selinux

package v0.0.0-...-683b059

Published: Apr 23, 2022 License: BSD-3-Clause Imports: 12 Imported by: 0

Documentation

Overview

Package selinux contains shared logic for security tests that verify SELinux configuration.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckAll

func CheckAll(_ string, _ os.FileInfo) (FilterResult, FilterResult)

CheckAll returns (Check, Check) so that the test checks every file and descends into every directory.

func CheckContext

func CheckContext(ctx context.Context, s *testing.State, req *CheckContextReq)

CheckContext checks that the SELinux label of req.Path matches req.Expected. Failures are reported through s.

func CheckHomeDirectory

func CheckHomeDirectory(ctx context.Context, s *testing.State)

CheckHomeDirectory checks file contexts under /home. It contains functionality shared between the security.SELinuxFilesARC and security.SELinuxFilesNonARC tests.

func FileContextRegexp

func FileContextRegexp(context string) (*regexp.Regexp, error)

FileContextRegexp returns a regexp that wraps the given context type as "^u:object_r:xxx:s0$", so only an exact type with the default sensitivity matches.

func FilesTestInternal

func FilesTestInternal(ctx context.Context, s *testing.State, testCases []FileTestCase)

FilesTestInternal runs the test suite for SELinuxFilesSystem(Informational)?

func GpuDevices

func GpuDevices() ([]string, error)

GpuDevices returns the folders for GPU devices, used by test cases on non-sysfs files.

func IIOSensorDevices

func IIOSensorDevices() ([]string, error)

IIOSensorDevices returns the folders for cros-ec related IIO devices. Even when err is non-nil, the devices that were found without error are still returned.

func ProcessContextRegexp

func ProcessContextRegexp(context string) (*regexp.Regexp, error)

ProcessContextRegexp returns a regexp built from context by wrapping it as "^u:r:xxx:.*$": the domain is anchored, but any suffix after it (such as MLS/MCS categories) is accepted.

func ProcessesTestInternal

func ProcessesTestInternal(ctx context.Context, s *testing.State, testSelector []ProcessTestCaseSelector)

ProcessesTestInternal runs the test suite for SELinuxProcesses(Experimental|Informational)?

Types

type CheckContextReq

type CheckContextReq struct {
	// Path is a file path to check.
	Path string

	// Expected is a regexp that should match with the SELinux context of files.
	Expected *regexp.Regexp

	// Recursive indicates whether to check child files recursively.
	Recursive bool

	// Filter is a function to filter files to check. It may not be nil.
	Filter FileLabelCheckFilter

	// IgnoreErrors indicates whether system call errors for Path should be
	// ignored. If Recursive is true, IgnoreErrors is set to true for all child
	// files recursively checked. This behavior is intentional to avoid typical
	// race conditions on special file systems (like sysfs and procfs).
	//
	// IgnoreErrors ignores all errors, not only "harmless" ones like ENOENT and
	// ENOTDIR. When accessing files in special file systems, they can return
	// arbitrary error codes such as EIO. It does not make sense to make SELinux
	// tests fail on such errors since they are not directly related to what we
	// want to test.
	IgnoreErrors bool

	// Log indicates whether to log successful checks.
	Log bool
}

CheckContextReq holds parameters given to CheckContext.

type FileLabelCheckFilter

type FileLabelCheckFilter func(path string, fi os.FileInfo) (skipFile, skipSubdir FilterResult)

FileLabelCheckFilter reports, for the file described by path and fi, whether the file itself should be skipped (skipFile) and, if it is a directory, whether its contents should be skipped (skipSubdir). fi is never nil.

func IgnorePathButNotContents

func IgnorePathButNotContents(pathToIgnore string) FileLabelCheckFilter

IgnorePathButNotContents returns a FileLabelCheckFilter that lets the test skip the file or directory matching pathToIgnore but still check its contents.

func IgnorePaths

func IgnorePaths(pathsToIgnore []string) FileLabelCheckFilter

IgnorePaths returns a FileLabelCheckFilter that lets the test skip files or directories matching pathsToIgnore, including the contents of any matched directory.

func IgnorePathsButNotContents

func IgnorePathsButNotContents(pathsToIgnore []string) FileLabelCheckFilter

IgnorePathsButNotContents returns a FileLabelCheckFilter that lets the test skip files or directories matching pathsToIgnore but still check their contents.

func IgnorePathsRegex

func IgnorePathsRegex(pathsToIgnore []string) FileLabelCheckFilter

IgnorePathsRegex returns a FileLabelCheckFilter that lets the test skip files or directories whose paths match the regular expressions in pathsToIgnore, including the contents of any matched directory.

func InvertFilterSkipFile

func InvertFilterSkipFile(filter FileLabelCheckFilter) FileLabelCheckFilter

InvertFilterSkipFile takes a filter and returns a FileLabelCheckFilter that inverts its skipFile result (Skip becomes Check and vice versa), leaving skipSubdir unchanged.

type FileTestCase

type FileTestCase struct {
	Path         string // absolute file path
	Context      string // expected SELinux file context
	Recursive    bool
	Filter       FileLabelCheckFilter
	IgnoreErrors bool
	Log          bool
}

FileTestCase specifies a single test case for files to test for SELinux labels. Files should have been labeled by platform2/sepolicy/file_contexts/ or platform2/sepolicy/policy/*/genfs_contexts, with a few exceptions:

  • type_transition rules that assign a default label to files created under some condition.

  • files moved or copied (mv/cp) without preserving their original labels, which instead inherit the label of the new parent directory (e.g. /var/log/mount-encrypted.log).

type FilterResult

type FilterResult int

FilterResult is returned by a FileLabelCheckFilter indicating how a file should be handled.

const (
	// Skip indicates that the file should be skipped.
	Skip FilterResult = iota

	// Check indicates that the file's SELinux context should be checked.
	Check
)

func IIOSensorFilter

func IIOSensorFilter(p string, fi os.FileInfo) (skipFile, skipSubdir FilterResult)

IIOSensorFilter returns a pair of FilterResults so that only files that should carry the cros_sensor_hal_sysfs label are checked.

func SkipCoreutilsFile

func SkipCoreutilsFile(p string, fi os.FileInfo) (skipFile, skipSubdir FilterResult)

SkipCoreutilsFile is a FileLabelCheckFilter that returns (Skip, Check) if the given file belongs to the coreutils package.
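The following is an added example, not code from this package or from the Tast project. It re-implements, in stand-alone Go, the semantics documented above for CheckContextReq, FileContextRegexp and the (skipFile, skipSubdir) filters, so the interaction between Recursive, IgnoreErrors and the two halves of a filter result can be run and observed. All function names (checkContext, checkAll, ignorePaths, ignorePathsButNotContents, fileContextRegexp, buildTree) are assumptions chosen for the example, and the labels are a constructed path-to-context map standing in for the security.selinux xattr lookup the real test performs.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"sort"
)

// FilterResult mirrors the Skip/Check pair returned by the page's filters.
type FilterResult int

const (
	Skip FilterResult = iota
	Check
)

// labelFilter stands in for FileLabelCheckFilter: (skipFile, skipSubdir).
type labelFilter func(path string, fi os.FileInfo) (skipFile, skipSubdir FilterResult)

// checkAll checks every file and descends into every directory.
func checkAll(string, os.FileInfo) (FilterResult, FilterResult) { return Check, Check }

// ignorePaths skips the listed paths and, for directories, everything beneath them.
func ignorePaths(paths []string) labelFilter { return pathFilter(paths, Skip) }

// ignorePathsButNotContents skips only the listed paths; their contents are still walked.
func ignorePathsButNotContents(paths []string) labelFilter { return pathFilter(paths, Check) }

func pathFilter(paths []string, subdir FilterResult) labelFilter {
	set := map[string]bool{}
	for _, p := range paths {
		set[p] = true
	}
	return func(p string, _ os.FileInfo) (FilterResult, FilterResult) {
		if set[p] {
			return Skip, subdir
		}
		return Check, Check
	}
}

// fileContextRegexp wraps a type as "^u:object_r:<type>:s0$": a longer type
// name or a label carrying extra categories does not match.
func fileContextRegexp(t string) (*regexp.Regexp, error) {
	return regexp.Compile("^u:object_r:" + t + ":s0$")
}

// checkReq carries the same knobs as CheckContextReq (Log omitted). Path is
// relative to the tree root in this example.
type checkReq struct {
	Path         string
	Expected     *regexp.Regexp
	Recursive    bool
	Filter       labelFilter
	IgnoreErrors bool
}

// checkContext walks root/req.Path and returns the relative paths whose label
// does not match req.Expected, and the paths whose label could not be read.
// labels is a constructed path->context map; a missing entry simulates a
// failing getxattr (e.g. EIO on sysfs).
func checkContext(root string, req checkReq, labels map[string]string) (mismatches, readErrs []string, err error) {
	start := filepath.Join(root, req.Path)
	err = filepath.Walk(start, func(p string, fi os.FileInfo, werr error) error {
		if werr != nil {
			return werr
		}
		rel, _ := filepath.Rel(root, p)
		skipFile, skipSubdir := req.Filter(rel, fi)
		if skipFile == Check {
			label, ok := labels[rel]
			switch {
			case !ok && (req.IgnoreErrors || rel != req.Path):
				// Children of a recursive check always ignore read errors,
				// as documented for CheckContextReq.IgnoreErrors.
			case !ok:
				readErrs = append(readErrs, rel)
			case !req.Expected.MatchString(label):
				mismatches = append(mismatches, rel)
			}
		}
		if fi.IsDir() && (!req.Recursive || skipSubdir == Skip) {
			return filepath.SkipDir
		}
		return nil
	})
	sort.Strings(mismatches)
	sort.Strings(readErrs)
	return mismatches, readErrs, err
}

// buildTree creates a constructed tree under a temp dir and returns its root
// plus the labels each path is assumed to carry; var/log/sub/noxattr has none.
func buildTree() (string, map[string]string, error) {
	root, err := os.MkdirTemp("", "selinux-example")
	if err != nil {
		return "", nil, err
	}
	for _, f := range []string{"messages", "mount-encrypted.log", "sub/other.log", "sub/noxattr"} {
		full := filepath.Join(root, "var/log", f)
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return "", nil, err
		}
		if err := os.WriteFile(full, []byte("x"), 0o644); err != nil {
			return "", nil, err
		}
	}
	return root, map[string]string{
		"var/log":                     "u:object_r:cros_var_log:s0",
		"var/log/messages":            "u:object_r:cros_var_log:s0",
		"var/log/mount-encrypted.log": "u:object_r:cros_var_log:s0", // inherited from parent
		"var/log/sub":                 "u:object_r:cros_var_log:s0",
		"var/log/sub/other.log":       "u:object_r:cros_var_log_extra:s0", // wrong label
	}, nil
}

func main() {
	root, labels, err := buildTree()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	re, _ := fileContextRegexp("cros_var_log")
	m, e, _ := checkContext(root, checkReq{Path: "var/log", Expected: re, Recursive: true, Filter: checkAll}, labels)
	fmt.Println("recursive, checkAll:", m, e)
	m, e, _ = checkContext(root, checkReq{Path: "var/log", Expected: re, Recursive: true,
		Filter: ignorePaths([]string{"var/log/sub"})}, labels)
	fmt.Println("sub and its contents skipped:", m, e)
}
```

Two points worth noting from running it: the unreadable child (var/log/sub/noxattr) is silently ignored during a recursive check but reported when it is the Path of a non-recursive check with IgnoreErrors false, and ignorePaths versus ignorePathsButNotContents differ only in the skipSubdir half, which decides whether the walker descends into a skipped directory.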

type Process

type Process struct {
	PID       int
	Cmdline   string
	Exe       string
	Comm      string
	SEContext string
}

Process represents a running process with an SELinux context.

func FindProcessesByCmdline

func FindProcessesByCmdline(ps []Process, cmdlineRegex string, reverse bool) ([]Process, error)

FindProcessesByCmdline returns the processes in ps whose Cmdline field matches (reverse=false) or does not match (reverse=true) the partial regular expression cmdlineRegex.

func FindProcessesByExe

func FindProcessesByExe(ps []Process, exeRegex string, revese bool) ([]Process, error)

FindProcessesByExe returns the processes in ps whose Exe field matches (reverse=false) or does not match (reverse=true) the partial regular expression exeRegex.

func GetProcesses

func GetProcesses() ([]Process, error)

GetProcesses returns currently-running processes.

func (Process) String

func (p Process) String() string

String returns a human-readable string representation for struct Process.
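The following is an added example, not code from this package or from the Tast project. It shows what the "partial regular expression" wording for FindProcessesByCmdline and the "^u:r:xxx:.*$" wrapping of ProcessContextRegexp mean in practice: an unanchored cmdline pattern also picks up helper scripts that merely mention the binary, while the domain regexp accepts any MCS category suffix. The function names (findProcessesByCmdline, processContextRegexp, wrongDomain) are assumptions for the example, and sampleProcesses is a constructed list standing in for GetProcesses(), with illustrative domain names rather than ones taken from a real policy.

```go
package main

import (
	"fmt"
	"regexp"
)

// Process mirrors the page's Process struct.
type Process struct {
	PID       int
	Cmdline   string
	Exe       string
	Comm      string
	SEContext string
}

// processContextRegexp wraps a domain as "^u:r:<domain>:.*$": the domain is
// anchored, but any MLS/MCS suffix after it is accepted.
func processContextRegexp(domain string) (*regexp.Regexp, error) {
	return regexp.Compile("^u:r:" + domain + ":.*$")
}

// findProcessesByCmdline returns the processes whose Cmdline matches the
// partial (unanchored) regexp, or, with reverse set, those that do not.
func findProcessesByCmdline(ps []Process, cmdlineRegex string, reverse bool) ([]Process, error) {
	re, err := regexp.Compile(cmdlineRegex)
	if err != nil {
		return nil, err
	}
	var out []Process
	for _, p := range ps {
		if re.MatchString(p.Cmdline) != reverse {
			out = append(out, p)
		}
	}
	return out, nil
}

// wrongDomain returns the PIDs in ps whose SEContext is not in domain.
func wrongDomain(ps []Process, domain string) ([]int, error) {
	re, err := processContextRegexp(domain)
	if err != nil {
		return nil, err
	}
	var bad []int
	for _, p := range ps {
		if !re.MatchString(p.SEContext) {
			bad = append(bad, p.PID)
		}
	}
	return bad, nil
}

// sampleProcesses is a constructed stand-in for GetProcesses(); the domain
// names are illustrative only.
var sampleProcesses = []Process{
	{PID: 1, Cmdline: "/sbin/init", Exe: "/sbin/init", Comm: "init", SEContext: "u:r:cros_init:s0"},
	{PID: 812, Cmdline: "/usr/bin/shill --log-level=0", Exe: "/usr/bin/shill", Comm: "shill", SEContext: "u:r:cros_shill:s0"},
	{PID: 813, Cmdline: "/usr/bin/shill --log-level=0", Exe: "/usr/bin/shill", Comm: "shill", SEContext: "u:r:cros_shill:s0:c512,c768"},
	{PID: 900, Cmdline: "/bin/sh /usr/share/shill/restart.sh", Exe: "/bin/sh", Comm: "sh", SEContext: "u:r:cros_ssh_session:s0"},
	{PID: 901, Cmdline: "/usr/bin/shill --log-level=0", Exe: "/usr/bin/shill", Comm: "shill", SEContext: "u:r:unconfined:s0"},
}

func main() {
	// "shill" also matches the helper script; anchoring the pattern does not.
	loose, _ := findProcessesByCmdline(sampleProcesses, "shill", false)
	tight, _ := findProcessesByCmdline(sampleProcesses, "^/usr/bin/shill( |$)", false)
	fmt.Println("loose matches:", len(loose), "anchored matches:", len(tight))
	// PID 813 carries extra categories and still passes; PID 901 does not.
	bad, _ := wrongDomain(tight, "cros_shill")
	fmt.Println("PIDs outside cros_shill:", bad)
}
```

When writing a process test case, anchor the cmdline or exe pattern (or select on Exe rather than Cmdline) so that a wrapper script invoking the binary is not mistaken for the daemon itself; the domain check is forgiving about the category suffix by design.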

type ProcessTestCaseSelector

type ProcessTestCaseSelector int

ProcessTestCaseSelector specifies what kind of test cases will be run.

const (
	// Stable to run test cases proven to be stable.
	Stable ProcessTestCaseSelector = iota
	// Unstable to run newly introduced test cases or flaky cases.
	Unstable
)
