Add the container_signull() interface

[zpytela]

Summary by Sourcery

Introduce the new container_signull() interface in the container.if policy interface file.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adds a new container_signull() interface to the container.if policy interface file, likely exposing a new permission or helper macro for signaling with null or checking signal permissions.

File-Level Changes

Change	Details	Files
Introduce the container_signull() interface in the container.if policy interface file.	Add a new interface definition named container_signull() to container.if Wire the new interface into any existing containers or macros that need signull-related behavior Update or align comments/documentation within container.if to describe the new interface semantics if included in the patch	container.if

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gemini-code-assist]

Summary of Changes

Hello @zpytela, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the SELinux policy by adding a new interface, container_signull. This interface provides a controlled and secure mechanism for other domains to query the existence and accessibility of container processes, without impacting their runtime operations. It ensures that interactions with containers are properly mediated by the security policy.

Highlights

• New SELinux Interface: Introduced a new SELinux interface named container_signull.
• Signal Permission: This interface grants a specified domain the ability to send signull (signal 0) to processes with the container_t type.
• Purpose of signull: The signull signal is typically used to check if a process exists and if the sender has permission to send it signals, without actually affecting the process's state.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new SELinux interface, container_signull, which allows a specified domain to send null signals to container processes. The implementation is correct, but the documentation for the new interface contains a misleading parameter name. My feedback includes a suggestion to correct this for better clarity and maintainability.

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[packit-as-a-service]

Tests failed. @containers/packit-build please check.

[lsm5]

Is there any issue that could be referenced here?

Requesting changes for DCO.

[zpytela]

Needed for fedora-selinux/selinux-policy#3007

[lsm5]

LGTM pending sign-off for DCO.

[lsm5]

@zpytela kinda-sorta related, would a container-selinux-devel subpackage that ships container.if be useful for selinux-policy?

[zpytela]

That's a part of the current workflow, we use the latest container.if during selinux-policy build.

[lsm5]

That's a part of the current workflow, we use the latest container.if during selinux-policy build.

right, so I mean instead of this step, you could just install container-selinux-devel. And if you want the latest from upstream shipped as an rpm, you could install from this copr

[zpytela]

That's a part of the current workflow, we use the latest container.if during selinux-policy build.

right, so I mean instead of this step, you could just install container-selinux-devel. And if you want the latest from upstream shipped as an rpm, you could install from this copr

That would be an option if container-selinux-devel existed - do you really plan to split the package? It's size is 70K.
In other words: I don't think it's worth the effort, we'd rather adjust selinux-policy workflow for the current state with 20 independent-policy packages.

[lsm5]

LGTM

@haircommander @rhatdan PTAL

[lsm5]

That would be an option if container-selinux-devel existed - do you really plan to split the package?

Shouldn't be a big deal either way. Right now container-selinux doesn't ship any source files in rpm.

It's size is 70K. In other words: I don't think it's worth the effort, we'd rather adjust selinux-policy workflow for the current state with 20 independent-policy packages.

Alright, I'll leave this be for now in that case.

[zpytela]

That would be an option if container-selinux-devel existed - do you really plan to split the package?

Shouldn't be a big deal either way. Right now container-selinux doesn't ship any source files in rpm.
Except for

Makefile:       install -D -pm 644 container.if ${DESTDIR}${SHAREDIR}/selinux/devel/include/services/container.if

since 581898d

It's size is 70K. In other words: I don't think it's worth the effort, we'd rather adjust selinux-policy workflow for the current state with 20 independent-policy packages.

Alright, I'll leave this be for now in that case.

OK, thanks.