selinux

package
v1.11.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 8, 2023 License: Apache-2.0 Imports: 17 Imported by: 383

Documentation

Overview

Package selinux provides a high-level interface for interacting with selinux.

Usage: 

import "github.com/opencontainers/selinux/go-selinux"

// Ensure that selinux is enforcing mode.
if selinux.EnforceMode() != selinux.Enforcing {
	selinux.SetEnforceMode(selinux.Enforcing)
}

Index

Constants

View Source 
const (
	// Enforcing constant indicate SELinux is in enforcing mode
	Enforcing = 1
	// Permissive constant to indicate SELinux is in permissive mode
	Permissive = 0
	// Disabled constant to indicate SELinux is disabled
	Disabled = -1

	// DefaultCategoryRange is the upper bound on the category range
	DefaultCategoryRange = uint32(maxCategory)
)

Variables

View Source 
var (
	// ErrMCSAlreadyExists is returned when trying to allocate a duplicate MCS.
	ErrMCSAlreadyExists = errors.New("MCS label already exists")
	// ErrEmptyPath is returned when an empty path has been specified.
	ErrEmptyPath = errors.New("empty path")

	// ErrInvalidLabel is returned when an invalid label is specified.
	ErrInvalidLabel = errors.New("invalid Label")

	// InvalidLabel is returned when an invalid label is specified.
	//
	// Deprecated: use [ErrInvalidLabel].
	InvalidLabel = ErrInvalidLabel

	// ErrIncomparable is returned two levels are not comparable
	ErrIncomparable = errors.New("incomparable levels")
	// ErrLevelSyntax is returned when a sensitivity or category do not have correct syntax in a level
	ErrLevelSyntax = errors.New("invalid level syntax")

	// ErrContextMissing is returned if a requested context is not found in a file.
	ErrContextMissing = errors.New("context does not have a match")
	// ErrVerifierNil is returned when a context verifier function is nil.
	ErrVerifierNil = errors.New("verifier function is nil")

	// CategoryRange allows the upper bound on the category range to be adjusted
	CategoryRange = DefaultCategoryRange
)

Functions

func CalculateGlbLub added in v1.6.0 

func CalculateGlbLub(sourceRange, targetRange string) (string, error)

CalculateGlbLub computes the glb (greatest lower bound) and lub (least upper bound) of a source and target range. The glblub is calculated as the greater of the low sensitivities and the lower of the high sensitivities and the and of each category bitset.

func CanonicalizeContext 

func CanonicalizeContext(val string) (string, error)

CanonicalizeContext takes a context string and writes it to the kernel the function then returns the context that the kernel will use. Use this function to check if two contexts are equivalent

func Chcon 

func Chcon(fpath string, label string, recurse bool) error

Chcon changes the fpath file object to the SELinux label. If fpath is a directory and recurse is true, then Chcon walks the directory tree setting the label.

The fpath itself is guaranteed to be relabeled last.

func ClassIndex added in v1.4.0 

func ClassIndex(class string) (int, error)

ClassIndex returns the int index for an object class in the loaded policy, or -1 and an error

func ClearLabels 

func ClearLabels()

ClearLabels clears all reserved labels

func ComputeCreateContext added in v1.4.0 

func ComputeCreateContext(source string, target string, class string) (string, error)

ComputeCreateContext requests the type transition from source to target for class from the kernel.

func ContainerLabels 

func ContainerLabels() (processLabel string, fileLabel string)

ContainerLabels returns an allocated processLabel and fileLabel to be used for container labeling by the calling process.

func CopyLevel 

func CopyLevel(src, dest string) (string, error)

CopyLevel returns a label with the MLS/MCS level from src label replaced on the dest label.

func CurrentLabel 

func CurrentLabel() (string, error)

CurrentLabel returns the SELinux label of the current process thread, or an error.

func DefaultEnforceMode 

func DefaultEnforceMode() int

DefaultEnforceMode returns the systems default SELinux mode Enforcing, Permissive or Disabled. Note this is just the default at boot time. EnforceMode tells you the systems current mode.

func DisableSecOpt 

func DisableSecOpt() []string

DisableSecOpt returns a security opt that can be used to disable SELinux labeling support for future container processes.

func DupSecOpt 

func DupSecOpt(src string) ([]string, error)

DupSecOpt takes an SELinux process label and returns security options that can be used to set the SELinux Type and Level for future container processes.

func EnforceMode 

func EnforceMode() int

EnforceMode returns the current SELinux mode Enforcing, Permissive, Disabled

func ExecLabel 

func ExecLabel() (string, error)

ExecLabel returns the SELinux label that the kernel will use for any programs that are executed by the current process thread, or an error.

func FSCreateLabel 

func FSCreateLabel() (string, error)

FSCreateLabel returns the default label the kernel which the kernel is using for file system objects created by this task. "" indicates default.

func FileLabel 

func FileLabel(fpath string) (string, error)

