refactor: optimize flags and SetLabel

Do not do string lookups in repetitive calls. We do not support changing SELinux status during runtime, so once we read this we can assume status does not change. Also avoid unneeded FS writes when appropriate label is already set on file. Signed-off-by: Dmitry Sharshakov <[email protected]>
siderolabs · Nov 20, 2024 · ac3e656 · ac3e656
1 parent 4dc58cf
commit ac3e656
Showing 1 changed file with 33 additions and 12 deletions.
diff --git a/internal/pkg/selinux/selinux.go b/internal/pkg/selinux/selinux.go
@@ -6,54 +6,75 @@
 package selinux
 
 import (
+	"bytes"
 	_ "embed"
 	"log"
 	"os"
+	"sync"
 
+	"github.com/pkg/xattr"
 	"github.com/siderolabs/go-procfs/procfs"
-	"golang.org/x/sys/unix"
 
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
 //go:embed policy/policy.33
 var policy []byte
 
-// IsEnabled checks if SELinux is enabled on the system by reading
-// the kernel command line. It returns true if SELinux is enabled,
-// otherwise it returns false. It also ensures we're not in a container.
-// By default SELinux is disabled.
-func IsEnabled() bool {
+var onceIsEnabled = sync.OnceValue(func() bool {
 	if _, err := os.Stat("/usr/etc/in-container"); err == nil {
 		return false
 	}
 
 	val := procfs.ProcCmdline().Get(constants.KernelParamSELinux).First()
 
 	return val != nil && *val == "1"
+})
+
+// IsEnabled checks if SELinux is enabled on the system by reading
+// the kernel command line. It returns true if SELinux is enabled,
+// otherwise it returns false. It also ensures we're not in a container.
+// By default SELinux is disabled.
+func IsEnabled() bool {
+	return onceIsEnabled()
 }
 
-// IsEnforcing checks if SELinux is enabled and the mode should be enforcing.
-// By default if SELinux is enabled we consider it to be permissive.
-func IsEnforcing() bool {
+var onceIsEnforcing = sync.OnceValue(func() bool {
 	if !IsEnabled() {
 		return false
 	}
 
 	val := procfs.ProcCmdline().Get(constants.KernelParamSELinuxEnforcing).First()
 
 	return val != nil && *val == "1"
+})
+
+// IsEnforcing checks if SELinux is enabled and the mode should be enforcing.
+// By default if SELinux is enabled we consider it to be permissive.
+func IsEnforcing() bool {
+	return onceIsEnforcing()
 }
 
-// SetLabel sets label for file or directory, following symlinks
-// It does not perform the operation in case SELinux is disabled or provided label is empty.
+// SetLabel sets label for file, directory or symlink (not following symlinks)
+// It does not perform the operation in case SELinux is disabled, provided label is empty or already set.
 func SetLabel(filename string, label string) error {
 	if label == "" {
 		return nil
 	}
 
 	if IsEnabled() {
-		if err := unix.Lsetxattr(filename, "security.selinux", []byte(label), 0); err != nil {
+		// We use LGet/LSet so that we manipulate label on the exact path, not the symlink target.
+		currentLabel, err := xattr.LGet(filename, "security.selinux")
+		if err != nil {
+			return err
+		}
+
+		// Skip extra FS transactions when labels are okay.
+		if string(bytes.Trim(currentLabel, "\x00\n")) == label {
+			return nil
+		}
+
+		if err := xattr.LSet(filename, "security.selinux", []byte(label)); err != nil {
 			return err
 		}
 	}