Add MCS label support

Carry of #1246

Signed-off-by: Darren Shepherd <darren@rancher.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>

pkg/store/container/container.go

@@ -20,6 +20,7 @@ import (
 	"sync"
 
 	"github.com/containerd/containerd"
+	"github.com/containerd/cri/pkg/store/label"
 	"github.com/docker/docker/pkg/truncindex"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 
@@ -101,13 +102,15 @@ type Store struct {
 	lock       sync.RWMutex
 	containers map[string]Container
 	idIndex    *truncindex.TruncIndex
+	labels     *label.Store
 }
 
 // NewStore creates a container store.
-func NewStore() *Store {
+func NewStore(labels *label.Store) *Store {
 	return &Store{
 		containers: make(map[string]Container),
 		idIndex:    truncindex.NewTruncIndex([]string{}),
+		labels:     labels,
 	}
 }
 
@@ -119,6 +122,9 @@ func (s *Store) Add(c Container) error {
 	if _, ok := s.containers[c.ID]; ok {
 		return store.ErrAlreadyExist
 	}
+	if err := s.labels.Reserve(c.ProcessLabel); err != nil {
+		return err
+	}
 	if err := s.idIndex.Add(c.ID); err != nil {
 		return err
 	}
@@ -165,6 +171,7 @@ func (s *Store) Delete(id string) {
 		// So we need to return if there are error.
 		return
 	}
+	s.labels.Release(s.containers[id].ProcessLabel)
 	s.idIndex.Delete(id) // nolint: errcheck
 	delete(s.containers, id)
 }

pkg/store/container/container_test.go

@@ -17,9 +17,12 @@
 package container
 
 import (
+	"strings"
 	"testing"
 	"time"
 
+	"github.com/containerd/cri/pkg/store/label"
+	"github.com/opencontainers/selinux/go-selinux"
 	assertlib "github.com/stretchr/testify/assert"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 
@@ -39,9 +42,10 @@ func TestContainerStore(t *testing.T) {
 					Attempt: 1,
 				},
 			},
-			ImageRef:   "TestImage-1",
-			StopSignal: "SIGTERM",
-			LogPath:    "/test/log/path/1",
+			ImageRef:     "TestImage-1",
+			StopSignal:   "SIGTERM",
+			LogPath:      "/test/log/path/1",
+			ProcessLabel: "junk:junk:junk:c1,c2",
 		},
 		"2abcd": {
 			ID:        "2abcd",
@@ -53,9 +57,10 @@ func TestContainerStore(t *testing.T) {
 					Attempt: 2,
 				},
 			},
-			StopSignal: "SIGTERM",
-			ImageRef:   "TestImage-2",
-			LogPath:    "/test/log/path/2",
+			StopSignal:   "SIGTERM",
+			ImageRef:     "TestImage-2",
+			LogPath:      "/test/log/path/2",
+			ProcessLabel: "junk:junk:junk:c1,c2",
 		},
 		"4a333": {
 			ID:        "4a333",
@@ -67,9 +72,10 @@ func TestContainerStore(t *testing.T) {
 					Attempt: 3,
 				},
 			},
-			StopSignal: "SIGTERM",
-			ImageRef:   "TestImage-3",
-			LogPath:    "/test/log/path/3",
+			StopSignal:   "SIGTERM",
+			ImageRef:     "TestImage-3",
+			LogPath:      "/test/log/path/3",
+			ProcessLabel: "junk:junk:junk:c1,c3",
 		},
 		"4abcd": {
 			ID:        "4abcd",
@@ -81,8 +87,9 @@ func TestContainerStore(t *testing.T) {
 					Attempt: 1,
 				},
 			},
-			StopSignal: "SIGTERM",
-			ImageRef:   "TestImage-4abcd",
+			StopSignal:   "SIGTERM",
+			ImageRef:     "TestImage-4abcd",
+			ProcessLabel: "junk:junk:junk:c1,c4",
 		},
 	}
 	statuses := map[string]Status{
@@ -136,7 +143,14 @@ func TestContainerStore(t *testing.T) {
 		containers[id] = container
 	}
 
-	s := NewStore()
+	s := NewStore(label.NewStore())
+	reserved := map[string]bool{}
+	s.labels.Reserver = func(label string) {
+		reserved[strings.SplitN(label, ":", 4)[3]] = true
+	}
+	s.labels.Releaser = func(label string) {
+		reserved[strings.SplitN(label, ":", 4)[3]] = false
+	}
 
 	t.Logf("should be able to add container")
 	for _, c := range containers {
@@ -155,6 +169,15 @@ func TestContainerStore(t *testing.T) {
 	cs := s.List()
 	assert.Len(cs, len(containers))
 
