lsm: exit early if the process already has install_t

There's no need to perform any additional steps if the bootc process already has install_t. Signed-off-by: Ondřej Budai <ondrej@budai.cz>
containers · Jan 16, 2024 · 68dbdba · 68dbdba
1 parent 0c47374
commit 68dbdba
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/lib/src/lsm.rs b/lib/src/lsm.rs
@@ -84,6 +84,10 @@ impl Drop for SetEnforceGuard {
 #[context("Ensuring selinux install_t type")]
 #[cfg(feature = "install")]
 pub(crate) fn selinux_ensure_install_or_setenforce() -> Result<Option<SetEnforceGuard>> {
+    // If the process already has install_t, exit early
+    if self_has_install_t()? {
+        return Ok(None);
+    }
     selinux_ensure_install()?;
     let current = std::fs::read_to_string("/proc/self/attr/current")
         .context("Reading /proc/self/attr/current")?;
@@ -170,3 +174,10 @@ pub(crate) fn xattrs_have_selinux(xattrs: &ostree::glib::Variant) -> bool {
     }
     false
 }
+
+fn self_has_install_t() -> Result<bool> {
+    let current = std::fs::read_to_string("/proc/self/attr/current")
+        .context("Reading /proc/self/attr/current")?;
+
+    Ok(current.contains("install_t"))
+}