-
Notifications
You must be signed in to change notification settings - Fork 1.3k
/
selinux.go
110 lines (96 loc) · 3.15 KB
/
selinux.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
package main
import (
"bytes"
"fmt"
"os"
"path/filepath"
"github.com/spf13/cobra"
"golang.org/x/sys/unix"
"kubevirt.io/kubevirt/pkg/safepath"
)
const xattrNameSelinux = "security.selinux"
var root string
// NewGetEnforceCommand determines if selinux is enabled in the kernel (enforced or permissive)
func NewGetEnforceCommand() *cobra.Command {
cmd := &cobra.Command{
Use: "getenforce",
Short: "determine if selinux is present",
Args: cobra.ExactArgs(0),
RunE: func(cmd *cobra.Command, args []string) error {
enforcing, err := os.ReadFile("/sys/fs/selinux/enforce")
if err != nil {
fmt.Println("disabled")
} else if bytes.Compare(enforcing, []byte("1")) == 0 {
fmt.Println("enforcing")
} else {
fmt.Println("permissive")
}
return nil
},
}
return cmd
}
func RelabelCommand() *cobra.Command {
relabelCommad := &cobra.Command{
Use: "relabel",
Short: "relabel a file with the given selinux label, if the path is not labeled like this already",
Example: "virt-chroot selinux relabel <new-label> <file-path>",
ValidArgs: nil,
Args: cobra.ExactArgs(2),
RunE: func(cmd *cobra.Command, args []string) error {
label := args[0]
if root == "" {
root = "/"
}
rootPath, err := safepath.JoinAndResolveWithRelativeRoot(root)
if err != nil {
return fmt.Errorf("failed to open root path %v: %v", rootPath, err)
}
safePath, err := safepath.JoinNoFollow(rootPath, args[1])
if err != nil {
return fmt.Errorf("failed to open final path %v: %v", filepath.Join(root, args[1]), err)
}
fd, err := safepath.OpenAtNoFollow(safePath)
if err != nil {
return fmt.Errorf("could not open file %v. Reason: %v", safePath, err)
}
defer fd.Close()
filePath := fd.SafePath()
writeableFD, err := os.OpenFile(filePath, os.O_APPEND|unix.S_IWRITE, os.ModePerm)
if err != nil {
return fmt.Errorf("error reopening file %s to write label %s. Reason: %v", filePath, label, err)
}
defer writeableFD.Close()
currentFileLabel, err := getLabel(writeableFD)
if err != nil {
return fmt.Errorf("faild to get selinux label for file %v: %v", filePath, err)
}
if currentFileLabel != label {
if err := unix.Fsetxattr(int(writeableFD.Fd()), xattrNameSelinux, []byte(label), 0); err != nil {
return fmt.Errorf("error relabeling file %s with label %s. Reason: %v", filePath, label, err)
}
}
return nil
},
}
relabelCommad.Flags().StringVar(&root, "root", "/", "safe root path which will be prepended to passed in files")
return relabelCommad
}
func getLabel(file *os.File) (string, error) {
// let's first find out the actual buffer size
var buffer []byte
labelLength, err := unix.Fgetxattr(int(file.Fd()), xattrNameSelinux, buffer)
if err != nil {
return "", fmt.Errorf("error reading fgetxattr: %v", err)
}
// now ask with the needed size
buffer = make([]byte, labelLength)
labelLength, err = unix.Fgetxattr(int(file.Fd()), xattrNameSelinux, buffer)
if err != nil {
return "", fmt.Errorf("error reading fgetxattr: %v", err)
}
if labelLength > 0 && buffer[labelLength-1] == '\x00' {
labelLength = labelLength - 1
}
return string(buffer[:labelLength]), nil
}