open context files lazily

capnspacehook · capnspacehook · commit 32b994597a1c · 2025-11-20T14:14:32.000-05:00
Signed-off-by: Andrew LeFevre &lt;andrew.lefevre@goteleport.com&gt;
diff --git a/go-selinux/selinux_linux.go b/go-selinux/selinux_linux.go
@@ -57,11 +57,19 @@ type mlsRange struct {
 	high *level
 }
 
+type openReaderCloser func() (io.ReadCloser, error)
+
+func createOpener(path string) openReaderCloser {
+	return func() (io.ReadCloser, error) {
+		return os.Open(path)
+	}
+}
+
 type defaultSECtx struct {
-	userRdr           io.Reader
+	openUserRdr       openReaderCloser
 	verifier          func(string) error
-	defaultRdr        io.Reader
-	failsafeRdr       io.Reader
+	openDefaultRdr    openReaderCloser
+	openFailsafeRdr   openReaderCloser
 	user, level, scon string
 }
 
@@ -1491,7 +1499,13 @@ func getDefaultContextFromReaders(c *defaultSECtx) (string, error) {
 	context["user"] = c.user
 	context["level"] = c.level
 
-	conn, err := findUserInContext(context, c.userRdr, c.verifier)
+	userRdr, err := c.openUserRdr()
+	if err != nil {
+		return "", fmt.Errorf("failed to open user context file: %w", err)
+	}
+	defer userRdr.Close()
+
+	conn, err := findUserInContext(context, userRdr, c.verifier)
 	if err != nil {
 		return "", fmt.Errorf("failed to read %q's user context file: %w", c.user, err)
 	}
@@ -1500,7 +1514,13 @@ func getDefaultContextFromReaders(c *defaultSECtx) (string, error) {
 		return conn, nil
 	}
 
-	conn, err = findUserInContext(context, c.defaultRdr, c.verifier)
+	defaultRdr, err := c.openDefaultRdr()
+	if err != nil {
+		return "", fmt.Errorf("failed to open default context file: %w", err)
+	}
+	defer defaultRdr.Close()
+
+	conn, err = findUserInContext(context, defaultRdr, c.verifier)
 	if err != nil {
 		return "", fmt.Errorf("failed to read default user context file: %w", err)
 	}
@@ -1509,7 +1529,13 @@ func getDefaultContextFromReaders(c *defaultSECtx) (string, error) {
 		return conn, nil
 	}
 
-	conn, err = getFailsafeContext(context, c.failsafeRdr, c.verifier)
+	failsafeRdr, err := c.openFailsafeRdr()
+	if err != nil {
+		return "", fmt.Errorf("failed to open failsafe context file: %w", err)
+	}
+	defer failsafeRdr.Close()
+
+	conn, err = getFailsafeContext(context, failsafeRdr, c.verifier)
 	if err != nil {
 		return "", fmt.Errorf("failed to read failsafe_context: %w", err)
 	}
@@ -1523,34 +1549,17 @@ func getDefaultContextFromReaders(c *defaultSECtx) (string, error) {
 
 func getDefaultContextWithLevel(user, level, scon string) (string, error) {
 	userPath := filepath.Join(policyRoot(), selinuxUsersDir, user)
-	fu, err := os.Open(userPath)
-	if err != nil {
-		return "", fmt.Errorf("failed to open %q's user context file: %w", user, err)
-	}
-	defer fu.Close()
-
 	defaultPath := filepath.Join(policyRoot(), defaultContexts)
-	fd, err := os.Open(defaultPath)
-	if err != nil {
-		return "", fmt.Errorf("failed to open default user context file: %w", err)
-	}
-	defer fd.Close()
-
 	failsafePath := filepath.Join(policyRoot(), failsafeContext)
-	fs, err := os.Open(failsafePath)
-	if err != nil {
-		return "", fmt.Errorf("failed to open failsafe user context file: %w", err)
-	}
-	defer fs.Close()
 
 	c := defaultSECtx{
-		user:        user,
-		level:       level,
-		scon:        scon,
-		userRdr:     fu,
-		defaultRdr:  fd,
-		failsafeRdr: fs,
-		verifier:    securityCheckContext,
+		user:            user,
+		level:           level,
+		scon:            scon,
+		openUserRdr:     createOpener(userPath),
+		openDefaultRdr:  createOpener(defaultPath),
+		openFailsafeRdr: createOpener(failsafePath),
+		verifier:        securityCheckContext,
 	}
 
 	return getDefaultContextFromReaders(&c)
diff --git a/go-selinux/selinux_linux_test.go b/go-selinux/selinux_linux_test.go
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
+	"io"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -782,12 +783,16 @@ fake_r:fake_t:s0                 baz_r:baz_t:s0   sysadm_r:sysadm_t:s0
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := defaultSECtx{
-				user:       "bob",
-				level:      "SystemLow-SystemHigh",
-				scon:       "system_u:staff_r:staff_t:s0",
-				userRdr:    bytes.NewBufferString(tt.userBuff),
-				defaultRdr: bytes.NewBufferString(tt.defaultBuff),
-				verifier:   verifier,
+				user:  "bob",
+				level: "SystemLow-SystemHigh",
+				scon:  "system_u:staff_r:staff_t:s0",
+				openUserRdr: func() (io.ReadCloser, error) {
+					return io.NopCloser(bytes.NewBufferString(tt.userBuff)), nil
+				},
+				openDefaultRdr: func() (io.ReadCloser, error) {
+					return io.NopCloser(bytes.NewBufferString(tt.defaultBuff)), nil
+				},
+				verifier: verifier,
 			}
 
 			got, err := getDefaultContextFromReaders(&c)
@@ -809,12 +814,18 @@ fake_r:fake_t:s0                 baz_r:baz_t:s0   sysadm_r:sysadm_t:s0
 		dne_r:dne_t:s0                 baz_r:baz_t:s0   sysadm_r:sysadm_t:s0
 		`
 		c := defaultSECtx{
-			user:        "bob",
-			level:       "SystemLow-SystemHigh",
-			scon:        "system_u:staff_r:staff_t:s0",
-			userRdr:     bytes.NewBufferString(badUserBuff),
-			defaultRdr:  bytes.NewBufferString(badDefaultBuff),
-			failsafeRdr: bytes.NewBufferString(goodFailsafeBuff),
+			user:  "bob",
+			level: "SystemLow-SystemHigh",
+			scon:  "system_u:staff_r:staff_t:s0",
+			openUserRdr: func() (io.ReadCloser, error) {
+				return io.NopCloser(bytes.NewBufferString(badUserBuff)), nil
+			},
+			openDefaultRdr: func() (io.ReadCloser, error) {
+				return io.NopCloser(bytes.NewBufferString(badDefaultBuff)), nil
+			},
+			openFailsafeRdr: func() (io.ReadCloser, error) {
+				return io.NopCloser(bytes.NewBufferString(goodFailsafeBuff)), nil
+			},
 			verifier: func(s string) error {
 				return nil
 			},
