Add MCS label support

Carry of #1246

Signed-off-by: Darren Shepherd <darren@rancher.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>

pkg/store/container/container.go

@@ -20,6 +20,7 @@ import (
 	"sync"
 
 	"github.com/containerd/containerd"
+	"github.com/containerd/cri/pkg/store/label"
 	"github.com/docker/docker/pkg/truncindex"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 
@@ -101,13 +102,15 @@ type Store struct {
 	lock       sync.RWMutex
 	containers map[string]Container
 	idIndex    *truncindex.TruncIndex
+	labels     *label.Store
 }
 
 // NewStore creates a container store.
-func NewStore() *Store {
+func NewStore(labels *label.Store) *Store {
 	return &Store{
 		containers: make(map[string]Container),
 		idIndex:    truncindex.NewTruncIndex([]string{}),
+		labels:     labels,
 	}
 }
 
@@ -119,6 +122,9 @@ func (s *Store) Add(c Container) error {
 	if _, ok := s.containers[c.ID]; ok {
 		return store.ErrAlreadyExist
 	}
+	if err := s.labels.Reserve(c.ProcessLabel); err != nil {
+		return err
+	}
 	if err := s.idIndex.Add(c.ID); err != nil {
 		return err
 	}
@@ -165,6 +171,7 @@ func (s *Store) Delete(id string) {
 		// So we need to return if there are error.
 		return
 	}
+	s.labels.Release(s.containers[id].ProcessLabel)
 	s.idIndex.Delete(id) // nolint: errcheck
 	delete(s.containers, id)
 }

pkg/store/container/container_test.go

@@ -17,9 +17,12 @@
 package container
 
 import (
+	"strings"
 	"testing"
 	"time"
 
+	"github.com/containerd/cri/pkg/store/label"
+	"github.com/opencontainers/selinux/go-selinux"
 	assertlib "github.com/stretchr/testify/assert"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 
@@ -39,9 +42,10 @@ func TestContainerStore(t *testing.T) {
 					Attempt: 1,
 				},
 			},
-			ImageRef:   "TestImage-1",
-			StopSignal: "SIGTERM",
-			LogPath:    "/test/log/path/1",
+			ImageRef:     "TestImage-1",
+			StopSignal:   "SIGTERM",
+			LogPath:      "/test/log/path/1",
+			ProcessLabel: "junk:junk:junk:c1,c2",
 		},
 		"2abcd": {
 			ID:        "2abcd",
@@ -53,9 +57,10 @@ func TestContainerStore(t *testing.T) {
 					Attempt: 2,
 				},
 			},
-			StopSignal: "SIGTERM",
-			ImageRef:   "TestImage-2",
-			LogPath:    "/test/log/path/2",
+			StopSignal:   "SIGTERM",
+			ImageRef:     "TestImage-2",
+			LogPath:      "/test/log/path/2",
+			ProcessLabel: "junk:junk:junk:c1,c2",
 		},
 		"4a333": {
 			ID:        "4a333",
@@ -67,9 +72,10 @@ func TestContainerStore(t *testing.T) {
 					Attempt: 3,
 				},
 			},
-			StopSignal: "SIGTERM",
-			ImageRef:   "TestImage-3",
-			LogPath:    "/test/log/path/3",
+			StopSignal:   "SIGTERM",
+			ImageRef:     "TestImage-3",
+			LogPath:      "/test/log/path/3",
+			ProcessLabel: "junk:junk:junk:c1,c3",
 		},
 		"4abcd": {
 			ID:        "4abcd",
@@ -81,8 +87,9 @@ func TestContainerStore(t *testing.T) {
 					Attempt: 1,
 				},
 			},
-			StopSignal: "SIGTERM",
-			ImageRef:   "TestImage-4abcd",
+			StopSignal:   "SIGTERM",
+			ImageRef:     "TestImage-4abcd",
+			ProcessLabel: "junk:junk:junk:c1,c4",
 		},
 	}
 	statuses := map[string]Status{
@@ -136,7 +143,14 @@ func TestContainerStore(t *testing.T) {
 		containers[id] = container
 	}
 
-	s := NewStore()
+	s := NewStore(label.NewStore())
+	reserved := map[string]bool{}
+	s.labels.Reserver = func(label string) {
+		reserved[strings.SplitN(label, ":", 4)[3]] = true
+	}
+	s.labels.Releaser = func(label string) {
+		reserved[strings.SplitN(label, ":", 4)[3]] = false
+	}
 
 	t.Logf("should be able to add container")
 	for _, c := range containers {
@@ -155,6 +169,15 @@ func TestContainerStore(t *testing.T) {
 	cs := s.List()
 	assert.Len(cs, len(containers))
 
+	if selinux.GetEnabled() {
+		t.Logf("should have reserved labels (requires -tag selinux)")
+		assert.Equal(map[string]bool{
+			"c1,c2": true,
+			"c1,c3": true,
+			"c1,c4": true,
+		}, reserved)
+	}
+
 	cntrNum := len(containers)
 	for testID, v := range containers {
 		truncID := genTruncIndex(testID)
@@ -173,6 +196,15 @@ func TestContainerStore(t *testing.T) {
 		assert.Equal(Container{}, c)
 		assert.Equal(store.ErrNotExist, err)
 	}
+
+	if selinux.GetEnabled() {
+		t.Logf("should have released all labels (requires -tag selinux)")
+		assert.Equal(map[string]bool{
+			"c1,c2": false,
+			"c1,c3": false,
+			"c1,c4": false,
+		}, reserved)
+	}
 }
 
 func TestWithContainerIO(t *testing.T) {

pkg/store/container/metadata.go

@@ -61,6 +61,8 @@ type Metadata struct {
 	// StopSignal is the system call signal that will be sent to the container to exit.
 	// TODO(random-liu): Add integration test for stop signal.
 	StopSignal string
+	// ProcessLabel is the SELinux process label for the container
+	ProcessLabel string
 }
 
 // MarshalJSON encodes Metadata into bytes in json format.