// PolicyInit creates a consumable and opens a policy BPF map for every
// reserved identity, so that policy for reserved labels can be enforced
// before any container labels have been resolved.
func (d *Daemon) PolicyInit() error {
	for k, v := range labels.ResDec {
		key := labels.ReservedID(uint32(v)).String()
		lbl := labels.NewLabel(
			key, "", common.ReservedLabelSource,
		)
		secLbl := labels.NewSecCtxLabel()
		secLbl.ID = uint32(v)
		secLbl.AddOrUpdateContainer(lbl.String())
		secLbl.Labels[k] = lbl

		policyMapPath := fmt.Sprintf("%sreserved_%d", common.PolicyMapPath, uint32(v))

		policyMap, _, err := policymap.OpenMap(policyMapPath)
		if err != nil {
			return fmt.Errorf("Could not create policy BPF map '%s': %s", policyMapPath, err)
		}

		c := policy.GetConsumable(uint32(v), secLbl)
		if c == nil {
			return fmt.Errorf("Unable to initialize consumable for %v", secLbl)
		}
		d.reservedConsumables = append(d.reservedConsumables, c)
		c.AddMap(policyMap)
	}

	return nil
}
// PutLabels stores the given labels in consul and returns the SecCtxLabel
// created (or already present) for them, together with a flag that is true
// when a new security label ID had to be allocated.
func (d *Daemon) PutLabels(lbls labels.Labels, contID string) (*labels.SecCtxLabel, bool, error) {
	log.Debugf("Resolving labels %+v of %s", lbls, contID)

	isNew := false

	// Retrieve unique SHA256Sum for labels
	sha256Sum, err := lbls.SHA256Sum()
	if err != nil {
		return nil, false, err
	}
	lblPath := path.Join(common.LabelsKeyPath, sha256Sum)

	// Lock that sha256Sum so that concurrent callers resolving the same label
	// set cannot race on the ref-count or allocate two IDs for one set.
	lockKey, err := d.kvClient.LockPath(lblPath)
	if err != nil {
		return nil, false, err
	}
	defer lockKey.Unlock()

	// After lock complete, get label's path
	rmsg, err := d.kvClient.GetValue(lblPath)
	if err != nil {
		return nil, false, err
	}

	secCtxLbls := labels.NewSecCtxLabel()
	if rmsg == nil {
		secCtxLbls.Labels = lbls
		isNew = true
	} else {
		if err := json.Unmarshal(rmsg, &secCtxLbls); err != nil {
			return nil, false, err
		}
		// If RefCount is 0 then we have to retrieve a new ID
		if secCtxLbls.RefCount() == 0 {
			isNew = true
			secCtxLbls.Containers = make(map[string]time.Time)
		}
	}

	secCtxLbls.AddOrUpdateContainer(contID)

	if isNew {
		if err := d.gasNewSecLabelID(secCtxLbls); err != nil {
			return nil, false, err
		}
	} else if err := d.updateSecLabelIDRef(*secCtxLbls); err != nil {
		return nil, false, err
	}

	log.Debugf("Incrementing label %d ref-count to %d", secCtxLbls.ID, secCtxLbls.RefCount())

	d.AddOrUpdateUINode(secCtxLbls.ID, secCtxLbls.Labels.ToSlice(), secCtxLbls.RefCount())

	err = d.kvClient.SetValue(lblPath, secCtxLbls)

	return secCtxLbls, isNew, err
}
// GetLabels returns the SecCtxLabel that belongs to the given id, or nil if
// no such label set exists or its ref-count has dropped to zero. Reserved IDs
// below common.FirstFreeLabelID are resolved locally without consulting the
// kv store.
func (d *Daemon) GetLabels(id uint32) (*labels.SecCtxLabel, error) {
	if id > 0 && id < common.FirstFreeLabelID {
		key := labels.ReservedID(id).String()
		if key == "" {
			return nil, nil
		}
		lbl := labels.NewLabel(
			key, "", common.ReservedLabelSource,
		)
		secLbl := labels.NewSecCtxLabel()
		secLbl.AddOrUpdateContainer(lbl.String())
		secLbl.ID = id
		secLbl.Labels = labels.Labels{
			common.ReservedLabelSource: lbl,
		}
		return secLbl, nil
	}

	strID := strconv.FormatUint(uint64(id), 10)
	rmsg, err := d.kvClient.GetValue(path.Join(common.LabelIDKeyPath, strID))
	if err != nil {
		return nil, err
	}
	if rmsg == nil {
		return nil, nil
	}

	var secCtxLabels labels.SecCtxLabel
	if err := json.Unmarshal(rmsg, &secCtxLabels); err != nil {
		return nil, err
	}
	// A zero ref-count means the label set has been released; treat it as absent.
	if secCtxLabels.RefCount() == 0 {
		return nil, nil
	}

	return &secCtxLabels, nil
}