selinux: implemented remaining selinux functions #2850

Merged
merged 11 commits into from
Aug 16, 2024
23 changes: 23 additions & 0 deletions experiment/selinux/Cargo.lock


3 changes: 2 additions & 1 deletion experiment/selinux/Cargo.toml
Expand Up @@ -12,7 +12,8 @@ autoexamples = true
keywords = ["youki", "container", "selinux"]

[dependencies]
nix = { version = "0.29.0", features = ["process", "fs"] }
anyhow = "1.0.86"
nix = { version = "0.29.0", features = ["process", "fs", "socket"] }
rustix = { version = "0.38.34", features = ["fs"] }
tempfile = "3.10.1"
thiserror = "1.0.61"
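Review bot: `anyhow` is added to `[dependencies]`, but in this change set only the example binary `src/main.rs` uses it; the library side already carries `thiserror`, and since the README advertises the crate as something to import, consider keeping `anyhow` out of the library's public error surface (it is fine for the binary). The hunk also widens the native surface twice at once (`socket` feature on `nix`, new `rustix` with `fs`); a one-line comment next to each stating what it is needed for (presumably `rustix` covers the xattr calls now that `pub mod xattrs;` is dropped from `lib.rs`) would make future version bumps easier to review.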
5 changes: 5 additions & 0 deletions experiment/selinux/README.md
Expand Up @@ -3,5 +3,10 @@ Ref: https://github.com/containers/youki/issues/2718.
Reimplementation of [opencontainers/selinux](https://github.com/opencontainers/selinux) in Rust.
Also selinux depends on xattr, but nix doesn't cover xattr function.
Therefore, this PR will implement xattr in Rust.
Referenced the implementation of xattr in [unix](golang.org/x/sys/unix) repo.

Please import and use this project.

```console
$ cargo run
```
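Review bot: the unchanged context above this hunk still says "this PR will implement xattr in Rust" and points at the Go `unix` xattr implementation, while `src/lib.rs` in the same change set removes `pub mod xattrs;`, so that paragraph is stale and should say where xattr support now comes from. The added lines also read inconsistently: "Please import and use this project." is immediately followed by `$ cargo run`, which executes the example in `src/main.rs` rather than importing the crate; suggest "To try the example: `cargo run`" and a note that the example needs an SELinux-enabled host and root (it calls `set_enforce_mode` and relabels a file). The `[unix](golang.org/x/sys/unix)` link is missing its `https://` scheme and renders as a relative link.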
5 changes: 4 additions & 1 deletion experiment/selinux/src/lib.rs
@@ -1,2 +1,5 @@
pub mod selinux;
pub mod xattrs;
pub mod selinux_label;
pub mod tools;

pub use selinux::SELinux;
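Review bot: removing `pub mod xattrs;` from the public module list is a breaking change for any downstream code that used `selinux::xattrs`, and the README in this PR still describes that functionality; either keep a thin re-export or call the removal out in the PR description. `pub mod tools;` exposes what reads like internal helpers as public API; if callers are not meant to use them, `pub(crate) mod tools;` keeps the surface smaller. The new `pub use selinux::SELinux;` re-export is good, but `src/main.rs` still reaches in via `selinux::selinux::*` instead of using it.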
43 changes: 43 additions & 0 deletions experiment/selinux/src/main.rs
@@ -0,0 +1,43 @@
use anyhow::Result;
use selinux::selinux::*;
use selinux::selinux_label::*;
use std::fs::File;
use std::path::Path;

fn main() -> Result<()> {
let mut selinux_instance: SELinux = SELinux::new();

if selinux_instance.get_enabled() {
println!("selinux is enabled");
} else {
println!("selinux is not enabled");

match selinux_instance.set_enforce_mode(SELinuxMode::PERMISSIVE) {
Ok(_) => println!("set selinux mode as permissive"),
Err(e) => println!("{}", e),
}
}
println!(
"default enforce mode is: {}",
selinux_instance.default_enforce_mode()
);
println!(
"current enforce mode is: {}",
selinux_instance.enforce_mode()
);

match selinux_instance.current_label() {
Ok(l) => println!("SELinux label of current process is: {}", l),
Err(e) => println!("{}", e),
}

let file_path = Path::new("./test_file.txt");
let _file = File::create(file_path)?;
let selinux_label =
SELinuxLabel::try_from("unconfined_u:object_r:public_content_t:s1".to_string())?;
SELinux::set_file_label(file_path, selinux_label)?;
let current_label = SELinux::file_label(file_path)?;
println!("file label is {}", current_label);

Ok(())
}
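Review bot: the branch logic around `set_enforce_mode` looks inverted: the switch to `SELinuxMode::PERMISSIVE` sits in the `else` arm, i.e. it runs only when `get_enabled()` reports SELinux is not enabled, where it can only fail, while on an enabled host it is skipped. Either way, flipping the host to permissive is not something an example binary should do as a side effect; printing `enforce_mode()` already demonstrates that API, so suggest dropping the call. Further points: `File::create("./test_file.txt")` leaves a file in the caller's working directory and nothing removes it, while `tempfile` is already a dependency and would give a self-cleaning file; errors are written with `println!` rather than `eprintln!`; and the hard-coded context `unconfined_u:object_r:public_content_t:s1` uses sensitivity `s1`, which the common targeted/MCS policy does not define (it only has `s0` plus categories), so `set_file_label` will most likely fail with an invalid-context error for most users; `s0` is the safer demo value.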