More go bindings

- restorecon, getpidcon, setexeccon
2014-02-20 17:21:25 -05:00 · 2014-02-20 17:21:25 -05:00 · 820aece678
commit 820aece678
parent 2492943f41
2 changed files with 159 additions and 121 deletions
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@ -38,10 +38,10 @@ index 0000000..b75677b
 +relabel:
 diff --git a/libselinux/golang/selinux.go b/libselinux/golang/selinux.go
 new file mode 100644
-index 0000000..6cee26a
+index 0000000..34bf6bb
 --- /dev/null
 +++ b/libselinux/golang/selinux.go
-@@ -0,0 +1,378 @@
+@@ -0,0 +1,412 @@
 +package selinux
 +
 +/*
@ -59,26 +59,28 @@ index 0000000..6cee26a
 +// #include <stdlib.h>
 +import "C"
 +import (
 +	"encoding/binary"
 +	"crypto/rand"
 +	"unsafe"
 +	"fmt"
 +	"bufio"
-+	"regexp"
+	"crypto/rand"
 +	"encoding/binary"
 +	"fmt"
 +	"io"
 +	"os"
 +	"path"
 +	"path/filepath"
 +	"regexp"
 +	"strings"
 +	"unsafe"
 +)
 +
 +var (
 +	assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
-+	mcs_list = make(map[string]bool)
+	mcsList     = make(map[string]bool)
 +)
 +
-+func Matchpathcon(path string, mode int) (string, error) {
+func Matchpathcon(path string, mode os.FileMode) (string, error) {
 +	var con C.security_context_t
 +	var scon string
-+	rc, err := C.matchpathcon(C.CString(path),C.mode_t(mode), &con)
+	rc, err := C.matchpathcon(C.CString(path), C.mode_t(mode), &con)
 +	if rc == 0 {
 +		scon = C.GoString(con)
 +		C.free(unsafe.Pointer(con))
@ -86,16 +88,16 @@ index 0000000..6cee26a
 +	return scon, err
 +}
 +
-+func Setfilecon(path,scon string) (int, error) {
+func Setfilecon(path, scon string) (int, error) {
-+        rc, err := C.lsetfilecon(C.CString(path),C.CString(scon))
+	rc, err := C.lsetfilecon(C.CString(path), C.CString(scon))
 +	return int(rc), err
 +}
 +
 +func Getfilecon(path string) (string, error) {
 +	var scon C.security_context_t
 +	var fcon string
-+        rc, err := C.lgetfilecon(C.CString(path),&scon)
+	rc, err := C.lgetfilecon(C.CString(path), &scon)
-+	if (rc >= 0) {
+	if rc >= 0 {
 +		fcon = C.GoString(scon)
 +		err = nil
 +	}
@ -107,7 +109,7 @@ index 0000000..6cee26a
 +		rc  C.int
 +		err error
 +	)
-+	if (scon != "") {
+	if scon != "" {
 +		rc, err = C.setfscreatecon(C.CString(scon))
 +	} else {
 +		rc, err = C.setfscreatecon(nil)
@ -119,7 +121,7 @@ index 0000000..6cee26a
 +	var scon C.security_context_t
 +	var fcon string
 +	rc, err := C.getfscreatecon(&scon)
-+	if (rc >= 0) {
+	if rc >= 0 {
 +		fcon = C.GoString(scon)
 +		err = nil
 +		C.freecon(scon)
@ -127,7 +129,7 @@ index 0000000..6cee26a
 +	return fcon, err
 +}
 +
-+func Getcon() (string) {
+func Getcon() string {
 +	var pcon C.security_context_t
 +	C.getcon(&pcon)
 +	scon := C.GoString(pcon)
@ -139,7 +141,7 @@ index 0000000..6cee26a
 +	var pcon C.security_context_t
 +	var scon string
 +	rc, err := C.getpidcon(C.pid_t(pid), &pcon)
-+	if (rc >= 0) {
+	if rc >= 0 {
 +		scon = C.GoString(pcon)
 +		C.freecon(pcon)
 +		err = nil
@ -151,7 +153,7 @@ index 0000000..6cee26a
 +	var pcon C.security_context_t
 +	var scon string
 +	rc, err := C.getpeercon(C.int(socket), &pcon)
