Add LFileLabel and LSetFileLabel #169
Conversation
rhatdan
requested review from
kolyshkin,
mrunalp,
runcom and
thaJeztah
as code owners
|
This is a breaking change, but I think it is worth it, and probably affects almost nobody. |
|
@nalind PTAL |
|
@thaJeztah @kolyshkin @mrunalp PTAL |
go-selinux/selinux.go
Outdated
| // SetFileLabel sets the SELinux label for this path or returns an error. | ||
| // follow symlinks |
There was a problem hiding this comment.
This have to be a complete sentence.
go-selinux/selinux.go
Outdated
| return setFileLabel(fpath, label) | ||
| } | ||
|
|
||
| // SetFileLabel sets the SELinux label for this path or returns an error. |
There was a problem hiding this comment.
s/SetFileLabel/LSetFileLabel/g
go-selinux/selinux.go
Outdated
| } | ||
|
|
||
| // SetFileLabel sets the SELinux label for this path or returns an error. | ||
| // does not follow symlinks |
There was a problem hiding this comment.
If the argument is a symbolic link, the label is set on the link itself. This function makes no attempt to follow the symlink.
Or somesuch.
go-selinux/selinux.go
Outdated
| // LFileLabel returns the SELinux label for this path does not follow symlinks | ||
| // or returns an error. |
There was a problem hiding this comment.
Does not look like a valid English sentence.
go-selinux/selinux_linux.go
Outdated
| return index, nil | ||
| } | ||
|
|
||
| // setFileLabel sets the SELinux label for this path or returns an error. |
There was a problem hiding this comment.
s/setFileLabel/lsetFileLabel/
go-selinux/selinux.go
Outdated
|
|
||
| // SetFileLabel sets the SELinux label for this path or returns an error. | ||
| // does not follow symlinks | ||
| func LSetFileLabel(fpath string, label string) error { |
There was a problem hiding this comment.
Maybe it should be named LsetFileLabel as other similar functions have lowercase letter after L (os.Lstat, unix.Lsetxattr).
go-selinux/selinux_linux.go
Outdated
| return string(label), nil | ||
| } | ||
|
|
||
| // fileLabel returns the SELinux label for this path or returns an error. |
| func lfileLabel(fpath string) (string, error) { | ||
| if fpath == "" { | ||
| return "", ErrEmptyPath | ||
| } |
There was a problem hiding this comment.
I would use lFileLabel.
go-selinux/selinux_linux.go
Outdated
|
|
||
| label, err := getxattr(fpath, xattrNameSelinux) | ||
| if err != nil { | ||
| return "", &os.PathError{Op: "lgetxattr", Path: fpath, Err: err} |
There was a problem hiding this comment.
typo: /slgetxattr/getxattr/
go-selinux/xattrs_linux.go
Outdated
| } | ||
|
|
||
| dest = make([]byte, sz) | ||
| sz, errno = doLgetxattr(path, attr, dest) |
There was a problem hiding this comment.
Typo? s/doLgetxattr/dogetxattr/
rhatdan
force-pushed
the
lgetfile
branch
4 times, most recently
from
7902b0b to
71d5187
Compare
|
@kolyshkin @thaJeztah I think i have fixed all my cut and paste errors. PTAL |
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
code LGTM
the remaining nits are for non-exported functions, not a show-stopper per-se
go-selinux/selinux_linux.go
Outdated
|
|
||
| // setFileLabel sets the SELinux label for this path or returns an error. | ||
| func setFileLabel(fpath string, label string) error { | ||
| // lSetFileLabel sets the SELinux label for this path or returns an error. |
There was a problem hiding this comment.
nit: I guess this one also could use the "not following symlinks"
go-selinux/selinux_linux.go
Outdated
| return nil | ||
| } | ||
|
|
||
| // setFileLabel sets the SELinux label for this path or returns an error. |
go-selinux/selinux_linux.go
Outdated
| return string(label), nil | ||
| } | ||
|
|
||
| // lFileLabel returns the SELinux label for this path or returns an error. |
|
The only thing I'm wondering (w.r.t. breaking change); could there be cases where labels are set on |
|
I think this change would not effect a path with a symlink in it, it only effects if the basename is a symlink. But if you were labeling /var/run/foobar, and foobar was a file, it would label the file correctly. |
SELinux C library has two functions for dealing with file labels, one which follows symlinks and one that does not. Golang bindings should work the same way. The lack of this function is resulting in containers/buildah#3630 which has to hack around the problem. Signed-off-by: Daniel J Walsh <[email protected]>
Thanks! Makes sense (should probably have looked closer); agreed I don't expect that to be too problematic. (post-merge LGTM - saw you addressed those last nits; thanks!) |
3 participants
SELinux C library has two functions for dealing with file labels, one
which follows symlinks and one that does not.
Golang bindings should work the same way. The lack of this function is
resulting in containers/buildah#3630 which has
to hack around the problem.
Signed-off-by: Daniel J Walsh [email protected]