fix can't use empty str as label in some old kernels #50

Closed
8 changes: 8 additions & 0 deletions go-selinux/label/label.go
Expand Up @@ -25,6 +25,10 @@ func SetProcessLabel(processLabel string) error {
return nil
}

func ClearProcessLabel() error {
return nil
}

func ProcessLabel() (string, error) {
return "", nil
}
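Review bot: ClearProcessLabel in this stub is a new exported function with no doc comment, and the same holds for ClearKeyLabel in the next hunk. Add a comment on each stating that it is a no-op returning nil in this file, so the difference from the implementation in label_selinux.go is documented where callers will look.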
Expand All @@ -41,6 +45,10 @@ func SetKeyLabel(processLabel string) error {
return nil
}

func ClearKeyLabel() error {
return nil
}

func KeyLabel() (string, error) {
return "", nil
}
16 changes: 16 additions & 0 deletions go-selinux/label/label_selinux.go
Expand Up @@ -101,9 +101,17 @@ func FormatMountLabel(src, mountLabel string) string {
// SetProcessLabel takes a process label and tells the kernel to assign the
// label to the next program executed by the current process.
func SetProcessLabel(processLabel string) error {
if processLabel == "" && selinux.GetEnabled() {
processLabel = "unconfined_u:unconfined_r:unconfined_t:s0"
Member Author

@rhatdan Does it make sense?

Member Author

@lifubang lifubang Apr 4, 2019

Or after failure with "", then we try "unconfined_u:unconfined_r:unconfined_t:s0" next?

Collaborator

No we should not hard code this label. "" is a valid label.

Collaborator

It tells the library to reset the kernel to use default labeling.

}
return selinux.SetExecLabel(processLabel)
}

// ClearProcessLabel is to clear process's label
func ClearProcessLabel() error {
return selinux.SetExecLabel("unconfined_u:unconfined_r:unconfined_t:s0")
Collaborator

No we don't hard code any labels in the library. ClearProcessLabel sets the label to "", which tells the kernel to use default labeling.

}

// SetSocketLabel takes a process label and tells the kernel to assign the
// label to the next socket that gets created
func SetSocketLabel(processLabel string) error {
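Review bot: In SetProcessLabel, the new branch `if processLabel == "" && selinux.GetEnabled()` rewrites an empty label to the literal "unconfined_u:unconfined_r:unconfined_t:s0", which changes the meaning of "" from "no explicit exec label" to an explicit request to run the next program as unconfined_t. That context is policy-specific and is not guaranteed to exist in the loaded policy, and where it does exist the fallback silently picks an unconfined domain. ClearProcessLabel has the same problem, and its comment "is to clear process's label" does not match a body that sets a concrete label. Suggest passing "" through to selinux.SetExecLabel unchanged and dealing with the old-kernel write failure at the point where the write happens.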
Expand All @@ -118,9 +126,17 @@ func SocketLabel() (string, error) {
// SetKeyLabel takes a process label and tells the kernel to assign the
// label to the next kernel keyring that gets created
func SetKeyLabel(processLabel string) error {
if processLabel == "" && selinux.GetEnabled() {
processLabel = "unconfined_u:unconfined_r:unconfined_t:s0"
Collaborator

Wrong see above.

}
return selinux.SetKeyLabel(processLabel)
}

// ClearKeyLabel is to clear key label
func ClearKeyLabel() error {
return selinux.SetKeyLabel("unconfined_u:unconfined_r:unconfined_t:s0")
Collaborator

Wrong.

}

// KeyLabel retrieves the current default kernel keyring label setting
func KeyLabel() (string, error) {
return selinux.KeyLabel()
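Review bot: SetKeyLabel and ClearKeyLabel repeat the hard-coded "unconfined_u:unconfined_r:unconfined_t:s0" literal, so an empty key label now gives new kernel keyrings that fixed context instead of whatever the kernel would assign by default. The literal appears four times in this file with no named constant, and the ClearKeyLabel comment says "clear" while the body sets a label. Suggest `return selinux.SetKeyLabel("")` in ClearKeyLabel and dropping the substitution branch in SetKeyLabel.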
9 changes: 4 additions & 5 deletions go-selinux/selinux_linux.go
Expand Up @@ -333,11 +333,6 @@ func writeCon(fpath string, val string) error {
if fpath == "" {
return ErrEmptyPath
}
if val == "" {
if !GetEnabled() {
return nil
}
}

out, err := os.OpenFile(fpath, os.O_WRONLY, 0)
if err != nil {
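Review bot: Removing the `if val == "" { if !GetEnabled() { return nil } }` guard means writeCon now reaches os.OpenFile for an empty value on hosts where SELinux is not enabled, so whatever the `if err != nil` branch returns goes to callers that previously got nil. The later `if val == ""` check sits after the write and does not cover this open failure. Either keep the GetEnabled() early return or add a comment explaining why the open cannot fail in that configuration.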
Expand All @@ -350,6 +345,10 @@ func writeCon(fpath string, val string) error {
} else {
_, err = out.Write(nil)
}
// for some kernels, we can't write "" as label.
if val == "" {
return nil
}
return err
}
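Review bot: The added `if val == "" { return nil }` after the write discards err for every failure of an empty write, not only the old-kernel case the comment refers to. A permission or policy denial on the reset would then be reported as success, leaving the previously set label in effect while the caller believes it was cleared. Suggest returning err unless it matches the specific error those kernels produce, and naming that error and the affected kernels in the comment instead of "for some kernels".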
