Merge pull request #38 from rhatdan/socketlabel

Add label.SetSocketCreate method

Makefile

@@ -8,6 +8,7 @@ endif
 .PHONY: test
 test: check-gopath
 	go test -timeout 3m -tags "${BUILDTAGS}" ${TESTFLAGS} -v ./...
+	go test -timeout 3m ${TESTFLAGS} -v ./...
 
 .PHONY:
 lint:

go-selinux/label/label.go

@@ -9,7 +9,7 @@ func InitLabels(options []string) (string, string, error) {
 	return "", "", nil
 }
 
-func GetROMountLabel() string {
+func ROMountLabel() string {
 	return ""
 }
 
@@ -25,7 +25,19 @@ func SetProcessLabel(processLabel string) error {
 	return nil
 }
 
-func GetFileLabel(path string) (string, error) {
+func ProcessLabel() (string, error) {
+	return "", nil
+}
+
+func SetSocketLabel(processLabel string) error {
+	return nil
+}
+
+func SocketLabel() (string, error) {
+	return "", nil
+}
+
+func FileLabel(path string) (string, error) {
 	return "", nil
 }
 
@@ -41,7 +53,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
 	return nil
 }
 
-func GetPidLabel(pid int) (string, error) {
+func PidLabel(pid int) (string, error) {
 	return "", nil
 }
 

go-selinux/label/label_selinux.go

@@ -95,14 +95,25 @@ func SetProcessLabel(processLabel string) error {
 	return selinux.SetExecLabel(processLabel)
 }
 
+// SetSocketLabel takes a process label and tells the kernel to assign the
+// label to the next socket that gets created
+func SetSocketLabel(processLabel string) error {
+	return selinux.SetSocketLabel(processLabel)
+}
+
+// SocketLabel retrieves the current default socket label setting
+func SocketLabel() (string, error) {
+	return selinux.SocketLabel()
+}
+
 // ProcessLabel returns the process label that the kernel will assign
 // to the next program executed by the current process.  If "" is returned
 // this indicates that the default labeling will happen for the process.
 func ProcessLabel() (string, error) {
 	return selinux.ExecLabel()
 }
 
-// GetFileLabel returns the label for specified path
+// FileLabel returns the label for specified path
 func FileLabel(path string) (string, error) {
 	return selinux.FileLabel(path)
 }

go-selinux/label/label_selinux_stub_test.go

@@ -0,0 +1,121 @@
+// +build !selinux !linux
+
+package label
+
+import (
+	"os"
+	"testing"
+)
+
+func TestInit(t *testing.T) {
+	var testNull []string
+	_, _, err := InitLabels(testNull)
+	if err != nil {
+		t.Log("InitLabels Failed")
+		t.Fatal(err)
+	}
+	testDisabled := []string{"disable"}
+	roMountLabel := ROMountLabel()
+	if roMountLabel != "" {
+		t.Errorf("ROMountLabel Failed")
+	}
+	plabel, _, err := InitLabels(testDisabled)
+	if err != nil {
+		t.Log("InitLabels Disabled Failed")
+		t.Fatal(err)
+	}
+	if plabel != "" {
+		t.Log("InitLabels Disabled Failed")
+		t.FailNow()
+	}
+	testUser := []string{"user:user_u", "role:user_r", "type:user_t", "level:s0:c1,c15"}
+	plabel, _, err = InitLabels(testUser)
+	if err != nil {
+		t.Log("InitLabels User Failed")
+		t.Fatal(err)
+	}
+}
+
+func TestRelabel(t *testing.T) {
+	testdir := "/tmp/test"
+	if err := os.Mkdir(testdir, 0755); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(testdir)
+	label := "system_u:object_r:container_file_t:s0:c1,c2"
+	if err := Relabel("/etc", label, false); err != nil {
+		t.Fatalf("Relabel /etc succeeded")
+	}
+}
+
+func TestSocketLabel(t *testing.T) {
+	label := "system_u:object_r:container_t:s0:c1,c2"
+	if err := SetSocketLabel(label); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := SocketLabel(); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestProcessLabel(t *testing.T) {
+	label := "system_u:object_r:container_t:s0:c1,c2"
+	if err := SetProcessLabel(label); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := ProcessLabel(); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func CheckLabelCompile(t *testing.T) {
+	if _, _, err := GenLabels(""); err != nil {
+		t.Fatal(err)
+	}
+	if test := FormatMountLabel("", ""); test != "" {
+		t.Fatal("Format failed")
+	}
+
+	if test := FormatMountLabel("", ""); test != "" {
+		t.Fatal("Format failed")
+	}
+
+	if _, err := FileLabel("/etc"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := SetFileLabel("/etc", "foobar"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := SetFileCreateLabel("foobar"); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := PidLabel(0); err != nil {
+		t.Fatal(err)
+	}
+
+	ClearLabels()
+
+	if err := ReserveLabel("foobar"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := ReleaseLabel("foobar"); err != nil {
+		t.Fatal(err)
+	}
+
+	DupSecOpt("foobar")
+	DisableSecOpt()
+
+	if err := Validate("foobar"); err != nil {
+		t.Fatal(err)
+	}
+	if relabel := RelabelNeeded("foobar"); relabel {
+		t.Fatal("Relabel failed")
+	}
+	if shared := IsShared("foobar"); shared {
+		t.Fatal("isshared failed")
+	}
+}