+	if selinux.GetEnabled() {
+		t.Logf("should have reserved labels (requires -tag selinux)")
+		assert.Equal(map[string]bool{
+			"c1,c2": true,
+			"c1,c3": true,
+			"c1,c4": true,
+		}, reserved)
+	}
+
 	cntrNum := len(containers)
 	for testID, v := range containers {
 		truncID := genTruncIndex(testID)
@@ -173,6 +196,15 @@ func TestContainerStore(t *testing.T) {
 		assert.Equal(Container{}, c)
 		assert.Equal(store.ErrNotExist, err)
 	}
+
+	if selinux.GetEnabled() {
+		t.Logf("should have released all labels (requires -tag selinux)")
+		assert.Equal(map[string]bool{
+			"c1,c2": false,
+			"c1,c3": false,
+			"c1,c4": false,
+		}, reserved)
+	}
 }
 
 func TestWithContainerIO(t *testing.T) {

pkg/store/container/metadata.go

@@ -61,6 +61,8 @@ type Metadata struct {
 	// StopSignal is the system call signal that will be sent to the container to exit.
 	// TODO(random-liu): Add integration test for stop signal.
 	StopSignal string
+	// ProcessLabel is the SELinux process label for the container
+	ProcessLabel string
 }
 
 // MarshalJSON encodes Metadata into bytes in json format.

pkg/store/label/label.go

@@ -0,0 +1,90 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package label
+
+import (
+	"sync"
+
+	"github.com/opencontainers/selinux/go-selinux"
+)
+
+type Store struct {
+	sync.Mutex
+	levels   map[string]int
+	Releaser func(string)
+	Reserver func(string)
+}
+
+func NewStore() *Store {
+	return &Store{
+		levels:   map[string]int{},
+		Releaser: selinux.ReleaseLabel,
+		Reserver: selinux.ReserveLabel,
+	}
+}
+
+func (s *Store) Reserve(label string) error {
+	s.Lock()
+	defer s.Unlock()
+
+	context, err := selinux.NewContext(label)
+	if err != nil {
+		return err
+	}
+
+	level := context["level"]
+	// no reason to count empty
+	if level == "" {
+		return nil
+	}
+
+	if _, ok := s.levels[level]; !ok {
+		s.Reserver(label)
+	}
+
+	s.levels[level]++
+	return nil
+}
+
+func (s *Store) Release(label string) {
+	s.Lock()
+	defer s.Unlock()
+
+	context, err := selinux.NewContext(label)
+	if err != nil {
+		return
+	}
+
+	level := context["level"]
+	if level == "" {
+		return
+	}
+
+	count, ok := s.levels[level]
+	if !ok {
+		return
+	}
+	switch {
+	case count == 1:
+		s.Releaser(label)
+		delete(s.levels, level)
+	case count < 1:
+		delete(s.levels, level)
+	case count > 1:
+		s.levels[level] = count - 1
+	}
+}

