selabel: Use pcre2 for regex #318

Merged: cgwalters merged 1 commit into composefs:main from orowith2os:pcre2 on Jun 22, 2026

Conversation

orowith2os (Contributor) commented Jun 21, 2026

SELinux uses pcre2 for its regex library, and there's a Rust crate for it available, so might as well use it for compatibility. Using the regular regex crate also doesn't support look-arounds, so better to move away from it anyways.

Fixes #317 (hopefully). cargo test passes, so I think we're good. I don't quite know how to shimmy this into bootc so I can test it properly.

oro@stitch ~/P/bootc (main) [1]> sudo target/debug/bootc container compute-composefs-digest /ostree/boot.1.0/default/40ad2cc41a58917bee1e7defa7fd9fcdbbd92c688b51d26c64ee4ea4f6970f79/0/
[sudo] password for oro: 
023b605e0227172fb48471575536519368372ebbee3af7b8e41668708c26cee5a4ad5b66d04c77c4eee438b0cd72a75f438477fbfb3a198db4966d2b641e8e44
oro@stitch ~/P/bootc (main)> sudo bootc container compute-composefs-digest /ostree/boot.1.0/default/40ad2cc41a58917bee1e7defa7fd9fcdbbd92c688b51d26c64ee4ea4f6970f79/0/
error: Computing composefs digest: Preparing for boot: Applying SELinux labels to filesystem: Building SELinux policy: error building NFA: error parsing regex: regex parse error:
    ^(/var/run/waydroid-(?!lxc).*).$
                        ^^^
error: look-around, including look-ahead and look-behind, is not supported
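As an added illustration (not code from the PR or from composefs-rs): a minimal file_contexts-style matcher in Python, whose `re` module accepts the look-ahead and the `\_` escape that the `regex` crate and regexr reject on this page. The entries, the context strings and the last-match-wins precedence rule are assumptions constructed for the example.

```python
import re
from typing import NamedTuple, Optional

class Spec(NamedTuple):
    regex: re.Pattern
    ftype: Optional[str]  # None = any type; "--" regular file, "-d" directory
    context: str

# Constructed file_contexts-style entries (not from a real policy). The
# waydroid and kadmind path patterns are the two quoted in the PR thread.
FILE_CONTEXTS = r"""
/var/run(/.*)?                     system_u:object_r:var_run_t:s0
/var/run/waydroid-(?!lxc).*        system_u:object_r:waydroid_var_run_t:s0
/usr/kerberos/sbin/\_kadmind    -- system_u:object_r:kadmind_exec_t:s0
/var/run/waydroid-lxc(/.*)?     -d system_u:object_r:container_var_run_t:s0
"""

LOOKAROUND = re.compile(r"\(\?<?[=!]")  # matches (?= (?! (?<= (?<!

def needs_lookaround(text: str) -> list[str]:
    """Path patterns that an engine without look-around cannot compile."""
    return [line.split()[0] for line in text.splitlines()
            if line.strip() and LOOKAROUND.search(line.split()[0])]

def parse_file_contexts(text: str) -> list[Spec]:
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            path_re, ftype, context = fields
        elif len(fields) == 2:
            (path_re, context), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts entry: {line!r}")
        # Anchor the pattern to the whole path, as the ^(...)$ wrapper in
        # the PR's error output does.
        specs.append(Spec(re.compile(rf"^({path_re})$"), ftype, context))
    return specs

def lookup(specs: list[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """Return the context for path. Assumes last-match-wins precedence and
    skips entries whose file type field does not match (assumption)."""
    for spec in reversed(specs):
        if spec.ftype in (None, ftype) and spec.regex.match(path):
            return spec.context
    return None
```

The look-ahead is what lets a single entry label everything under `/var/run/waydroid-*` except the `lxc` subtree; without look-around that exclusion needs a separate, ordered entry.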

scarletquasar left a comment

approved

Johan-Liebert1 (Collaborator) commented

Looks good. We require sign-offs in commits, and there seems to be a lint error.

SELinux uses pcre2 for its regex library, and there's a Rust crate for
it available, so might as well use it for compatibility. Using the
regular regex crate also doesn't support look-arounds, so better to move
away from it anyways.

Fixes composefs#317

Signed-off-by: Dallas Strouse <dallas.strouse2007@gmail.com>
orowith2os (Contributor, Author) commented Jun 22, 2026

Should be good now. Apparently I added a reference where one wasn't needed so I threw that out, and I added the signed-off-by.

orowith2os (Contributor, Author) commented

Also, fwiw, if it ever turns out to be a problem, you can enable the JIT by using pcre2::bytes::RegexBuilder, and that might help a bit. I don't have the means to test performance for that at the current moment, sadly.

orowith2os (Contributor, Author) commented

Never mind. Looks like no JIT wins, at least on my system.

oro@stitch ~/P/bootc (main)> sudo time nojit/bootc container compute-composefs-digest /ostree/boot.1.0/default/40ad2cc41a58917bee1e7defa7fd9fcdbbd92c688b51d26c64ee4ea4f6970f79/0/
237659eea59d9e772facb57f4692e58a05b97060f9ad2e917a86a75a7c9f8de246a33cbc498196b226de0d0690f62183cfedd384c3a9896adf0f3de7da4cd619
178.14user 37.68system 2:56.28elapsed 122%CPU (0avgtext+0avgdata 474688maxresident)k
27276584inputs+39629336outputs (4major+132246minor)pagefaults 0swaps
oro@stitch ~/P/bootc (main)> sudo time yesjit/bootc container compute-composefs-digest /ostree/boot.1.0/default/40ad2cc41a58917bee1e7defa7fd9fcdbbd92c688b51d26c64ee4ea4f6970f79/0/
237659eea59d9e772facb57f4692e58a05b97060f9ad2e917a86a75a7c9f8de246a33cbc498196b226de0d0690f62183cfedd384c3a9896adf0f3de7da4cd619
237.78user 37.09system 3:58.73elapsed 115%CPU (0avgtext+0avgdata 470172maxresident)k
29144232inputs+37867800outputs (10major+133356minor)pagefaults 0swaps

travier (Collaborator) commented Jun 22, 2026

This removes some optimizations that may or may not matter (I don't know) so we should be careful about this and try to verify that the hit is not too important.

orowith2os (Contributor, Author) commented Jun 22, 2026

Figured it out; I pulled the secureblue/silverblue image and extracted it, then ran the bootc shipped by my distribution (Fedora) and a patched bootc from bootc-dev/bootc#2262:

oro@stitch ~> time sudo bootc container compute-composefs-digest scb-rootfs/
08ed265ec132aefacd211f44127007e4276833d2b5d38c696c81e07fdec470382e3a6800b7302b85600d96fd40df462470306eefeb357abfe1be8595b3f73085

________________________________________________________
Executed in   40.65 secs      fish           external
   usr time    6.09 millis    0.30 millis    5.79 millis
   sys time   12.25 millis    1.15 millis   11.10 millis

oro@stitch ~> time sudo Projects/bootc/target/release/bootc container compute-composefs-digest scb-rootfs/
08ed265ec132aefacd211f44127007e4276833d2b5d38c696c81e07fdec470382e3a6800b7302b85600d96fd40df462470306eefeb357abfe1be8595b3f73085

________________________________________________________
Executed in   73.12 secs      fish           external
   usr time    7.16 millis    0.06 millis    7.10 millis
   sys time   11.35 millis    1.02 millis   10.33 millis

JIT enabled is worse:

oro@stitch ~> time sudo Projects/bootc/target/release/bootc container compute-composefs-digest scb-rootfs/
08ed265ec132aefacd211f44127007e4276833d2b5d38c696c81e07fdec470382e3a6800b7302b85600d96fd40df462470306eefeb357abfe1be8595b3f73085

________________________________________________________
Executed in   80.30 secs      fish           external
   usr time    8.25 millis    0.00 micros    8.25 millis
   sys time    8.42 millis  719.00 micros    7.70 millis

orowith2os (Contributor, Author) commented

I'm not sure if there's another library out there that's compatible with the PCRE2 regex flavor that SELinux uses. I've also tried hyperscan and regexr, but hyperscan is slower than pcre2, and regexr likes to error out:

invalid escape sequence '\_' at position 21
  pattern: ^(/usr/kerberos/sbin/\_kadmind)-$
                                ^^

cgwalters (Collaborator) left a comment

Thanks, this looks sane.

That said, it may make sense at some point to cut over to using https://docs.rs/selinux/latest/selinux/label/struct.Labeler.html#method.look_up_by_path instead.

cgwalters added this pull request to the merge queue Jun 22, 2026
Merged via the queue into composefs:main with commit 835c986 Jun 22, 2026
18 checks passed


Linked issue that merging this pull request may close:

look-around, including look-ahead and look-behind, is not supported when computing bazzite (with waydroid) digest