diff --git a/examples/inspect/manifest.yaml b/examples/inspect/manifest.yaml index fb120e9f2..4606635ae 100644 --- a/examples/inspect/manifest.yaml +++ b/examples/inspect/manifest.yaml @@ -31,4 +31,5 @@ rlimits: hard: 20000 suppl_groups: [src, inet] selinux: - context: unconfined_u:object_r:user_home_t:s0 \ No newline at end of file + mount_context: unconfined_u:object_r:user_home_t:s0 + exec: unconfined_u:object_r:inspect_t:s0 \ No newline at end of file diff --git a/examples/test-container/manifest.yaml b/examples/test-container/manifest.yaml index 0c7c6039c..5f06709c9 100644 --- a/examples/test-container/manifest.yaml +++ b/examples/test-container/manifest.yaml @@ -61,7 +61,8 @@ seccomp: clone: any # Needed for socket tests. clone3: any # Needed for socket tests. selinux: - context: unconfined_u:object_r:user_home_t:s0 + mount_context: unconfined_u:object_r:user_home_t:s0 + exec: unconfined_u:object_r:test_container_t:s0 sockets: datagram: type: datagram diff --git a/northstar-runtime/src/npk/manifest/selinux.rs b/northstar-runtime/src/npk/manifest/selinux.rs index acd59a05f..dc9c1b0ed 100644 --- a/northstar-runtime/src/npk/manifest/selinux.rs +++ b/northstar-runtime/src/npk/manifest/selinux.rs @@ -5,6 +5,7 @@ use crate::common::non_nul_string::NonNulString; /// SELinux configuration #[derive(Clone, Eq, PartialEq, Debug, Validate, Serialize, Deserialize)] +#[serde(deny_unknown_fields)] pub struct Selinux { /// Default SE label (mount option context=...). #[validate(custom = "validate_context")] @@ -59,3 +60,15 @@ fn validate_context_with_space() { fn validate_invalid_empty_context() { assert!(validate_context("").is_err()); } + +#[test] +fn deserialize_unknown_field() { + serde_json::from_str::( + "{ + \"mount_context\": \"system_u:object_r:container_file_t:s0\", + \"exec\": \"system_u:object_r:container_file_t:s0\", + \"unknown\": \"system_u:object_r:container_file_t:s0\" + }", + ) + .expect_err("unknown field should not be deserialized"); +}