pkg/store/label/label_test.go

@@ -0,0 +1,116 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package label
+
+import (
+	"testing"
+
+	"github.com/opencontainers/selinux/go-selinux"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAddThenRemove(t *testing.T) {
+	if !selinux.GetEnabled() {
+		t.Skip("selinux is not enabled")
+	}
+
+	assert := assert.New(t)
+	store := NewStore()
+	releaseCount := 0
+	reserveCount := 0
+	store.Releaser = func(label string) {
+		assert.Contains(label, ":c1,c2")
+		releaseCount++
+		assert.Equal(1, releaseCount)
+	}
+	store.Reserver = func(label string) {
+		assert.Contains(label, ":c1,c2")
+		reserveCount++
+		assert.Equal(1, reserveCount)
+	}
+
+	t.Log("should count to two level")
+	assert.NoError(store.Reserve("junk:junk:junk:c1,c2"))
+	assert.NoError(store.Reserve("junk2:junk2:junk2:c1,c2"))
+
+	t.Log("should have one item")
+	assert.Equal(1, len(store.levels))
+
+	t.Log("c1,c2 count should be 2")
+	assert.Equal(2, store.levels["c1,c2"])
+
+	store.Release("junk:junk:junk:c1,c2")
+	store.Release("junk2:junk2:junk2:c1,c2")
+
+	t.Log("should have 0 items")
+	assert.Equal(0, len(store.levels))
+
+	t.Log("should have reserved")
+	assert.Equal(1, reserveCount)
+
+	t.Log("should have released")
+	assert.Equal(1, releaseCount)
+}
+
+func TestJunkData(t *testing.T) {
+	if !selinux.GetEnabled() {
+		t.Skip("selinux is not enabled")
+	}
+
+	assert := assert.New(t)
+	store := NewStore()
+	releaseCount := 0
+	store.Releaser = func(label string) {
+		releaseCount++
+	}
+	reserveCount := 0
+	store.Reserver = func(label string) {
+		reserveCount++
+	}
+
+	t.Log("should ignore empty label")
+	assert.NoError(store.Reserve(""))
+	assert.Equal(0, len(store.levels))
+	store.Release("")
+	assert.Equal(0, len(store.levels))
+	assert.Equal(0, releaseCount)
+	assert.Equal(0, reserveCount)
+
+	t.Log("should fail on bad label")
+	assert.Error(store.Reserve("junkjunkjunkc1c2"))
+	assert.Equal(0, len(store.levels))
+	store.Release("junkjunkjunkc1c2")
+	assert.Equal(0, len(store.levels))
+	assert.Equal(0, releaseCount)
+	assert.Equal(0, reserveCount)
+
+	t.Log("should not release unknown label")
+	store.Release("junk2:junk2:junk2:c1,c2")
+	assert.Equal(0, len(store.levels))
+	assert.Equal(0, releaseCount)
+	assert.Equal(0, reserveCount)
+
+	t.Log("should release once even if too many deletes")
+	assert.NoError(store.Reserve("junk2:junk2:junk2:c1,c2"))
+	assert.Equal(1, len(store.levels))
+	assert.Equal(1, store.levels["c1,c2"])
+	store.Release("junk2:junk2:junk2:c1,c2")
+	store.Release("junk2:junk2:junk2:c1,c2")
+	assert.Equal(0, len(store.levels))
+	assert.Equal(1, releaseCount)
+	assert.Equal(1, reserveCount)
+}

pkg/store/sandbox/metadata.go

@@ -61,6 +61,8 @@ type Metadata struct {
 	RuntimeHandler string
 	// CNIresult resulting configuration for attached network namespace interfaces
 	CNIResult *cni.CNIResult
+	// ProcessLabel is the SELinux process label for the container
+	ProcessLabel string
 }
 
 // MarshalJSON encodes Metadata into bytes in json format.

pkg/store/sandbox/sandbox.go

@@ -20,6 +20,7 @@ import (
 	"sync"
 
 	"github.com/containerd/containerd"
+	"github.com/containerd/cri/pkg/store/label"
 	"github.com/docker/docker/pkg/truncindex"
 
 	"github.com/containerd/cri/pkg/netns"
@@ -62,13 +63,15 @@ type Store struct {
 	lock      sync.RWMutex
 	sandboxes map[string]Sandbox
 	idIndex   *truncindex.TruncIndex
+	labels    *label.Store
 }
 
 // NewStore creates a sandbox store.
-func NewStore() *Store {
+func NewStore(labels *label.Store) *Store {
 	return &Store{
 		sandboxes: make(map[string]Sandbox),
 		idIndex:   truncindex.NewTruncIndex([]string{}),
+		labels:    labels,
 	}
 }
 
@@ -79,6 +82,9 @@ func (s *Store) Add(sb Sandbox) error {
 	if _, ok := s.sandboxes[sb.ID]; ok {
 		return store.ErrAlreadyExist
 	}
+	if err := s.labels.Reserve(sb.ProcessLabel); err != nil {
+		return err
+	}
 	if err := s.idIndex.Add(sb.ID); err != nil {
 		return err
 	}
@@ -125,6 +131,7 @@ func (s *Store) Delete(id string) {
 		// So we need to return if there are error.
 		return
 	}
+	s.labels.Release(s.sandboxes[id].ProcessLabel)
 	s.idIndex.Delete(id) // nolint: errcheck
 	delete(s.sandboxes, id)
 }

pkg/store/sandbox/sandbox_test.go

@@ -19,6 +19,7 @@ package sandbox
 import (
 	"testing"
 
+	"github.com/containerd/cri/pkg/store/label"
 	assertlib "github.com/stretchr/testify/assert"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 
@@ -109,7 +110,7 @@ func TestSandboxStore(t *testing.T) {
 		Status{State: StateUnknown},
 	)
 	assert := assertlib.New(t)
-	s := NewStore()
+	s := NewStore(label.NewStore())
 
 	t.Logf("should be able to add sandbox")
 	for _, sb := range sandboxes {