Merge pull request snapcore#6286 from bboozzoo/bboozzoo/selinux-release-info
release: support probing SELinux state
Showing
3 changed files
with
198 additions
and
0 deletions.
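--- /dev/null
+++ b/PATH_NOT_ON_PAGE_release_file1.go
@@ -0,0 +1,90 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2014-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package release
+
+import (
+	"fmt"
+
+	"github.com/snapcore/snapd/selinux"
+)
+
+// SELinuxLevelType encodes the state of SELinux support found on this system.
+type SELinuxLevelType int
+
+const (
+	// NoSELinux indicates that SELinux is not enabled
+	NoSELinux SELinuxLevelType = iota
+	// SELinux is supported and in permissive mode
+	SELinuxPermissive
+	// SELinux is supported and in enforcing mode
+	SELinuxEnforcing
+)
+
+var (
+	selinuxIsEnabled = selinux.IsEnabled
+	selinuxIsEnforcing = selinux.IsEnforcing
+)
+
+// SELinuxLevel tells what level of SELinux enforcement is currently used
+func SELinuxLevel() SELinuxLevelType {
+	level, _ := probeSELinux()
+	return level
+}
+
+// SELinuxSummary describes SELinux status
+func SELinuxSummary() string {
+	_, summary := probeSELinux()
+	return summary
+}
+
+// SELinuxStatus returns the current level of SELinux support and a descriptive
+// summary
+func SELinuxStatus() (level SELinuxLevelType, summary string) {
+	return probeSELinux()
+}
+
+func probeSELinux() (SELinuxLevelType, string) {
+	enabled, err := selinuxIsEnabled()
+	if err != nil {
+		return NoSELinux, err.Error()
+	}
+	if !enabled {
+		return NoSELinux, ""
+	}
+
+	enforcing, err := selinuxIsEnforcing()
+	if err != nil {
+		return NoSELinux, fmt.Sprintf("SELinux is enabled, but status cannot be determined: %v", err)
+	}
+	if !enforcing {
+		return SELinuxPermissive, "SELinux is enabled but in permissive mode"
+	}
+	return SELinuxEnforcing, "SELinux is enabled and in enforcing mode"
+}
+
+// MockSELinuxIsEnabled makes the system believe a certain SELinux state is
+// currently true
+func MockSELinuxIsEnabled(isEnabled func() (bool, error)) (restore func()) {
+	old := selinuxIsEnabled
+	selinuxIsEnabled = isEnabled
+	return func() {
+		selinuxIsEnabled = old
+	}
+}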
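Review bot: probeSELinux folds a probe failure into NoSELinux (both `if err != nil` branches return it), so SELinuxLevel, which discards the summary, cannot distinguish a host without SELinux from one where the probe failed, and a caller that applies SELinux-specific handling only for a non-zero level will silently skip it on error. At minimum the doc comment should say so: `// SELinuxLevel tells what level of SELinux enforcement is currently used. A probe failure is reported as NoSELinux; use SELinuxStatus to obtain the error text.` The two error branches are also inconsistent: the IsEnforcing failure is prefixed with "SELinux is enabled, but status cannot be determined: %v" while the IsEnabled failure returns the bare `err.Error()`, so that summary gives the reader no hint it concerns SELinux; `return NoSELinux, fmt.Sprintf("SELinux status cannot be determined: %v", err)` would match, with the "so much fail" expectation in TestProbeEnabledError adjusted to suit. The comments on SELinuxPermissive and SELinuxEnforcing should start with the constant's name, as the NoSELinux one does.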
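--- /dev/null
+++ b/PATH_NOT_ON_PAGE_release_file2_test.go
@@ -0,0 +1,98 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2014-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package release_test
+
+import (
+	"errors"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/release"
+)
+
+type selinuxSuite struct{}
+
+var _ = Suite(&selinuxSuite{})
+
+func (s *selinuxSuite) TestProbeNone(c *C) {
+	restore := release.MockSELinuxIsEnabled(func() (bool, error) { return false, nil })
+	defer restore()
+
+	level, status := release.ProbeSELinux()
+	c.Assert(level, Equals, release.NoSELinux)
+	c.Assert(status, Equals, "")
+
+	c.Assert(release.SELinuxLevel(), Equals, level)
+	c.Assert(release.SELinuxSummary(), Equals, status)
+}
+
+func (s *selinuxSuite) TestProbeEnforcingHappy(c *C) {
+	restore := release.MockSELinuxIsEnabled(func() (bool, error) { return true, nil })
+	defer restore()
+	restore = release.MockSELinuxIsEnforcing(func() (bool, error) { return true, nil })
+	defer restore()
+
+	level, status := release.ProbeSELinux()
+	c.Assert(level, Equals, release.SELinuxEnforcing)
+	c.Assert(status, Equals, "SELinux is enabled and in enforcing mode")
+
+	c.Assert(release.SELinuxLevel(), Equals, level)
+	c.Assert(release.SELinuxSummary(), Equals, status)
+}
+
+func (s *selinuxSuite) TestProbeEnabledError(c *C) {
+	restore := release.MockSELinuxIsEnabled(func() (bool, error) { return true, errors.New("so much fail") })
+	defer restore()
+
+	level, status := release.ProbeSELinux()
+	c.Assert(level, Equals, release.NoSELinux)
+	c.Assert(status, Equals, "so much fail")
+
+	c.Assert(release.SELinuxLevel(), Equals, level)
+	c.Assert(release.SELinuxSummary(), Equals, status)
+}
+
+func (s *selinuxSuite) TestProbeEnforcingError(c *C) {
+	restore := release.MockSELinuxIsEnabled(func() (bool, error) { return true, nil })
+	defer restore()
+	restore = release.MockSELinuxIsEnforcing(func() (bool, error) { return true, errors.New("so much fail") })
+	defer restore()
+
+	level, status := release.ProbeSELinux()
+	c.Assert(level, Equals, release.NoSELinux)
+	c.Assert(status, Equals, "SELinux is enabled, but status cannot be determined: so much fail")
+
+	c.Assert(release.SELinuxLevel(), Equals, level)
+	c.Assert(release.SELinuxSummary(), Equals, status)
+}
+
+func (s *selinuxSuite) TestProbePermissive(c *C) {
+	restore := release.MockSELinuxIsEnabled(func() (bool, error) { return true, nil })
+	defer restore()
+	restore = release.MockSELinuxIsEnforcing(func() (bool, error) { return false, nil })
+	defer restore()
+
+	level, status := release.ProbeSELinux()
+	c.Assert(level, Equals, release.SELinuxPermissive)
+	c.Assert(status, Equals, "SELinux is enabled but in permissive mode")
+
+	c.Assert(release.SELinuxLevel(), Equals, level)
+	c.Assert(release.SELinuxSummary(), Equals, status)
+}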
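Review bot: None of the five cases exercises release.SELinuxStatus, the one exported function that hands back level and summary together; each case should also check `l, s := release.SELinuxStatus()` against `level` and `status`, as is already done for SELinuxLevel and SELinuxSummary. The tests call `release.ProbeSELinux` and `release.MockSELinuxIsEnforcing`, which the production file shown above does not define (it has an unexported probeSELinux and only MockSELinuxIsEnabled); they presumably come from the third changed file that is not visible here, so confirm that an export_test.go providing both is part of the commit. In TestProbeEnabledError the mock returns `true` together with the error, which only shows that the error is checked first; a variant returning `false, err` would pin that the error, not the bool, decides the outcome.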