-+	if (rc >= 0) {
+	if rc >= 0 {
 +		scon = C.GoString(pcon)
 +		C.freecon(pcon)
 +		err = nil
@ -159,71 +161,64 @@ index 0000000..6cee26a
 +	return scon, err
 +}
 +
-+func Setexeccon(scon string) (int, error) {
+func Setexeccon(scon string) error {
 +	var val *C.char
-+	if ! Selinux_enabled() {
+	if !SelinuxEnabled() {
-+		return 0, nil
+		return nil
 +	}
 +	if scon != "" {
 +		val = C.CString(scon)
 +	} else {
 +		val = nil
 +	}
-+        rc, err := C.setexeccon(val)
+	_, err := C.setexeccon(val)
-+	return int(rc), err
+	return err
 +}
 +
 +type Context struct {
 +	con []string
 +}
-+func (c *Context) Set_user(user string) {
+
-+	c.con[0]=user
+func (c *Context) SetUser(user string) {
 +	c.con[0] = user
 +}
-+func (c *Context) Get_user() string {
+func (c *Context) GetUser() string {
 +	return c.con[0]
 +}
-+func (c *Context) Set_role(role string) {
+func (c *Context) SetRole(role string) {
-+	c.con[1]=role
+	c.con[1] = role
 +}
-+func (c *Context) Get_role() string {
+func (c *Context) GetRole() string {
 +	return c.con[1]
 +}
-+func (c *Context) Set_type(setype string) {
+func (c *Context) SetType(setype string) {
-+	c.con[2]=setype
+	c.con[2] = setype
 +}
-+func (c *Context) Get_type() string {
+func (c *Context) GetType() string {
 +	return c.con[2]
 +}
-+func (c *Context) Set_level(mls string) {
+func (c *Context) SetLevel(mls string) {
-+	c.con[3]=mls
+	c.con[3] = mls
 +}
-+func (c *Context) Get_level() string {
+func (c *Context) GetLevel() string {
 +	return c.con[3]
 +}
-+func (c *Context) Get() string{
+func (c *Context) Get() string {
-+	return strings.Join(c.con,":")
+	return strings.Join(c.con, ":")
 +}
 +func (c *Context) Set(scon string) {
-+	c.con = strings.SplitN(scon,":",4)
+	c.con = strings.SplitN(scon, ":", 4)
 +}
-+func New_context(scon string) Context {
+func NewContext(scon string) Context {
 +	var con Context
 +	con.Set(scon)
 +	return con
 +}
 +
-+func Is_selinux_enabled() bool {
+func SelinuxEnabled() bool {
 +	b := C.is_selinux_enabled()
 +	if b > 0 {
-+		return true;
+		return true
 +	}
 +	return false
 +}
 +
 +func Selinux_enabled() bool {
 +	b := C.is_selinux_enabled()
 +	if b > 0 {
 +		return true;
 +	}
 +	return false
 +}
@ -234,51 +229,51 @@ index 0000000..6cee26a
 +	Disabled   = -1
 +)
 +
-+func Selinux_getenforce() int {
+func SelinuxGetEnforce() int {
 +	return int(C.security_getenforce())
 +}
 +
-+func Selinux_getenforcemode() (int) {
+func SelinuxGetEnforceMode() int {
 +	var enforce C.int
 +	C.selinux_getenforcemode(&enforce)
 +	return int(enforce)
 +}
 +
-+func mcs_add(mcs string) {
+func mcsAdd(mcs string) {
-+	mcs_list[mcs] = true
+	mcsList[mcs] = true
 +}
 +
-+func mcs_delete(mcs string) {
+func mcsDelete(mcs string) {
-+	mcs_list[mcs] = false
+	mcsList[mcs] = false
 +}
 +
-+func mcs_exists(mcs string) bool {
+func mcsExists(mcs string) bool {
-+	return mcs_list[mcs] 
+	return mcsList[mcs]
 +}
 +
-+func Int_to_mcs(id int, catRange uint32) string {
+func IntToMcs(id int, catRange uint32) string {
-+        if ((id < 1) || (id >523776)) {
+	if (id < 1) || (id > 523776) {
