))
-}
-
-// SetFileLabel modifies the "path" label to the specified file label
-func SetFileLabel(path string, fileLabel string) error {
-	if !selinux.GetEnabled() || fileLabel == "" {
-		return nil
-	}
-	return selinux.SetFileLabel(path, fileLabel)
-}
-
-// SetFileCreateLabel tells the kernel the label for all files to be created
-func SetFileCreateLabel(fileLabel string) error {
-	if !selinux.GetEnabled() {
-		return nil
-	}
-	return selinux.SetFSCreateLabel(fileLabel)
-}
-
-// Relabel changes the label of path and all the entries beneath the path.
-// It changes the MCS label to s0 if shared is true.
-// This will allow all containers to share the content.
-//
-// The path itself is guaranteed to be relabeled last.
-func Relabel(path string, fileLabel string, shared bool) error {
-	if !selinux.GetEnabled() || fileLabel == "" {
-		return nil
-	}
-
-	if shared {
-		c, err := selinux.NewContext(fileLabel)
-		if err != nil {
-			return err
-		}
-
-		c["level"] = "s0"
-		fileLabel = c.Get()
-	}
-	return selinux.Chcon(path, fileLabel, true)
-}
-
-// DisableSecOpt returns a security opt that can disable labeling
-// support for future container processes
-// Deprecated: use selinux.DisableSecOpt
-var DisableSecOpt = selinux.DisableSecOpt
-
-// Validate checks that the label does not include unexpected options
-func Validate(label string) error {
-	if strings.Contains(label, "z") && strings.Contains(label, "Z") {
-		return ErrIncompatibleLabel
-	}
-	return nil
-}
-
-// RelabelNeeded checks whether the user requested a relabel
-func RelabelNeeded(label string) bool {
-	return strings.Contains(label, "z") || strings.Contains(label, "Z")
-}
-
-// IsShared checks that the label includes a "shared" mark
-func IsShared(label string) bool {
-	return strings.Contains(label, "z")
-}

vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go

@@ -1,50 +0,0 @@
-//go:build !linux
-// +build !linux
-
-package label
-
-// InitLabels returns the process label and file labels to be used within
-// the container.  A list of options can be passed into this function to alter
-// the labels.
-func InitLabels([]string) (string, string, error) {
-	return "", "", nil
-}
-
-// Deprecated: The GenLabels function is only to be used during the transition
-// to the official API. Use InitLabels(strings.Fields(options)) instead.
-func GenLabels(string) (string, string, error) {
-	return "", "", nil
-}
-
-func SetFileLabel(string, string) error {
-	return nil
-}
-
-func SetFileCreateLabel(string) error {
-	return nil
-}
-
-func Relabel(string, string, bool) error {
-	return nil
-}
-
-// DisableSecOpt returns a security opt that can disable labeling
-// support for future container processes
-func DisableSecOpt() []string {
-	return nil
-}
-
-// Validate checks that the label does not include unexpected options
-func Validate(string) error {
-	return nil
-}
-
-// RelabelNeeded checks whether the user requested a relabel
-func RelabelNeeded(string) bool {
-	return false
-}
-
-// IsShared checks that the label includes a "shared" mark
-func IsShared(string) bool {
-	return false
-}