SetKeyLabel: add thread group leader requirement

kolyshkin · kolyshkin · commit 88a443731a71 · 2025-03-11T19:44:49.000-07:00
Since commit bbbc51c ("Need to set process attributes not task") SetKeyLabel and KeyLabel operate on /proc/self/attr/keycreate, which can only be modified by the thread group leader; a non thread group leader thread will get EACCES: > write /proc/self/attr/keycreate: permission denied Let's document that, and return a more meaningful error (ErrNotTGLeader) if that is the case. Modify the test case accordingly, i.e. skip it if the current thread is not the thread group leader. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
diff --git a/go-selinux/label/label_linux_test.go b/go-selinux/label/label_linux_test.go
@@ -7,6 +7,8 @@ import (
 	"strings"
 	"testing"
 
+	"golang.org/x/sys/unix"
+
 	"github.com/opencontainers/selinux/go-selinux"
 )
 
@@ -204,6 +206,16 @@ func TestSocketLabel(t *testing.T) {
 func TestKeyLabel(t *testing.T) {
 	needSELinux(t)
 
+	// Ensure the thread stays the same for duration of the test.
+	// Otherwise Go runtime can switch this to a different thread,
+	// which results in EACCES in call to SetKeyLabel.
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	if unix.Getpid() != unix.Gettid() {
+		t.Skip(selinux.ErrNotTGLeader)
+	}
+
 	label := "system_u:object_r:container_t:s0:c1,c2"
 	if err := selinux.SetKeyLabel(label); err != nil {
 		t.Fatal(err)
diff --git a/go-selinux/selinux.go b/go-selinux/selinux.go
@@ -41,6 +41,10 @@ var (
 	// ErrVerifierNil is returned when a context verifier function is nil.
 	ErrVerifierNil = errors.New("verifier function is nil")
 
+	// ErrNotTGLeader is returned by [SetKeyLabel] if the calling thread
+	// is not the thread group leader.
+	ErrNotTGLeader = errors.New("calling thread is not the thread group leader")
+
 	// CategoryRange allows the upper bound on the category range to be adjusted
 	CategoryRange = DefaultCategoryRange
 
@@ -180,10 +184,14 @@ func PeerLabel(fd uintptr) (string, error) {
 }
 
 // SetKeyLabel takes a process label and tells the kernel to assign the
-// label to the next kernel keyring that gets created. Calls to SetKeyLabel
-// should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until
-// the kernel keyring is created to guarantee another goroutine does not migrate
-// to the current thread before execution is complete.
+// label to the next kernel keyring that gets created.
+//
+// Calls to SetKeyLabel should be wrapped in
+// runtime.LockOSThread()/runtime.UnlockOSThread() until the kernel keyring is
+// created to guarantee another goroutine does not migrate to the current
+// thread before execution is complete.
+//
+// Only the thread group leader can set key label.
 func SetKeyLabel(label string) error {
 	return setKeyLabel(label)
 }
diff --git a/go-selinux/selinux_linux.go b/go-selinux/selinux_linux.go
@@ -731,6 +731,9 @@ func setKeyLabel(label string) error {
 	if label == "" && errors.Is(err, os.ErrPermission) {
 		return nil
 	}
+	if errors.Is(err, unix.EACCES) && unix.Getuid() != unix.Gettid() {
+		return ErrNotTGLeader
+	}
 	return err
 }
 

Original file line number	Diff line number	Diff line change
`@@ -731,6 +731,9 @@ func setKeyLabel(label string) error {`
`731`	`731`	`if label == "" && errors.Is(err, os.ErrPermission) {`
`732`	`732`	`return nil`
`733`	`733`	`}`
	`734`	`+ if errors.Is(err, unix.EACCES) && unix.Getuid() != unix.Gettid() {`
	`735`	`+ return ErrNotTGLeader`
	`736`	`+ }`
`734`	`737`	`return err`
`735`	`738`	`}`
`736`	`739`