FileLabel returns the SELinux label for this path, following symlinks, or returns an error.

func GetDefaultContextWithLevel added in v1.7.0 

func GetDefaultContextWithLevel(user, level, scon string) (string, error)

GetDefaultContextWithLevel gets a single context for the specified SELinux user identity that is reachable from the specified scon context. The context is based on the per-user /etc/selinux/{SELINUXTYPE}/contexts/users/<username> if it exists, and falls back to the global /etc/selinux/{SELINUXTYPE}/contexts/default_contexts file.

func GetEnabled 

func GetEnabled() bool

GetEnabled returns whether SELinux is currently enabled.

func InitContainerLabels added in v1.5.1 

func InitContainerLabels() (string, string)

InitContainerLabels returns the default processLabel and file labels to be used for containers running an init system like systemd by the calling process.

func KVMContainerLabels added in v1.5.1 

func KVMContainerLabels() (string, string)

KVMContainerLabels returns the default processLabel and mountLabel to be used for kvm containers by the calling process.

func KeyLabel added in v1.2.1 

func KeyLabel() (string, error)

KeyLabel retrieves the current kernel keyring label setting

func LfileLabel added in v1.10.0 

func LfileLabel(fpath string) (string, error)

LfileLabel returns the SELinux label for this path, not following symlinks, or returns an error.

func LsetFileLabel added in v1.10.0 

func LsetFileLabel(fpath string, label string) error

LsetFileLabel sets the SELinux label for this path, not following symlinks, or returns an error.

func MLSEnabled added in v1.11.0 

func MLSEnabled() bool

MLSEnabled checks if MLS is enabled.

func PeerLabel added in v1.3.0 

func PeerLabel(fd uintptr) (string, error)

PeerLabel retrieves the label of the client on the other side of a socket

func PidLabel 

func PidLabel(pid int) (string, error)

PidLabel returns the SELinux label of the given pid, or an error.

func PrivContainerMountLabel added in v1.8.1 

func PrivContainerMountLabel() string

PrivContainerMountLabel returns mount label for privileged containers

func ROFileLabel 

func ROFileLabel() string

ROFileLabel returns the specified SELinux readonly file label

func ReleaseLabel 

func ReleaseLabel(label string)

ReleaseLabel un-reserves the MLS/MCS Level field of the specified label, allowing it to be used by another process.

func ReserveLabel 

func ReserveLabel(label string)

ReserveLabel reserves the MLS/MCS level component of the specified label

func SecurityCheckContext 

func SecurityCheckContext(val string) error

SecurityCheckContext validates that the SELinux label is understood by the kernel

func SetDisabled 

func SetDisabled()

SetDisabled disables SELinux support for the package

func SetEnforceMode 

func SetEnforceMode(mode int) error

SetEnforceMode sets the current SELinux mode Enforcing, Permissive. Disabled is not valid, since this needs to be set at boot time.

func SetExecLabel 

func SetExecLabel(label string) error

SetExecLabel sets the SELinux label that the kernel will use for any programs that are executed by the current process thread, or an error. Calls to SetExecLabel should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until execution of the program is finished to guarantee another goroutine does not migrate to the current thread before execution is complete.

func SetFSCreateLabel 

func SetFSCreateLabel(label string) error

SetFSCreateLabel tells the kernel what label to use for all file system objects created by this task. Set the label to an empty string to return to the default label. Calls to SetFSCreateLabel should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until file system objects created by this task are finished to guarantee another goroutine does not migrate to the current thread before execution is complete.

func SetFileLabel 

func SetFileLabel(fpath string, label string) error

SetFileLabel sets the SELinux label for this path, following symlinks, or returns an error.

func SetKeyLabel added in v1.2.1 

func SetKeyLabel(label string) error

SetKeyLabel takes a process label and tells the kernel to assign the label to the next kernel keyring that gets created. Calls to SetKeyLabel should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until the kernel keyring is created to guarantee another goroutine does not migrate to the current thread before execution is complete.

func SetSocketLabel 

func SetSocketLabel(label string) error

SetSocketLabel takes a process label and tells the kernel to assign the label to the next socket that gets created. Calls to SetSocketLabel should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until the socket is created to guarantee another goroutine does not migrate to the current thread before execution is complete.

func SetTaskLabel added in v1.3.0 

func SetTaskLabel(label string) error

SetTaskLabel sets the SELinux label for the current thread, or an error. This requires the dyntransition permission. Calls to SetTaskLabel should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() to guarantee the current thread does not run in a new mislabeled thread.

func SocketLabel 

func SocketLabel() (string, error)

SocketLabel retrieves the current socket label setting

Types

type Context 

type Context map[string]string

Context is a representation of the SELinux label broken into 4 parts

func NewContext 

func NewContext(label string) (Context, error)

NewContext creates a new Context struct from the specified label

func (Context) Get 

func (c Context) Get() string

Get returns the Context as a string

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.