Detecting duplicates in new API
crosbymichael opened this issue · 2 comments
If we use the new API in the root of the selinux package, functions like:
    // ReserveLabel reserves the MLS/MCS level component of the specified label
    func ReserveLabel(label string) {
    	if len(label) != 0 {
    		con := strings.SplitN(label, ":", 4)
    		if len(con) > 3 {
    			mcsAdd(con[3])
    		}
    	}
    }

do not return the error from mcsAdd().
How do we detect duplicate labels from this or does this matter anymore? Should we handle this in higher layers or should we expand the package a little bit to add functions like:
MustReserveLabel(label string) error {
???
We allow more than one container to run with a label now.
I think adding a new interface is fine if you want to guarantee uniqueness.
Users can specify that they want to use a label --security-opt label=level:s0:c1,c2
Also sharing containers pid namespace and/or ipc namespace can cause duplicate reservations.
OK, I think I'll just handle duplicates in the high layers for now and not touch the current API.
Thanks!
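One way the higher-layer duplicate handling settled on in this thread could look, as an added example that is not code from the selinux package or from anyone in the thread. `levelTracker`, `ErrLevelInUse`, `Reserve`, `Release` and the `shared` flag are hypothetical names, the label is a constructed sample, and levels are compared as exact strings.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrLevelInUse and levelTracker are hypothetical names, not selinux package API.
var ErrLevelInUse = errors.New("MLS/MCS level already reserved")

// levelTracker maps a level to its number of holders; it is not goroutine-safe.
type levelTracker map[string]int

// levelOf splits the label the way ReserveLabel does; "" means no level field.
func levelOf(label string) string {
	if con := strings.SplitN(label, ":", 4); len(con) > 3 {
		return con[3]
	}
	return ""
}

// Reserve rejects a duplicate level unless shared is set (user-chosen level or shared pid/ipc namespace).
func (t levelTracker) Reserve(label string, shared bool) error {
	level := levelOf(label)
	if level == "" {
		return nil // nothing to track
	}
	if t[level] > 0 && !shared {
		return fmt.Errorf("%w: %s", ErrLevelInUse, level)
	}
	t[level]++
	return nil
}

// Release drops one holder and reports whether the level is now free.
func (t levelTracker) Release(label string) bool {
	level := levelOf(label)
	if t[level] == 0 {
		return false
	}
	t[level]--
	return t[level] == 0
}

func main() {
	t, l := levelTracker{}, "system_u:system_r:container_t:s0:c1,c2" // constructed sample label
	fmt.Println(t.Reserve(l, false), t.Reserve(l, false), t.Reserve(l, true))
}
```

The caller would invoke the package's `ReserveLabel` only after `Reserve` succeeds, and give the level back only when `Release` returns true.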