Build tag to not include `crypto/rand`

[espadolini]

Would you consider the inclusion of a PR that adds a build tag (tentative name opencontainers_selinux.nocrypto, perhaps) that elides uniqMcs and its call tree from the build? Our usecase is a minimal binary to spawn shells for users (including transitioning to the user's context via SetExecLabel, if selinux is enabled), and since this is the last source of inclusion of any package in crypto/..., getting rid of it would mean not having to care about FIPS compliance at all (as well as losing us a tiny bit of binary size, but that's a very minor thing).

[kolyshkin]

Rather than adding a build tag, I'd move the functionality which uses uniqMcs into a separate sub-package (looks like this is doable). The issue is the naming (we already have "label").

@rhatdan what do you think?

[espadolini]

Wouldn't that be a compatibility break? That's why I didn't suggest that in the first place.

[rhatdan]

I am fine with the change. As long as we don't break compatibility.

[kolyshkin]

Yet another alternative is to use math/rand. I might miss something but I fail to see how a predictable MCS label can affect security at all (IOW usnig math/rand should be fine)

[espadolini]

That'd be math/rand rather than math/rand/v2 to maintain support for go 1.19, right?

If that's ok with everyone I'll open a PR that swaps out crypto/rand for math/rand then.

[kolyshkin]

That'd be math/rand rather than math/rand/v2 to maintain support for go 1.19, right?

If that's ok with everyone I'll open a PR that swaps out crypto/rand for math/rand then.

Let's wait until #256 is merged