refactor: optimize flags and SetLabel
Do not do string lookups in repetitive calls. We do not support changing SELinux status during runtime, so once we read this we can assume status does not change.

Also avoid unneeded FS writes when the appropriate label is already set on the file.

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
dsseng committed Nov 21, 2024
1 parent 6074a87 commit 4caeae2
Showing 1 changed file with 21 additions and 8 deletions.
29 changes: 21 additions & 8 deletions internal/pkg/selinux/selinux.go
Expand Up @@ -6,12 +6,14 @@
package selinux

import (
"bytes"
_ "embed"
"log"
"os"
"sync"

"github.com/pkg/xattr"
"github.com/siderolabs/go-procfs/procfs"
"golang.org/x/sys/unix"

"github.com/siderolabs/talos/pkg/machinery/constants"
)
Expand All @@ -23,37 +25,48 @@ var policy []byte
// the kernel command line. It returns true if SELinux is enabled,
// otherwise it returns false. It also ensures we're not in a container.
// By default SELinux is disabled.
func IsEnabled() bool {
var IsEnabled = sync.OnceValue(func() bool {
if _, err := os.Stat("/usr/etc/in-container"); err == nil {
return false
}

val := procfs.ProcCmdline().Get(constants.KernelParamSELinux).First()

return val != nil && *val == "1"
}
})

// IsEnforcing checks if SELinux is enabled and the mode should be enforcing.
// By default if SELinux is enabled we consider it to be permissive.
func IsEnforcing() bool {
var IsEnforcing = sync.OnceValue(func() bool {
if !IsEnabled() {
return false
}

val := procfs.ProcCmdline().Get(constants.KernelParamSELinuxEnforcing).First()

return val != nil && *val == "1"
}
})

// SetLabel sets label for file or directory, following symlinks
// It does not perform the operation in case SELinux is disabled or provided label is empty.
// SetLabel sets label for file, directory or symlink (not following symlinks)
// It does not perform the operation in case SELinux is disabled, provided label is empty or already set.
func SetLabel(filename string, label string) error {
if label == "" {
return nil
}

if IsEnabled() {
if err := unix.Lsetxattr(filename, "security.selinux", []byte(label), 0); err != nil {
// We use LGet/LSet so that we manipulate label on the exact path, not the symlink target.
currentLabel, err := xattr.LGet(filename, "security.selinux")
if err != nil {
return err
}

// Skip extra FS transactions when labels are okay.
if string(bytes.Trim(currentLabel, "\x00\n")) == label {
return nil
}

if err := xattr.LSet(filename, "security.selinux", []byte(label)); err != nil {
return err
}
}
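Review bot: The new `xattr.LGet` call at the top of the `if IsEnabled()` branch turns a missing attribute into a hard failure: a path that has no `security.selinux` xattr yet makes LGet return the not-found errno, so SetLabel returns that error before ever reaching `xattr.LSet`, whereas the removed `unix.Lsetxattr` labelled such a path unconditionally. On a kernel with SELinux active the LSM normally synthesizes a label for getxattr, so this likely only surfaces where IsEnabled (a kernel-cmdline check, not a kernel-state check) reports enabled but the path carries no stored label; it still seems safer to treat not-found as "label differs" and fall through to the write, e.g. `if err != nil && !errors.Is(err, xattr.ENOATTR) { return err }` (pkg/xattr exports ENOATTR as its alias for the platform errno; this needs `errors` imported, and assumes xattr.Error unwraps to the errno — confirm against the vendored version). The read-then-compare-then-write is also not atomic, so a relabel that lands between LGet and LSet is not corrected by this call — acceptable for boot-time labelling, but a one-line comment saying so would help the next reader. Separately, `var IsEnabled = sync.OnceValue(...)` (and IsEnforcing) exports a reassignable function variable where there was a function; keeping `func IsEnabled() bool { return isEnabled() }` over an unexported OnceValue preserves the original API shape and keeps the check non-reassignable by importers. SetLabel's body continues past the end of the hunk.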
