Add selinux enable flag to config

Value defaults to runtime detection.

northstar-runtime/src/runtime/config.rs

@@ -34,6 +34,9 @@ pub struct Config {
     /// Notification buffer size
     #[serde(default = "default_notification_buffer_size")]
     pub notification_buffer_size: usize,
+    /// Enable SELinux. The option defaults to the presence of `/sys/fs/selinux/enforce`.
+    #[serde(default = "default_selinux")]
+    pub selinux: bool,
     /// Console configuration.
     #[serde(default)]
     pub console: Console,
@@ -229,6 +232,11 @@ const fn default_notification_buffer_size() -> usize {
     128
 }
 
+/// Default selinux enabled flag.
+fn default_selinux() -> bool {
+    Path::new("/sys/fs/selinux/enforce").exists()
+}
+
 /// Default token validity time.
 const fn default_token_validity() -> time::Duration {
     time::Duration::from_secs(60)

northstar-runtime/src/runtime/fork/forker/mod.rs

@@ -118,7 +118,7 @@ impl Forker {
         debug_assert_eq!(manifest.console.is_some(), console.is_some());
 
         // Request
-        let init = init::build(config, manifest, containers).await?;
+        let init = init::build(config, manifest, containers, config.selinux).await?;
         let request = Message::CreateRequest {
             init,
             io,

northstar-runtime/src/runtime/fork/init/builder.rs

@@ -25,6 +25,7 @@ pub async fn build<'a, I: Iterator<Item = &'a Container> + Clone>(
     config: &Config,
     manifest: &Manifest,
     containers: I,
+    is_selinux_enabled: bool,
 ) -> Result<Init, Error> {
     let container = manifest.container();
     let root = config.run_dir.join(container.to_string());
@@ -46,9 +47,7 @@ pub async fn build<'a, I: Iterator<Item = &'a Container> + Clone>(
         .map(Into::into)
         .sorted()
         .collect();
-    // TODO: Get the selinux state somewhen at boot.
-    let selinux_context = Path::new("/sys/fs/selinux/enforce")
-        .exists()
+    let selinux_context = is_selinux_enabled
         .then(|| manifest.selinux.as_ref().map(|s| s.context.clone()))
         .flatten();
 

northstar-runtime/src/runtime/mount.rs

@@ -114,6 +114,7 @@ impl MountControl {
         npk: &Npk,
         target: &Path,
         key: Option<&PublicKey>,
+        is_selinux_enabled: bool,
     ) -> impl Future<Output = Result<()>> {
         let dm = self.dm.clone();
         let lc = self.lc.clone();
@@ -124,10 +125,11 @@ impl MountControl {
         let fsimg_offset = npk.fsimg_offset();
         let container = npk.manifest().container();
         let verity_header = npk.verity_header().cloned();
-        let selinux_context = npk.manifest().selinux.as_ref().map(|s| s.context.clone());
+        let selinux_context = is_selinux_enabled
+            .then(|| npk.manifest().selinux.as_ref().map(|s| s.context.clone()))
+            .flatten();
         let hashes = npk.hashes().cloned();
         let lo_timeout = self.lo_timeout;
-        let nosuid = npk.manifest().selinux.is_none();
 
         task::spawn_blocking(move || {
             let mount_info = Mount {
@@ -143,7 +145,7 @@ impl MountControl {
                 lo_timeout,
             };
             debug!("Mounting {container}");
-            mount(dm, lc, mount_info, nosuid).map(drop)
+            mount(dm, lc, mount_info).map(drop)
         })
         .map(|r| match r {
             Ok(r) => r,
@@ -176,7 +178,6 @@ fn mount(
     dm: Arc<devicemapper::DeviceMapper>,
     lc: Arc<Mutex<LoopControl>>,
     mount_info: Mount,
-    nosuid: bool,
 ) -> Result<()> {
     let Mount {
         container,
@@ -265,19 +266,15 @@ fn mount(
 
     // nosuid prevents a successfull transition to the container context.
     // https://danwalsh.livejournal.com/68723.html
-    let flags = if nosuid {
+    let flags = if selinux_context.is_none() {
         MountFlags::MS_RDONLY | MountFlags::MS_NOSUID
     } else {
         MountFlags::MS_RDONLY
     };
     let source = Some(&device);
     const FSTYPE: Option<&str> = Some(FS_TYPE);
-    // TODO: Get the selinux state somewhen at boot.
-    let data = if Path::new("/sys/fs/selinux/enforce").exists() {
-        selinux_context.map(|selinux_context| format!("{}{}", "context=", selinux_context.as_str()))
-    } else {
-        None
-    };
+    let data = selinux_context
+        .map(|selinux_context| format!("{}{}", "context=", selinux_context.as_str()));
     let mount_result = nix::mount::mount(source, target, FSTYPE, flags, data.as_deref());
 
     if let Err(ref e) = mount_result {

northstar-runtime/src/runtime/state.rs

@@ -308,7 +308,7 @@ impl State {
         let root = self.config.run_dir.join(container.to_string());
         let mount_control = self.mount_control.clone();
         mount_control
-            .mount(npk, &root, key.as_ref())
+            .mount(npk, &root, key.as_ref(), self.config.selinux)
             .map_ok(|_| root)
     }
 

northstar-tests/src/runtime.rs

@@ -127,6 +127,7 @@ impl Runtime {
             loop_device_timeout: time::Duration::from_secs(10),
             cgroup: NonNulString::try_from(format!("northstar-{}", nanoid!())).unwrap(),
             repositories,
+            selinux: false,
             console: Console {
                 global: Some(ConsoleGlobal {
                     bind: console_url(),