SetKeyLabel: add thread group leader requirement

Since commit bbbc51c ("Need to set process attributes not task")
SetKeyLabel and KeyLabel operate on /proc/self/attr/keycreate, which
can only be modified by the thread group leader; a non thread group
leader thread will get EACCES:

> write /proc/self/attr/keycreate: permission denied

Let's document that, and return a more meaningful error (ErrNotTGLeader)
if that is the case.

Modify the test case accordingly, i.e. skip it if the current thread is
not the thread group leader.

Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

go-selinux/selinux.go

@@ -41,6 +41,10 @@ var (
 	// ErrVerifierNil is returned when a context verifier function is nil.
 	ErrVerifierNil = errors.New("verifier function is nil")
 
+	// ErrNotTGLeader is returned by [SetKeyLabel] if the calling thread
+	// is not the thread group leader.
+	ErrNotTGLeader = errors.New("calling thread is not the thread group leader")
+
 	// CategoryRange allows the upper bound on the category range to be adjusted
 	CategoryRange = DefaultCategoryRange
 
@@ -180,10 +184,14 @@ func PeerLabel(fd uintptr) (string, error) {
 }
 
 // SetKeyLabel takes a process label and tells the kernel to assign the
-// label to the next kernel keyring that gets created. Calls to SetKeyLabel
-// should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until
-// the kernel keyring is created to guarantee another goroutine does not migrate
-// to the current thread before execution is complete.
+// label to the next kernel keyring that gets created.
+//
+// Calls to SetKeyLabel should be wrapped in
+// runtime.LockOSThread()/runtime.UnlockOSThread() until the kernel keyring is
+// created to guarantee another goroutine does not migrate to the current
+// thread before execution is complete.
+//
+// Only the thread group leader can set key label.
 func SetKeyLabel(label string) error {
 	return setKeyLabel(label)
 }

go-selinux/selinux_linux.go

@@ -735,6 +735,9 @@ func setKeyLabel(label string) error {
 	if label == "" && errors.Is(err, os.ErrPermission) {
 		return nil
 	}
+	if errors.Is(err, unix.EACCES) && unix.Getuid() != unix.Gettid() {
+		return ErrNotTGLeader
+	}
 	return err
 }
 

go-selinux/selinux_linux_test.go

@@ -11,6 +11,8 @@ import (
 	"strconv"
 	"strings"
 	"testing"
+
+	"golang.org/x/sys/unix"
 )
 
 func TestSetFileLabel(t *testing.T) {
@@ -212,6 +214,16 @@ func TestKeyLabel(t *testing.T) {
 		t.Skip("SELinux not enabled, skipping.")
 	}
 
+	// Ensure the thread stays the same for duration of the test.
+	// Otherwise Go runtime can switch this to a different thread,
+	// which results in EACCES in call to SetKeyLabel.
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	if unix.Getpid() != unix.Gettid() {
+		t.Skip(ErrNotTGLeader)
+	}
+
 	label := "system_u:object_r:container_t:s0:c1,c2"
 	if err := SetKeyLabel(label); err != nil {
 		t.Fatal(err)