-+          return "";
+		return ""
 +	}
 +
-+	SETSIZE := int(catRange);
+	SETSIZE := int(catRange)
-+	TIER := SETSIZE;
+	TIER := SETSIZE
 +
-+	ORD := id;
+	ORD := id
-+	for ;ORD > TIER; {
+	for ORD > TIER {
-+		ORD = ORD - TIER;
+		ORD = ORD - TIER
-+		TIER -= 1;
+		TIER -= 1
 +	}
-+	TIER = SETSIZE - TIER;
+	TIER = SETSIZE - TIER
-+	ORD = ORD + TIER;
+	ORD = ORD + TIER
-+	return fmt.Sprintf("s0:c%d,c%d", TIER, ORD);
+	return fmt.Sprintf("s0:c%d,c%d", TIER, ORD)
 +}
 +
-+func uniq_mcs(catRange uint32) string {
+func uniqMcs(catRange uint32) string {
 +	var n uint32
-+	var c1,c2 uint32
+	var c1, c2 uint32
 +	var mcs string
-+	for ;; {
+	for {
 +		binary.Read(rand.Reader, binary.LittleEndian, &n)
 +		c1 = n % catRange
 +		binary.Read(rand.Reader, binary.LittleEndian, &n)
@ -293,31 +288,31 @@ index 0000000..6cee26a
 +			}
 +		}
 +		mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
-+		if mcs_exists(mcs) {
+		if mcsExists(mcs) {
 +			continue
 +		}
-+		mcs_add(mcs)
+		mcsAdd(mcs)
 +		break
 +	}
 +	return mcs
 +}
-+func free_context(process_label string) {
+func freeContext(processLabel string) {
 +	var scon Context
-+	scon = New_context(process_label)
+	scon = NewContext(processLabel)
-+	mcs_delete(scon.Get_level())
+	mcsDelete(scon.GetLevel())
 +}
 +
-+func Get_lxc_contexts() (process_label string, file_label string) {
+func GetLxcContexts() (processLabel string, fileLabel string) {
 +	var val, key string
 +	var bufin *bufio.Reader
-+	if ! Selinux_enabled() {
+	if !SelinuxEnabled() {
 +		return
 +	}
-+	lxc_path := C.GoString(C.selinux_lxc_contexts_path())
+	lxcPath := C.GoString(C.selinux_lxc_contexts_path())
-+	file_label = "system_u:object_r:svirt_sandbox_file_t:s0"
+	fileLabel = "system_u:object_r:svirt_sandbox_file_t:s0"
-+	process_label = "system_u:system_r:svirt_lxc_net_t:s0"
+	processLabel = "system_u:system_r:svirt_lxc_net_t:s0"
 +
-+	in, err := os.Open(lxc_path)
+	in, err := os.Open(lxcPath)
 +	if err != nil {
 +		goto exit
 +	}
@ -346,27 +341,27 @@ index 0000000..6cee26a
 +		if groups := assignRegex.FindStringSubmatch(line); groups != nil {
 +			key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
 +			if key == "process" {
-+				process_label = strings.Trim(val,"\"")
+				processLabel = strings.Trim(val, "\"")
 +			}
 +			if key == "file" {
-+				file_label = strings.Trim(val,"\"")
+				fileLabel = strings.Trim(val, "\"")
 +			}
 +		}
 +	}
 +exit:
 +	var scon Context
-+	mcs := Int_to_mcs(os.Getpid(), 1024)
+	mcs := IntToMcs(os.Getpid(), 1024)
-+	scon = New_context(process_label)
+	scon = NewContext(processLabel)
-+	scon.Set_level(mcs)
+	scon.SetLevel(mcs)
-+	process_label = scon.Get()
+	processLabel = scon.Get()
-+	scon = New_context(file_label)
+	scon = NewContext(fileLabel)
-+	scon.Set_level(mcs)
+	scon.SetLevel(mcs)
-+	file_label = scon.Get()
+	fileLabel = scon.Get()
-+	return process_label, file_label
+	return processLabel, fileLabel
 +}
 +
-+func CopyLevel (src, dest string) (string, error) {
+func CopyLevel(src, dest string) (string, error) {
-+	if ! Selinux_enabled() {
