Check if SELinux is enabled only once at startup

esrlabs · Oct 19, 2023 · 3773d44 · 3773d44
1 parent 33e1d0a
commit 3773d44
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 16 deletions.
diff --git a/northstar-runtime/src/runtime/fork/forker/mod.rs b/northstar-runtime/src/runtime/fork/forker/mod.rs
@@ -114,11 +114,12 @@ impl Forker {
         console: Option<OwnedFd>,
         sockets: Vec<OwnedFd>,
         containers: I,
+        selinux: bool,
     ) -> Result<Pid, Error> {
         debug_assert_eq!(manifest.console.is_some(), console.is_some());
 
         // Request
-        let init = init::build(config, manifest, containers).await?;
+        let init = init::build(config, manifest, containers, selinux).await?;
         let request = Message::CreateRequest {
             init,
             io,

diff --git a/northstar-runtime/src/runtime/fork/init/builder.rs b/northstar-runtime/src/runtime/fork/init/builder.rs
@@ -25,6 +25,7 @@ pub async fn build<'a, I: Iterator<Item = &'a Container> + Clone>(
     config: &Config,
     manifest: &Manifest,
     containers: I,
+    selinux: bool,
 ) -> Result<Init, Error> {
     let container = manifest.container();
     let root = config.run_dir.join(container.to_string());
@@ -46,7 +47,10 @@ pub async fn build<'a, I: Iterator<Item = &'a Container> + Clone>(
         .map(Into::into)
         .sorted()
         .collect();
-    let selinux = manifest.selinux.clone();
+    let selinux = selinux
+        .then_some(())
+        .and(manifest.selinux.as_ref())
+        .cloned();
 
     Ok(Init {
         container,

diff --git a/northstar-runtime/src/runtime/mount.rs b/northstar-runtime/src/runtime/mount.rs
@@ -115,6 +115,7 @@ impl MountControl {
         npk: &Npk,
         target: &Path,
         key: Option<&PublicKey>,
+        selinux: bool,
     ) -> impl Future<Output = Result<()>> {
         let dm = self.dm.clone();
         let lc = self.lc.clone();
@@ -147,7 +148,7 @@ impl MountControl {
                 lo_timeout,
             };
             debug!("Mounting {container}");
-            mount(dm, lc, mount_info).map(drop)
+            mount(dm, lc, mount_info, selinux).map(drop)
         })
         .map(|r| match r {
             Ok(r) => r,
@@ -180,6 +181,7 @@ fn mount(
     dm: Arc<devicemapper::DeviceMapper>,
     lc: Arc<Mutex<LoopControl>>,
     mount_info: Mount,
+    selinux: bool,
 ) -> Result<()> {
     let Mount {
         container,
@@ -268,16 +270,10 @@ fn mount(
     const FLAGS: MountFlags = MountFlags::MS_RDONLY;
     const FSTYPE: Option<&str> = Some(FS_TYPE);
     let source = Some(&device);
-    let data = if let Some(selinux_context) = selinux_context {
-        if Path::new("/sys/fs/selinux/enforce").exists() {
-            Some(format!("{}{}", "context=", selinux_context.as_str()))
-        } else {
-            warn!("Failed to determine SELinux status of host system. SELinux is disabled.");
-            None
-        }
-    } else {
-        None
-    };
+    let data = selinux
+        .then_some(())
+        .and(selinux_context)
+        .map(|context| format!("context={}", context.as_str()));
     let data = data.as_deref();
     let mount_result = nix::mount::mount(source, target, FSTYPE, FLAGS, data);
 

diff --git a/northstar-runtime/src/runtime/state.rs b/northstar-runtime/src/runtime/state.rs
@@ -40,7 +40,7 @@ use std::{
     fmt::Debug,
     iter::{once, FromIterator},
     os::unix::{net::UnixStream as StdUnixStream, prelude::OwnedFd},
-    path::PathBuf,
+    path::{Path, PathBuf},
     sync::Arc,
 };
 use tokio::{
@@ -65,6 +65,8 @@ pub(super) struct State {
     forker: Forker,
     containers: HashMap<Container, ContainerState>,
     repositories: HashMap<RepositoryId, Repository>,
+    /// Is SELinux enabled on the host.
+    selinux_enabled: bool,
 }
 
 #[derive(Debug, Default)]
@@ -116,6 +118,7 @@ impl State {
     ) -> Result<State> {
         let repositories = HashMap::new();
         let containers = HashMap::new();
+        let selinux_enabled = is_selinux_enabled();
         let mount_control = Arc::new(
             MountControl::new(config.loop_device_timeout)
                 .await
@@ -130,6 +133,7 @@ impl State {
             config,
             forker,
             mount_control,
+            selinux_enabled,
         };
 
         // Initialize repositories. This populates self.containers and self.repositories
@@ -308,7 +312,7 @@ impl State {
         let root = self.config.run_dir.join(container.to_string());
         let mount_control = self.mount_control.clone();
         mount_control
-            .mount(npk, &root, key.as_ref())
+            .mount(npk, &root, key.as_ref(), self.selinux_enabled)
             .map_ok(|_| root)
     }
 
@@ -525,7 +529,14 @@ impl State {
         let pid = self
             .forker
             .create(
-                container, config, &manifest, io, console_fd, socket_fds, containers,
+                container,
+                config,
+                &manifest,
+                io,
+                console_fd,
+                socket_fds,
+                containers,
+                self.selinux_enabled,
             )
             .await?;
 
@@ -1243,6 +1254,16 @@ impl State {
     }
 }
 
+/// Returns true if SELinux is enabled on the host system.
+fn is_selinux_enabled() -> bool {
+    let enabled = Path::new("/sys/fs/selinux/enforce").exists();
+    debug!(
+        "SELinux is {}",
+        enabled.then_some("enabled").unwrap_or("disabled")
+    );
+    enabled
+}
+
 #[test]
 #[allow(clippy::unwrap_used)]
 fn find_newest_resource() {