Lazy initialization for labels

Perform lazy (on demand) init of labels. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
opencontainers · Sep 8, 2021 · 397b931 · 397b931
1 parent 7213bfa
commit 397b931
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 18 deletions.
diff --git a/go-selinux/selinux.go b/go-selinux/selinux.go
@@ -280,5 +280,7 @@ func GetDefaultContextWithLevel(user, level, scon string) (string, error) {
 
 // PrivContainerMountLabel returns mount label for privileged containers
 func PrivContainerMountLabel() string {
+	// Make sure label is loaded.
+	_ = label("")
 	return privContainerMountLabel
 }
diff --git a/go-selinux/selinux_linux.go b/go-selinux/selinux_linux.go
@@ -81,6 +81,11 @@ var (
 	// for policyRoot()
 	policyRootOnce sync.Once
 	policyRootVal  string
+
+	// for label()
+	loadLabelsOnce          sync.Once
+	labels                  map[string]string
+	privContainerMountLabel string
 )
 
 func policyRoot() string {
@@ -904,13 +909,11 @@ func openContextFile() (*os.File, error) {
 	return os.Open(filepath.Join(policyRoot(), "/contexts/lxc_contexts"))
 }
 
-var labels, privContainerMountLabel = loadLabels()
-
-func loadLabels() (map[string]string, string) {
-	labels := make(map[string]string)
+func loadLabels() {
+	labels = make(map[string]string)
 	in, err := openContextFile()
 	if err != nil {
-		return labels, ""
+		return
 	}
 	defer in.Close()
 
@@ -934,30 +937,37 @@ func loadLabels() (map[string]string, string) {
 
 	con, _ := NewContext(labels["file"])
 	con["level"] = fmt.Sprintf("s0:c%d,c%d", maxCategory-2, maxCategory-1)
-	reserveLabel(con.get())
-	return labels, con.get()
+	privContainerMountLabel = con.get()
+	reserveLabel(privContainerMountLabel)
+}
+
+func label(key string) string {
+	loadLabelsOnce.Do(func() {
+		loadLabels()
+	})
+	return labels[key]
 }
 
 // kvmContainerLabels returns the default processLabel and mountLabel to be used
 // for kvm containers by the calling process.
 func kvmContainerLabels() (string, string) {
-	processLabel := labels["kvm_process"]
+	processLabel := label("kvm_process")
 	if processLabel == "" {
-		processLabel = labels["process"]
+		processLabel = label("process")
 	}
 
-	return addMcs(processLabel, labels["file"])
+	return addMcs(processLabel, label("file"))
 }
 
 // initContainerLabels returns the default processLabel and file labels to be
 // used for containers running an init system like systemd by the calling process.
 func initContainerLabels() (string, string) {
-	processLabel := labels["init_process"]
+	processLabel := label("init_process")
 	if processLabel == "" {
-		processLabel = labels["process"]
+		processLabel = label("process")
 	}
 
-	return addMcs(processLabel, labels["file"])
+	return addMcs(processLabel, label("file"))
 }
 
 // containerLabels returns an allocated processLabel and fileLabel to be used for
@@ -967,9 +977,9 @@ func containerLabels() (processLabel string, fileLabel string) {
 		return "", ""
 	}
 
-	processLabel = labels["process"]
-	fileLabel = labels["file"]
-	readOnlyFileLabel = labels["ro_file"]
+	processLabel = label("process")
+	fileLabel = label("file")
+	readOnlyFileLabel = label("ro_file")
 
 	if processLabel == "" || fileLabel == "" {
 		return "", fileLabel

diff --git a/go-selinux/selinux_linux_test.go b/go-selinux/selinux_linux_test.go
@@ -42,8 +42,6 @@ func TestKVMLabels(t *testing.T) {
 		t.Skip("SELinux not enabled, skipping.")
 	}
 
-	t.Log(labels)
-
 	plabel, flabel := KVMContainerLabels()
 	if plabel == "" {
 		t.Log("Failed to read kvm label")

diff --git a/go-selinux/selinux_stub.go b/go-selinux/selinux_stub.go
@@ -152,3 +152,5 @@ func disableSecOpt() []string {
 func getDefaultContextWithLevel(user, level, scon string) (string, error) {
 	return "", nil
 }
+
+func loadLabels() {}