Reserver one Category for the privileged containers to use

rhatdan · rhatdan · commit 45683dc92157 · 2021-05-07T06:33:08.000-04:00
Currently each privileged container is reserving a different category
to make sure that other containers can not see their content. This
wastes container categories.  This PR will reserve one category for
all privileged containers (s0:c1023,c1024), and free all of the
other categories for confined containers.

Signed-off-by: Daniel J Walsh &lt;dwalsh@redhat.com&gt;
diff --git a/go-selinux/label/label_linux.go b/go-selinux/label/label_linux.go
@@ -25,6 +25,8 @@ var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be use
 // the container.  A list of options can be passed into this function to alter
 // the labels.  The labels returned will include a random MCS String, that is
 // guaranteed to be unique.
+// If the disabled flag is passed in, the process label will not be set, but the mount label will be set
+// to the container_file label with the maximum category. This label is not usable by any confined label.
 func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 	if !selinux.GetEnabled() {
 		return "", "", nil
@@ -47,7 +49,8 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 		}
 		for _, opt := range options {
 			if opt == "disable" {
-				return "", mountLabel, nil
+				selinux.ReleaseLabel(mountLabel)
+				return "", selinux.PrivContainerMountLabel(), nil
 			}
 			if i := strings.Index(opt, ":"); i == -1 {
 				return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
diff --git a/go-selinux/label/label_linux_test.go b/go-selinux/label/label_linux_test.go
@@ -29,15 +29,19 @@ func TestInit(t *testing.T) {
 	if roMountLabel == "" {
 		t.Fatal("ROMountLabel: empty")
 	}
-	plabel, _, err := InitLabels(testDisabled)
+	plabel, mlabel, err := InitLabels(testDisabled)
 	if err != nil {
 		t.Fatalf("InitLabels(disabled) failed: %v", err)
 	}
 	if plabel != "" {
 		t.Fatalf("InitLabels(disabled): %q not empty", plabel)
 	}
+	if mlabel != "system_u:object_r:container_file_t:s0:c1022,c1023" {
+		t.Fatalf("InitLabels Disabled mlabel Failed, %s", mlabel)
+	}
+
 	testUser := []string{"user:user_u", "role:user_r", "type:user_t", "level:s0:c1,c15"}
-	plabel, mlabel, err := InitLabels(testUser)
+	plabel, mlabel, err = InitLabels(testUser)
 	if err != nil {
 		t.Fatalf("InitLabels(user) failed: %v", err)
 	}
@@ -172,7 +176,7 @@ func TestSELinuxNoLevel(t *testing.T) {
 		t.Fatal(err)
 	}
 	if con.Get() != tlabel {
-		t.Errorf("NewContaxt and con.Get() failed on non mls label: expexcted %q, got %q", tlabel, con.Get())
+		t.Errorf("NewContaxt and con.Get() failed on non mls label: expected %q, got %q", tlabel, con.Get())
 	}
 }
 
diff --git a/go-selinux/label/label_stub_test.go b/go-selinux/label/label_stub_test.go
@@ -22,14 +22,16 @@ func TestInit(t *testing.T) {
 	if roMountLabel != "" {
 		t.Errorf("ROMountLabel Failed")
 	}
-	plabel, _, err := InitLabels(testDisabled)
+	plabel, mlabel, err := InitLabels(testDisabled)
 	if err != nil {
 		t.Log("InitLabels Disabled Failed")
 		t.Fatal(err)
 	}
 	if plabel != "" {
-		t.Log("InitLabels Disabled Failed")
-		t.FailNow()
+		t.Fatal("InitLabels Disabled Failed")
+	}
+	if mlabel != "" {
+		t.Fatal("InitLabels Disabled mlabel Failed")
 	}
 	testUser := []string{"user:user_u", "role:user_r", "type:user_t", "level:s0:c1,c15"}
 	_, _, err = InitLabels(testUser)
diff --git a/go-selinux/selinux.go b/go-selinux/selinux.go
@@ -11,9 +11,10 @@ const (
 	Permissive = 0
 	// Disabled constant to indicate SELinux is disabled
 	Disabled = -1
-
+	// maxCategory is the maximum number of categories used within containers
+	maxCategory = 1024
 	// DefaultCategoryRange is the upper bound on the category range
-	DefaultCategoryRange = uint32(1024)
+	DefaultCategoryRange = uint32(maxCategory)
 )
 
 var (
@@ -276,3 +277,8 @@ func DisableSecOpt() []string {
 func GetDefaultContextWithLevel(user, level, scon string) (string, error) {
 	return getDefaultContextWithLevel(user, level, scon)
 }
+
+// PrivContainerMountLabel returns mount label for privileged containers
+func PrivContainerMountLabel() string {
+	return privContainerMountLabel
+}
diff --git a/go-selinux/selinux_linux.go b/go-selinux/selinux_linux.go
@@ -892,13 +892,13 @@ func openContextFile() (*os.File, error) {
 	return os.Open(lxcPath)
 }
 
