-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reserve one Category for the privileged containers to use #143
Conversation
7e3c75b
to
396422d
Compare
go-selinux/selinux.go
Outdated
@@ -12,8 +12,9 @@ const ( | |||
// Disabled constant to indicate SELinux is disabled | |||
Disabled = -1 | |||
|
|||
MAX_CATEGORY = 1024 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be MaxCategory
or maxCategory
Is this intended to be used externally? or only to initialize DefaultCategoryRange
? If the latter, could you un-export the const (maxCategory
)?
If this is meant for external use, and must be exported, could you add a GoDoc comment to this (linters may fail on this otherwise)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yikes, quite the brain fart.
Fixed.
@@ -47,7 +47,8 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) { | |||
} | |||
for _, opt := range options { | |||
if opt == "disable" { | |||
return "", mountLabel, nil | |||
selinux.ReleaseLabel(mountLabel) | |||
return "", selinux.PrivContainerMountLabel(), nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This always returns PrivContaienrMountLabel
, irregardless if the container is privileged or not?
Does this need an updated description of InitLabels()
(and are consumers of this function required to make changes?); current description is:
// InitLabels returns the process label and file labels to be used within
// the container. A list of options can be passed into this function to alter
// the labels. The labels returned will include a random MCS String, that is
// guaranteed to be unique.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the selinux is disabled, then by definition it is Privileged from an SELinux point of view. The goal is to always apply a label to the content, so that confined containers can not write to it. Currently if we return "". The label might be read/writable by other containers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thaJeztah Updated the docs.
@kolyshkin ptal |
@thaJeztah @kolyshkin Can we get a final review on this, I want to merge so we can prepare a new release of the container tools. |
@vrothberg @giuseppe PTAL |
go-selinux/label/label_linux_test.go
Outdated
t.Log("InitLabels Disabled mlabel Failed", mlabel) | ||
t.FailNow() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can be t.Fatalf("InitLabels Disabled mlabel Failed", mlabel)
(same for other cases), but that is not important.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
go-selinux/label/label_stub_test.go
Outdated
t.Log("InitLabels Disabled mlabel Failed") | ||
t.FailNow() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
go-selinux/selinux.go
Outdated
@@ -11,9 +11,10 @@ const ( | |||
Permissive = 0 | |||
// Disabled constant to indicate SELinux is disabled | |||
Disabled = -1 | |||
|
|||
// maxCategoriy is the maximum number of categories used within containers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: s/maxCategoriy/maxCategory/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
go-selinux/selinux.go
Outdated
@@ -276,3 +277,8 @@ func DisableSecOpt() []string { | |||
func GetDefaultContextWithLevel(user, level, scon string) (string, error) { | |||
return getDefaultContextWithLevel(user, level, scon) | |||
} | |||
|
|||
// PrivContainerMountLabel returns mount labels for privileged containers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo? s/labels/label/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
go-selinux/selinux_stub.go
Outdated
@@ -2,6 +2,8 @@ | |||
|
|||
package selinux | |||
|
|||
var privContainerMountLabel string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can be
const privContainerMountLabel = ""
but doesn't matter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
9fb9a89
to
e6cbcaf
Compare
Currently each privileged container is reserving a different category to make sure that other containers can not see their content. This wastes container categories. This PR will reserve one category for all privileged containers (s0:c1023,c1024), and free all of the other categories for confined containers. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Currently each privileged container is reserving a different category
to make sure that other containers can not see their content. This
wastes container categories. This PR will reserve one category for
all privileged containers (s0:c1023,c1024), and free all of the
other categories for confined containers.
Signed-off-by: Daniel J Walsh dwalsh@redhat.com