selinux: implemented remaining selinux functions (youki-dev#2850)

* added selinux functions Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> * not use arc Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> * follow reviewer comment Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> * divided selinux impl into two files Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> * fix Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> * fix Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> * fix Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> * use SELinuxLabel struct Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> * use pointer instead of clone Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> * not loop Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> * add main.rs Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com> --------- Signed-off-by: Hiroyuki Moriya <41197469+Gekko0114@users.noreply.github.com>
sat0ken · Oct 4, 2024 · c8eb148 · c8eb148
1 parent 23aacf7
commit c8eb148
Show file tree

Hide file tree

Showing 11 changed files with 883 additions and 287 deletions.
diff --git a/experiment/selinux/Cargo.lock b/experiment/selinux/Cargo.lock
diff --git a/experiment/selinux/Cargo.toml b/experiment/selinux/Cargo.toml
@@ -12,7 +12,8 @@ autoexamples = true
 keywords = ["youki", "container", "selinux"]
 
 [dependencies]
-nix = { version = "0.29.0", features = ["process", "fs"] }
+anyhow = "1.0.86"
+nix = { version = "0.29.0", features = ["process", "fs", "socket"] }
 rustix = { version = "0.38.34", features = ["fs"] }
 tempfile = "3.10.1"
 thiserror = "1.0.61"
diff --git a/experiment/selinux/README.md b/experiment/selinux/README.md
@@ -3,5 +3,10 @@ Ref: https://github.com/containers/youki/issues/2718.
 Reimplementation of [opencontainers/selinux](https://github.com/opencontainers/selinux) in Rust.  
 Also selinux depends on xattr, but nix doesn't cover xattr function. 
 Therefore, this PR will implement xattr in Rust.  
+Referenced the implementation of xattr in [unix](golang.org/x/sys/unix) repo.  
 
 Please import and use this project.
+
+```console
+$ cargo run
+```
diff --git a/experiment/selinux/src/lib.rs b/experiment/selinux/src/lib.rs
@@ -1,2 +1,5 @@
 pub mod selinux;
-pub mod xattrs;
+pub mod selinux_label;
+pub mod tools;
+
+pub use selinux::SELinux;
diff --git a/experiment/selinux/src/main.rs b/experiment/selinux/src/main.rs
@@ -0,0 +1,43 @@
+use anyhow::Result;
+use selinux::selinux::*;
+use selinux::selinux_label::*;
+use std::fs::File;
+use std::path::Path;
+
+fn main() -> Result<()> {
+    let mut selinux_instance: SELinux = SELinux::new();
+
+    if selinux_instance.get_enabled() {
+        println!("selinux is enabled");
+    } else {
+        println!("selinux is not enabled");
+
+        match selinux_instance.set_enforce_mode(SELinuxMode::PERMISSIVE) {
+            Ok(_) => println!("set selinux mode as permissive"),
+            Err(e) => println!("{}", e),
+        }
+    }
+    println!(
+        "default enforce mode is: {}",
+        selinux_instance.default_enforce_mode()
+    );
+    println!(
+        "current enforce mode is: {}",
+        selinux_instance.enforce_mode()
+    );
+
+    match selinux_instance.current_label() {
+        Ok(l) => println!("SELinux label of current process is: {}", l),
+        Err(e) => println!("{}", e),
+    }
+
+    let file_path = Path::new("./test_file.txt");
+    let _file = File::create(file_path)?;
+    let selinux_label =
+        SELinuxLabel::try_from("unconfined_u:object_r:public_content_t:s1".to_string())?;
+    SELinux::set_file_label(file_path, selinux_label)?;
+    let current_label = SELinux::file_label(file_path)?;
+    println!("file label is {}", current_label);
+
+    Ok(())
+}