Server IP : 103.119.228.120 / Your IP : 18.191.97.229 Web Server : Apache System : Linux v8.techscape8.com 3.10.0-1160.119.1.el7.tuxcare.els2.x86_64 #1 SMP Mon Jul 15 12:09:18 UTC 2024 x86_64 User : nobody ( 99) PHP Version : 5.6.40 Disable Function : shell_exec,symlink,system,exec,proc_get_status,proc_nice,proc_terminate,define_syslog_variables,syslog,openlog,closelog,escapeshellcmd,passthru,ocinum cols,ini_alter,leak,listen,chgrp,apache_note,apache_setenv,debugger_on,debugger_off,ftp_exec,dl,dll,myshellexec,proc_open,socket_bind,proc_close,escapeshellarg,parse_ini_filepopen,fpassthru,exec,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,dl,symlink,shell_exec,system,dl,passthru,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru,getdisfunc,fx29exec,fx29exec2,is_windows,disp_freespace,fx29sh_getupdate,fx29_buff_prepare,fx29_sess_put,fx29shexit,fx29fsearch,fx29ftpbrutecheck,fx29sh_tools,fx29sh_about,milw0rm,imagez,sh_name,myshellexec,checkproxyhost,dosyayicek,c99_buff_prepare,c99_sess_put,c99getsource,c99sh_getupdate,c99fsearch,c99shexit,view_perms,posix_getpwuid,posix_getgrgid,posix_kill,parse_perms,parsesort,view_perms_color,set_encoder_input,ls_setcheckboxall,ls_reverse_all,rsg_read,rsg_glob,selfURL,dispsecinfo,unix2DosTime,addFile,system,get_users,view_size,DirFiles,DirFilesWide,DirPrintHTMLHeaders,GetFilesTotal,GetTitles,GetTimeTotal,GetMatchesCount,GetFileMatchesCount,GetResultFiles,fs_copy_dir,fs_copy_obj,fs_move_dir,fs_move_obj,fs_rmdir,SearchText,getmicrotime MySQL : ON | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /usr/local/ssl/lib64/golang/src/pkg/github.com/selinux/ |
Upload File : |
package selinux /* The selinux package is a go bindings to libselinux required to add selinux support to docker. Author Dan Walsh <dwalsh@redhat.com> Used some ideas/code from the go-ini packages https://github.com/vaughan0 By Vaughan Newton */ // #cgo pkg-config: libselinux // #include <selinux/selinux.h> // #include <stdlib.h> import "C" import ( "bufio" "crypto/rand" "encoding/binary" "fmt" "io" "os" "path" "path/filepath" "regexp" "strings" "unsafe" ) var ( assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`) mcsList = make(map[string]bool) ) func Matchpathcon(path string, mode os.FileMode) (string, error) { var con C.security_context_t var scon string rc, err := C.matchpathcon(C.CString(path), C.mode_t(mode), &con) if rc == 0 { scon = C.GoString(con) C.free(unsafe.Pointer(con)) } return scon, err } func Setfilecon(path, scon string) (int, error) { rc, err := C.lsetfilecon(C.CString(path), C.CString(scon)) return int(rc), err } func Getfilecon(path string) (string, error) { var scon C.security_context_t var fcon string rc, err := C.lgetfilecon(C.CString(path), &scon) if rc >= 0 { fcon = C.GoString(scon) err = nil } return fcon, err } func Setfscreatecon(scon string) (int, error) { var ( rc C.int err error ) if scon != "" { rc, err = C.setfscreatecon(C.CString(scon)) } else { rc, err = C.setfscreatecon(nil) } return int(rc), err } func Getfscreatecon() (string, error) { var scon C.security_context_t var fcon string rc, err := C.getfscreatecon(&scon) if rc >= 0 { fcon = C.GoString(scon) err = nil C.freecon(scon) } return fcon, err } func Getcon() string { var pcon C.security_context_t C.getcon(&pcon) scon := C.GoString(pcon) C.freecon(pcon) return scon } func Getpidcon(pid int) (string, error) { var pcon C.security_context_t var scon string rc, err := C.getpidcon(C.pid_t(pid), &pcon) if rc >= 0 { scon = C.GoString(pcon) C.freecon(pcon) err = nil } return scon, err } func Getpeercon(socket int) (string, error) { var pcon C.security_context_t var scon string rc, err := C.getpeercon(C.int(socket), &pcon) if rc >= 0 { scon = C.GoString(pcon) C.freecon(pcon) err = nil } return scon, err } func Setexeccon(scon string) error { var val *C.char if !SelinuxEnabled() { return nil } if scon != "" { val = C.CString(scon) } else { val = nil } _, err := C.setexeccon(val) return err } type Context struct { con []string } func (c *Context) SetUser(user string) { c.con[0] = user } func (c *Context) GetUser() string { return c.con[0] } func (c *Context) SetRole(role string) { c.con[1] = role } func (c *Context) GetRole() string { return c.con[1] } func (c *Context) SetType(setype string) { c.con[2] = setype } func (c *Context) GetType() string { return c.con[2] } func (c *Context) SetLevel(mls string) { c.con[3] = mls } func (c *Context) GetLevel() string { return c.con[3] } func (c *Context) Get() string { return