Reserve one Category for the privileged containers to use #143
Conversation
rhatdan
force-pushed
the
version
branch
3 times, most recently
from
7e3c75b
to
396422d
Compare
go-selinux/selinux.go
Outdated
| @@ -12,8 +12,9 @@ const ( | |||
| // Disabled constant to indicate SELinux is disabled | |||
| Disabled = -1 | |||
|
|
|||
| MAX_CATEGORY = 1024 | |||
There was a problem hiding this comment.
This should be MaxCategory or maxCategory
Is this intended to be used externally? or only to initialize DefaultCategoryRange ? If the latter, could you un-export the const (maxCategory)?
If this is meant for external use, and must be exported, could you add a GoDoc comment to this (linters may fail on this otherwise)
There was a problem hiding this comment.
Yikes, quite the brain fart.
Fixed.
| @@ -47,7 +47,8 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) { | |||
| } | |||
| for _, opt := range options { | |||
| if opt == "disable" { | |||
| return "", mountLabel, nil | |||
| selinux.ReleaseLabel(mountLabel) | |||
| return "", selinux.PrivContainerMountLabel(), nil | |||
There was a problem hiding this comment.
This always returns PrivContaienrMountLabel, irregardless if the container is privileged or not?
Does this need an updated description of InitLabels() (and are consumers of this function required to make changes?); current description is:
// InitLabels returns the process label and file labels to be used within
// the container. A list of options can be passed into this function to alter
// the labels. The labels returned will include a random MCS String, that is
// guaranteed to be unique.
There was a problem hiding this comment.
If the selinux is disabled, then by definition it is Privileged from an SELinux point of view. The goal is to always apply a label to the content, so that confined containers can not write to it. Currently if we return "". The label might be read/writable by other containers.
There was a problem hiding this comment.
@thaJeztah Updated the docs.
|
@kolyshkin ptal |
|
@thaJeztah @kolyshkin Can we get a final review on this, I want to merge so we can prepare a new release of the container tools. |
|
@vrothberg @giuseppe PTAL |
go-selinux/label/label_linux_test.go
Outdated
| t.Log("InitLabels Disabled mlabel Failed", mlabel) | ||
| t.FailNow() |
There was a problem hiding this comment.
Can be t.Fatalf("InitLabels Disabled mlabel Failed", mlabel) (same for other cases), but that is not important.
go-selinux/label/label_stub_test.go
Outdated
| t.Log("InitLabels Disabled mlabel Failed") | ||
| t.FailNow() |
go-selinux/selinux.go
Outdated
| @@ -11,9 +11,10 @@ const ( | |||
| Permissive = 0 | |||
| // Disabled constant to indicate SELinux is disabled | |||
| Disabled = -1 | |||
|
|
|||
| // maxCategoriy is the maximum number of categories used within containers | |||
There was a problem hiding this comment.
typo: s/maxCategoriy/maxCategory/
go-selinux/selinux.go
Outdated
| @@ -276,3 +277,8 @@ func DisableSecOpt() []string { | |||
| func GetDefaultContextWithLevel(user, level, scon string) (string, error) { | |||
| return getDefaultContextWithLevel(user, level, scon) | |||
| } | |||
|
|
|||
| // PrivContainerMountLabel returns mount labels for privileged containers | |||
go-selinux/selinux_stub.go
Outdated
| @@ -2,6 +2,8 @@ | |||
|
|
|||
| package selinux | |||
|
|
|||
| var privContainerMountLabel string | |||
There was a problem hiding this comment.
can be
const privContainerMountLabel = ""but doesn't matter.
rhatdan
force-pushed
the
version
branch
2 times, most recently
from
9fb9a89
to
e6cbcaf
Compare
Currently each privileged container is reserving a different category to make sure that other containers can not see their content. This wastes container categories. This PR will reserve one category for all privileged containers (s0:c1023,c1024), and free all of the other categories for confined containers. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
rhatdan
changed the title
Currently each privileged container is reserving a different category
to make sure that other containers can not see their content. This
wastes container categories. This PR will reserve one category for
all privileged containers (s0:c1023,c1024), and free all of the
other categories for confined containers.
Signed-off-by: Daniel J Walsh dwalsh@redhat.com