Implement a crate like opencontainers/selinux #2718
@utam0k |
Hey @Gekko0114 , do you need any help with this? |
Thanks, but I don't have enough time to work on these days.. |
I completely understand, no worries!
This is not exactly urgent, but given that this is an incorrect implementation , I would prefer to have it fixed sooner than later. I was just wondering if you are still planning to work on this or not, so pinged you. Take your time 💜 |
Sorry for not doing this task for a while. I will resume it.
|
No worries! Hey @Gekko0114 , I don't think I'll be able to help much in near future, but one thing I can suggest is we can implement this under the Also checking the files, |
Sure, thanks for your suggestion! SGTM. |
I agree with @YJDoc2 . It would be a good idea. |
I have a question. go-selinux handles xattr https://github.com/opencontainers/selinux/blob/main/go-selinux/selinux_linux.go#L346. However, https://github.com/nix-rust/nix doesn't seem to have functions handling xattr. Should I create a crate handling xattr as well? |
Hey, regarding this: if the implementation of the related xattr functions is not too complex, and there are not too many edge cases to be considered, I'd prefer not to add a dependency to deal with it. For implementing it, I'd prefer to have it as a module in the same selinux crate instead of a separate crate, so that we don't have to publish and manage two crates for this. wdyt? |
SGTM, thanks! Then I will add xattr function in one crate. |
Since the initial motivation for the SELinux project is that Youki doesn't follow runc's implementation regarding SELinux, can I implement the SELinux part in Youki? |
Hey, I think we should be able to start with this change now that we have finished the experimental crate. I have a couple of minor comments for that crate I feel we should discuss before we move that crate from experimental to "stable". Will add them here in some time. Also need to discuss if we are going to publish this crate as a standalone crate (like libcontainer, libcgroups etc.) as well. I also want to thank you @Gekko0114 for all your work and follow up on this. Thanks for making Youki better 💜 |
Sure, then I will implement the part utilizing SELinux in runc.
You're welcome, thank you so much for your kind review ❤️ |
So my questions were -
Apart from that I think we can bring the create from exp to normal crates and start integrating with youki. Also we need to make sure that we make this releasable, so in next release the dependencies do not give issues. |
Thanks @YJDoc2 Q1: After creating a PR fixing these two questions, I will start implementing SELinux part in Youki. |
Since I've merged the PR based on feedback from @YJDoc2, I will start implementing the SELinux part in Youki. |
@Gekko0114 As far as I know, the selinux crate is ready for integration into youki itself. What do you think? |
I agree. Basically, the selinux crate should work fine. BTW, sorry for not working on implementing the SELinux logic in Youki. I will work on it when I have time |
Don't worry. I'm happy to know your schedule and willingness. |
After reading runc's and Youki's source codes, I understood what I have to do.
I will create PRs related to these four points. |
It sounds good to me, but I'd like to refactor it before integrating this crate into libcontainer. |
@utam0k a happy new year! |
First of all, we have to publish it to crates.io before using it from libcontainer. |
@Gekko0114 I'd like to make it simple by removing the functions we wouldn't use in youki. WDYT? |
Basically sounds good to me, but I guess most functions in the selinux crate wouldn't be used in Youki. |
Since we need to keep the functions related to labels and config, I'll keep most of the functions. |
Sure, no problem! |
Background
In this PR #2688, it was found that the implementation of the Linux mount label is different between runc and youki.
What we will do
Youki should follow runc's implementation.
Therefore, we will implement the crate like opencontainers/selinux in this issue.
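The thread settles on keeping the label-related functions and adding the xattr handling as a module of the selinux crate rather than pulling in a dependency. The following is an added example written for this page, not code from youki, its selinux crate, or opencontainers/selinux. It shows the three pieces a mount-label implementation needs: parsing a `user:role:type[:level]` context (the MCS level contains its own `:` and `,`, which is the usual parsing trap), formatting the `context="..."` mount option the way runc's `FormatMountLabel` does, and reading a file's `security.selinux` xattr through `getxattr(2)` with only `std` and an `extern "C"` declaration. The names `Context`, `format_mount_label`, `file_context_for` and `file_label` are this example's own; the `container_t` to `container_file_t` mapping in `file_context_for` is a hard-coded stand-in for what the policy's contexts file would supply, and the errno values are Linux's.

```rust
// Added illustration, not code from youki or opencontainers/selinux.
use std::fmt;

/// An SELinux security context: user:role:type[:level].
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Context {
    pub user: String,
    pub role: String,
    pub typ: String,
    /// MLS/MCS level such as "s0" or "s0:c12,c34"; empty when absent.
    pub level: String,
}

impl Context {
    /// Parse "user:role:type[:level]". The level may itself contain ':'
    /// (sensitivity:categories), so only the first three fields are split off.
    pub fn parse(label: &str) -> Result<Context, String> {
        let parts: Vec<&str> = label.splitn(4, ':').collect();
        if parts.len() < 3 || parts[..3].iter().any(|p| p.is_empty()) {
            return Err(format!("invalid SELinux context {label:?}"));
        }
        Ok(Context {
            user: parts[0].to_string(),
            role: parts[1].to_string(),
            typ: parts[2].to_string(),
            level: parts.get(3).copied().unwrap_or("").to_string(),
        })
    }
}

impl fmt::Display for Context {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}:{}:{}", self.user, self.role, self.typ)?;
        if !self.level.is_empty() {
            write!(f, ":{}", self.level)?;
        }
        Ok(())
    }
}

/// Derive the file (mount) context for a container process context.
/// Assumed convention for this example: container_t -> container_file_t with
/// object_r and the same MCS categories, so only that container can reach its files.
pub fn file_context_for(process: &Context) -> Context {
    let typ = if process.typ == "container_t" { "container_file_t" } else { &process.typ };
    Context { role: "object_r".into(), typ: typ.into(), ..process.clone() }
}

/// Build the mount option string runc-style: `src,context="label"`. An empty
/// mount label leaves `src` untouched; an empty `src` yields only the context
/// option. The label is quoted because MCS levels contain commas.
pub fn format_mount_label(src: &str, mount_label: &str) -> String {
    match (src.is_empty(), mount_label.is_empty()) {
        (_, true) => src.to_string(),
        (true, false) => format!("context=\"{mount_label}\""),
        (false, false) => format!("{src},context=\"{mount_label}\""),
    }
}

#[cfg(target_os = "linux")]
pub mod xattr {
    use super::Context;
    use std::ffi::CString;
    use std::io;
    use std::os::raw::{c_char, c_void};

    extern "C" {
        // ssize_t getxattr(const char *path, const char *name, void *value, size_t size);
        fn getxattr(path: *const c_char, name: *const c_char, value: *mut c_void, size: usize) -> isize;
    }
    const ENODATA: i32 = 61; // attribute not present
    const ENOTSUP: i32 = 95; // filesystem cannot store xattrs (EOPNOTSUPP)

    /// Read a file's security.selinux xattr. Ok(None) means "no label"; other
    /// errno values (EACCES, ENOENT, ...) are returned as real errors.
    pub fn file_label(path: &str) -> io::Result<Option<Context>> {
        let cpath = CString::new(path)?;
        let name = CString::new("security.selinux").expect("static name");
        // Size 0 asks the kernel only for the length of the value.
        let len = unsafe { getxattr(cpath.as_ptr(), name.as_ptr(), std::ptr::null_mut(), 0) };
        if len < 0 {
            let err = io::Error::last_os_error();
            return match err.raw_os_error() {
                Some(ENODATA) | Some(ENOTSUP) => Ok(None),
                _ => Err(err),
            };
        }
        let mut buf = vec![0u8; len as usize];
        let n = unsafe { getxattr(cpath.as_ptr(), name.as_ptr(), buf.as_mut_ptr() as *mut c_void, buf.len()) };
        if n < 0 {
            return Err(io::Error::last_os_error());
        }
        buf.truncate(n as usize);
        while buf.last() == Some(&0) { buf.pop(); } // value is stored NUL-terminated
        if buf.is_empty() {
            return Ok(None);
        }
        let text = String::from_utf8(buf).map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
        Context::parse(&text).map(Some).map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))
    }
}

fn main() {
    let process = Context::parse("system_u:system_r:container_t:s0:c12,c34").expect("valid context");
    let file = file_context_for(&process);
    println!("{}", format_mount_label("rw", &file.to_string()));
    #[cfg(target_os = "linux")]
    {
        let path = std::env::args().nth(1).unwrap_or_else(|| "/".to_string());
        match xattr::file_label(&path) {
            Ok(Some(ctx)) => println!("{path}: {ctx}"),
            Ok(None) => println!("{path}: no SELinux label"),
            Err(e) => eprintln!("{path}: getxattr failed: {e}"),
        }
    }
}
```

Run it with a path argument on an SELinux-enabled host to see the file's label; on a host without SELinux, `getxattr` reports ENODATA or ENOTSUP and the example prints "no SELinux label" instead of failing, which is the distinction a container runtime needs when deciding whether to skip relabeling.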