+	if !SelinuxEnabled() {
 +		return "", nil
 +	}
 +	if src == "" {
@ -380,37 +375,76 @@ index 0000000..6cee26a
 +	if rc != 0 {
 +		return "", err
 +	}
-+	scon := New_context(src)
+	scon := NewContext(src)
-+	tcon := New_context(dest)
+	tcon := NewContext(dest)
-+	tcon.Set_level(scon.Get_level())
+	tcon.SetLevel(scon.GetLevel())
 +	return tcon.Get(), nil
 +}
 +
 +func RestoreCon(fpath string, recurse bool) error {
 +	var flabel string
 +	var err error
 +	var fs os.FileInfo
 +
 +	if !SelinuxEnabled() {
 +		return nil
 +	}
 +
 +	if recurse {
 +		var paths []string
 +		var err error
 +
 +		if paths, err = filepath.Glob(path.Join(fpath, "**", "*")); err != nil {
 +			return fmt.Errorf("Unable to find directory %v: %v", fpath, err)
 +		}
 +
 +		for _, fpath := range paths {
 +			if err = RestoreCon(fpath, false); err != nil {
 +				return fmt.Errorf("Unable to restore selinux context for %v: %v", fpath, err)
 +			}
 +		}
 +		return nil
 +	}
 +	if fs, err = os.Stat(fpath); err != nil {
 +		return fmt.Errorf("Unable stat %v: %v", fpath, err)
 +	}
 +
 +	if flabel, err = Matchpathcon(fpath, fs.Mode()); flabel == "" {
 +		return fmt.Errorf("Unable to get context for %v: %v", fpath, err)
 +	}
 +
 +	if rc, err := Setfilecon(fpath, flabel); rc != 0 {
 +		return fmt.Errorf("Unable to set selinux context for %v: %v", fpath, err)
 +	}
 +
 +	return nil
 +}
 +
 +func Test() {
-+	var plabel,flabel string
+	var plabel, flabel string
-+	if ! Selinux_enabled() {
+	if !SelinuxEnabled() {
 +		return
 +	}
 +
-+	plabel, flabel = Get_lxc_contexts()
+	plabel, flabel = GetLxcContexts()
 +	fmt.Println(plabel)
 +	fmt.Println(flabel)
-+	free_context(plabel)
+	freeContext(plabel)
-+	plabel, flabel = Get_lxc_contexts()
+	plabel, flabel = GetLxcContexts()
 +	fmt.Println(plabel)
 +	fmt.Println(flabel)
-+	free_context(plabel)
+	freeContext(plabel)
-+	if Selinux_enabled() {
+	if SelinuxEnabled() {
 +		fmt.Println("Enabled")
 +	} else {
 +		fmt.Println("Disabled")
 +	}
-+	fmt.Println("getenforce ", Selinux_getenforce())
+	fmt.Println("getenforce ", SelinuxGetEnforce())
-+	fmt.Println("getenforcemode ", Selinux_getenforcemode())
+	fmt.Println("getenforcemode ", SelinuxGetEnforceMode())
-+	flabel,_ = Matchpathcon("/home/dwalsh/.emacs", 0)
+	flabel, _ = Matchpathcon("/home/dwalsh/.emacs", 0)
 +	fmt.Println(flabel)
 +	pid := os.Getpid()
-+	fmt.Printf("PID:%d MCS:%s\n", pid, Int_to_mcs(pid, 1023))
+	fmt.Printf("PID:%d MCS:%s\n", pid, IntToMcs(pid, 1023))
 +	fmt.Println(Getcon())
 +	fmt.Println(Getfilecon("/etc/passwd"))
 +	fmt.Println(Getpidcon(1))
--- a/libselinux.spec
+++ b/libselinux.spec
@ -10,7 +10,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.2.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
@ -243,6 +243,10 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 %changelog
 * Thu Feb 20 2014 Dan Walsh <dwalsh@redhat.com>  - 2.2.2-5
 - More go bindings
 -   restorecon, getpidcon, setexeccon
 * Fri Feb 14 2014 Dan Walsh <dwalsh@redhat.com>  - 2.2.2-4
 - Add additional go bindings for get*con calls
 - Add go bindings test command