opencontainers/selinux

Detecting duplicates in new API

crosbymichael opened this issue · 2 comments

If we use the new API in the root of the selinux package, functions like:

package selinux

import "strings"

// ReserveLabel reserves the MLS/MCS level component of the specified label
func ReserveLabel(label string) {
	if len(label) != 0 {
		con := strings.SplitN(label, ":", 4)
		if len(con) > 3 {
			// mcsAdd is the package's unexported reservation helper; its error is discarded here
			mcsAdd(con[3])
		}
	}
}

do not return the error from mcsAdd().

How do we detect duplicate labels from this or does this matter anymore? Should we handle this in higher layers or should we expand the package a little bit to add functions like:

MustReserveLabel(label string) error { ???

We allow more than one container to run with a label now.
I think adding a new interface is fine if you want to guarantee uniqueness.

Users can specify that they want to use a label --security-opt label=level:s0:c1,c2
Also sharing containers pid namespace and/or ipc namespace can cause duplicate reservations.

OK, I think I'll just handle duplicates in the high layers for now and not touch the current API.

Thanks!
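A higher-layer duplicate check of the kind the thread settles on, added here as an example (not code from opencontainers/selinux or from this thread). LevelRegistry, Reserve, ErrDuplicateLabel and the container IDs are assumed names; the shared flag models the shared pid/ipc namespace case mentioned above, where a repeated level is intentional.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrDuplicateLabel: the MCS level is already held by another container.
var ErrDuplicateLabel = errors.New("selinux: MCS level already reserved")

// LevelRegistry is an assumed higher-layer registry (not part of the
// opencontainers/selinux package) mapping reserved MCS levels to owners.
type LevelRegistry struct {
	levels map[string]string // MCS level -> owning container ID
}

func NewLevelRegistry() *LevelRegistry {
	return &LevelRegistry{levels: make(map[string]string)}
}

// mcsLevel extracts the level field exactly as ReserveLabel does:
// SplitN into at most 4 fields of user:role:type:level, take the 4th.
func mcsLevel(label string) string {
	if con := strings.SplitN(label, ":", 4); len(con) > 3 {
		return con[3]
	}
	return ""
}

// Reserve records the label's MCS level for container id. A different
// container asking for the same level gets ErrDuplicateLabel unless shared
// is true (shared pid/ipc namespace, so the duplicate is intentional).
func (r *LevelRegistry) Reserve(id, label string, shared bool) error {
	level := mcsLevel(label)
	if level == "" {
		return nil // fewer than 4 fields: no level component, nothing to reserve
	}
	if owner, taken := r.levels[level]; taken && owner != id && !shared {
		return fmt.Errorf("%w: %s is held by %s", ErrDuplicateLabel, level, owner)
	} else if !taken {
		r.levels[level] = id
	}
	return nil
}

func main() {
	r := NewLevelRegistry()
	fmt.Println(r.Reserve("c1", "system_u:system_r:container_t:s0:c1,c2", false)) // <nil>
	fmt.Println(r.Reserve("c2", "system_u:system_r:container_t:s0:c1,c2", false)) // duplicate error
}
```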