-var labels = loadLabels()
+var labels, privContainerMountLabel = loadLabels()
 
-func loadLabels() map[string]string {
+func loadLabels() (map[string]string, string) {
 	labels := make(map[string]string)
 	in, err := openContextFile()
 	if err != nil {
-		return labels
+		return labels, ""
 	}
 	defer in.Close()
 
@@ -920,7 +920,10 @@ func loadLabels() map[string]string {
 		}
 	}
 
-	return labels
+	con, _ := NewContext(labels["file"])
+	con["level"] = fmt.Sprintf("s0:c%d,c%d", maxCategory-2, maxCategory-1)
+	reserveLabel(con.get())
+	return labels, con.get()
 }
 
 // kvmContainerLabels returns the default processLabel and mountLabel to be used
diff --git a/go-selinux/selinux_stub.go b/go-selinux/selinux_stub.go
@@ -2,6 +2,8 @@
 
 package selinux
 
+const privContainerMountLabel = ""
+
 func setDisabled() {
 }
 

Original file line number	Diff line number	Diff line change
`@@ -29,15 +29,19 @@ func TestInit(t *testing.T) {`
`29`	`29`	`if roMountLabel == "" {`
`30`	`30`	`t.Fatal("ROMountLabel: empty")`
`31`	`31`	`}`
`32`		`- plabel, _, err := InitLabels(testDisabled)`
	`32`	`+ plabel, mlabel, err := InitLabels(testDisabled)`
`33`	`33`	`if err != nil {`
`34`	`34`	`t.Fatalf("InitLabels(disabled) failed: %v", err)`
`35`	`35`	`}`
`36`	`36`	`if plabel != "" {`
`37`	`37`	`t.Fatalf("InitLabels(disabled): %q not empty", plabel)`
`38`	`38`	`}`
	`39`	`+ if mlabel != "system_u:object_r:container_file_t:s0:c1022,c1023" {`
	`40`	`+ t.Fatalf("InitLabels Disabled mlabel Failed, %s", mlabel)`
	`41`	`+ }`
	`42`	`+`
`39`	`43`	`testUser := []string{"user:user_u", "role:user_r", "type:user_t", "level:s0:c1,c15"}`
`40`		`- plabel, mlabel, err := InitLabels(testUser)`
	`44`	`+ plabel, mlabel, err = InitLabels(testUser)`
`41`	`45`	`if err != nil {`
`42`	`46`	`t.Fatalf("InitLabels(user) failed: %v", err)`
`43`	`47`	`}`
`@@ -172,7 +176,7 @@ func TestSELinuxNoLevel(t *testing.T) {`
`172`	`176`	`t.Fatal(err)`
`173`	`177`	`}`
`174`	`178`	`if con.Get() != tlabel {`
`175`		`- t.Errorf("NewContaxt and con.Get() failed on non mls label: expexcted %q, got %q", tlabel, con.Get())`
	`179`	`+ t.Errorf("NewContaxt and con.Get() failed on non mls label: expected %q, got %q", tlabel, con.Get())`
`176`	`180`	`}`
`177`	`181`	`}`
`178`	`182`
Original file line number	Diff line number	Diff line change
`@@ -892,13 +892,13 @@ func openContextFile() (*os.File, error) {`
`892`	`892`	`return os.Open(lxcPath)`
`893`	`893`	`}`
`894`	`894`
`895`		`-var labels = loadLabels()`
	`895`	`+var labels, privContainerMountLabel = loadLabels()`
`896`	`896`
`897`		`-func loadLabels() map[string]string {`
	`897`	`+func loadLabels() (map[string]string, string) {`
`898`	`898`	`labels := make(map[string]string)`
`899`	`899`	`in, err := openContextFile()`
`900`	`900`	`if err != nil {`
`901`		`- return labels`
	`901`	`+ return labels, ""`
`902`	`902`	`}`
`903`	`903`	`defer in.Close()`
`904`	`904`
`@@ -920,7 +920,10 @@ func loadLabels() map[string]string {`
`920`	`920`	`}`
`921`	`921`	`}`
`922`	`922`
`923`		`- return labels`
	`923`	`+ con, _ := NewContext(labels["file"])`
	`924`	`+ con["level"] = fmt.Sprintf("s0:c%d,c%d", maxCategory-2, maxCategory-1)`
	`925`	`+ reserveLabel(con.get())`
	`926`	`+ return labels, con.get()`
`924`	`927`	`}`
`925`	`928`
`926`	`929`	`// kvmContainerLabels returns the default processLabel and mountLabel to be used`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,8 @@`
`2`	`2`
`3`	`3`	`package selinux`
`4`	`4`
	`5`	`+const privContainerMountLabel = ""`
	`6`	`+`
`5`	`7`	`func setDisabled() {`
`6`	`8`	`}`
`7`	`9`