go-selinux/label/label_selinux_test.go

@@ -159,3 +159,20 @@ func TestSELinuxNoLevel(t *testing.T) {
 		t.Errorf("NewContaxt and con.Get() Failed on non mls label")
 	}
 }
+
+func TestSocketLabel(t *testing.T) {
+	if !selinux.GetEnabled() {
+		return
+	}
+	label := "system_u:object_r:container_t:s0:c1,c2"
+	if err := selinux.SetSocketLabel(label); err != nil {
+		t.Fatal(err)
+	}
+	nlabel, err := selinux.SocketLabel()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if label != nlabel {
+		t.Errorf("SocketLabel %s != %s", nlabel, label)
+	}
+}

go-selinux/selinux_linux.go

@@ -385,6 +385,17 @@ func SetExecLabel(label string) error {
 	return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label)
 }
 
+// SetSocketLabel takes a process label and tells the kernel to assign the
+// label to the next socket that gets created
+func SetSocketLabel(label string) error {
+	return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()), label)
+}
+
+// SocketLabel retrieves the current socket label setting
+func SocketLabel() (string, error) {
+	return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
+}
+
 // Get returns the Context as a string
 func (c Context) Get() string {
 	if c["level"] != "" {

go-selinux/selinux_stub.go

@@ -96,6 +96,19 @@ func SetExecLabel(label string) error {
 	return nil
 }
 
+/*
+SetSocketLabel sets the SELinux label that the kernel will use for any programs
+that are executed by the current process thread, or an error.
+*/
+func SetSocketLabel(label string) error {
+	return nil
+}
+
+// SocketLabel retrieves the current socket label setting
+func SocketLabel() (string, error) {
+	return "", nil
+}
+
 // Get returns the Context as a string
 func (c Context) Get() string {
 	return ""

go-selinux/selinux_stub_test.go

@@ -10,4 +10,68 @@ func TestSELinux(t *testing.T) {
 	if GetEnabled() {
 		t.Fatal("SELinux enabled with build-tag !selinux.")
 	}
+
+	if _, err := FileLabel("/etc"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := SetFileLabel("/etc", "foobar"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := SetFSCreateLabel("foobar"); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := FSCreateLabel(); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := CurrentLabel(); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := PidLabel(0); err != nil {
+		t.Fatal(err)
+	}
+
+	ClearLabels()
+
+	ReserveLabel("foobar")
+	ReleaseLabel("foobar")
+	DupSecOpt("foobar")
+	DisableSecOpt()
+	SetDisabled()
+	if enabled := GetEnabled(); enabled {
+		t.Fatal("Should not be enabled")
+	}
+	if err := SetExecLabel("foobar"); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := ExecLabel(); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := CanonicalizeContext("foobar"); err != nil {
+		t.Fatal(err)
+	}
+	if err := SetSocketLabel("foobar"); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := SocketLabel(); err != nil {
+		t.Fatal(err)
+	}
+	con := NewContext("foobar")
+	con.Get()
+	if err := SetEnforceMode(1); err != nil {
+		t.Fatal(err)
+	}
+	DefaultEnforceMode()
+	EnforceMode()
+	ROFileLabel()
+	ContainerLabels()
+	if err := SecurityCheckContext("foobar"); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := CopyLevel("foo", "bar"); err != nil {
+		t.Fatal(err)
+	}
 }