strings.Join(c.con, ":") } func (c *Context) Set(scon string) { c.con = strings.SplitN(scon, ":", 4) } func NewContext(scon string) Context { var con Context con.Set(scon) return con } func SelinuxEnabled() bool { b := C.is_selinux_enabled() if b > 0 { return true } return false } const ( Enforcing = 1 Permissive = 0 Disabled = -1 ) func SelinuxGetEnforce() int { return int(C.security_getenforce()) } func SelinuxGetEnforceMode() int { var enforce C.int C.selinux_getenforcemode(&enforce) return int(enforce) } func mcsAdd(mcs string) { mcsList[mcs] = true } func mcsDelete(mcs string) { mcsList[mcs] = false } func mcsExists(mcs string) bool { return mcsList[mcs] } func IntToMcs(id int, catRange uint32) string { if (id < 1) || (id > 523776) { return "" } SETSIZE := int(catRange) TIER := SETSIZE ORD := id for ORD > TIER { ORD = ORD - TIER TIER -= 1 } TIER = SETSIZE - TIER ORD = ORD + TIER return fmt.Sprintf("s0:c%d,c%d", TIER, ORD) } func uniqMcs(catRange uint32) string { var n uint32 var c1, c2 uint32 var mcs string for { binary.Read(rand.Reader, binary.LittleEndian, &n) c1 = n % catRange binary.Read(rand.Reader, binary.LittleEndian, &n) c2 = n % catRange if c1 == c2 { continue } else { if c1 > c2 { t := c1 c1 = c2 c2 = t } } mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2) if mcsExists(mcs) { continue } mcsAdd(mcs) break } return mcs } func freeContext(processLabel string) { var scon Context scon = NewContext(processLabel) mcsDelete(scon.GetLevel()) } func GetLxcContexts() (processLabel string, fileLabel string) { var val, key string var bufin *bufio.Reader if !SelinuxEnabled() { return } lxcPath := C.GoString(C.selinux_lxc_contexts_path()) fileLabel = "system_u:object_r:svirt_sandbox_file_t:s0" processLabel = "system_u:system_r:svirt_lxc_net_t:s0" in, err := os.Open(lxcPath) if err != nil { goto exit } defer in.Close() bufin = bufio.NewReader(in) for done := false; !done; { var line string if line, err = bufin.ReadString('\n'); err != nil { if err == io.EOF { done = true } else { goto exit } } line = strings.TrimSpace(line) if len(line) == 0 { // Skip blank lines continue } if line[0] == ';' || line[0] == '#' { // Skip comments continue } if groups := assignRegex.FindStringSubmatch(line); groups != nil { key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2]) if key == "process" { processLabel = strings.Trim(val, "\"") } if key == "file" { fileLabel = strings.Trim(val, "\"") } } } exit: var scon Context mcs := IntToMcs(os.Getpid(), 1024) scon = NewContext(processLabel) scon.SetLevel(mcs) processLabel = scon.Get() scon = NewContext(fileLabel) scon.SetLevel(mcs) fileLabel = scon.Get() return processLabel, fileLabel } func CopyLevel(src, dest string) (string, error) { if !SelinuxEnabled() { return "", nil } if src == "" { return "", nil } rc, err := C.security_check_context(C.CString(src)) if rc != 0 { return "", err } rc, err = C.security_check_context(C.CString(dest)) if rc != 0 { return "", err } scon := NewContext(src) tcon := NewContext(dest) tcon.SetLevel(scon.GetLevel()) return tcon.Get(), nil } func RestoreCon(fpath string, recurse bool) error { var flabel string var err error var fs os.FileInfo if !SelinuxEnabled() { return nil } if recurse { var paths []string var err error if paths, err = filepath.Glob(path.Join(fpath, "**", "*")); err != nil { return fmt.Errorf("Unable to find directory %v: %v", fpath, err) } for _, fpath := range paths { if err = RestoreCon(fpath, false); err != nil { return fmt.Errorf("Unable to restore selinux context for %v: %v", fpath, err) } } return nil } if fs, err = os.Stat(fpath); err != nil { return fmt.Errorf("Unable stat %v: %v", fpath, err) } if flabel, err = Matchpathcon(fpath, fs.Mode()); flabel == "" { return fmt.Errorf("Unable to get context for %v: %v", fpath, err) } if rc, err := Setfilecon(fpath, flabel); rc != 0 { return fmt.Errorf("Unable to set selinux context for %v: %v", fpath, err) } return nil } func Test() { var plabel, flabel string if !SelinuxEnabled() { return } plabel, flabel = GetLxcContexts() fmt.Println(plabel) fmt.Println(flabel) freeContext(plabel) plabel, flabel = GetLxcContexts() fmt.Println(plabel) fmt.Println(flabel) freeContext(plabel) if SelinuxEnabled() { fmt.Println("Enabled") } else { fmt.Println("Disabled") } fmt.Println("getenforce ", SelinuxGetEnforce()) fmt.Println("getenforcemode ", SelinuxGetEnforceMode()) flabel, _ = Matchpathcon("/home/dwalsh/.emacs", 0) fmt.Println(flabel) pid := os.Getpid() fmt.Printf("PID:%d MCS:%s\n", pid, IntToMcs(pid, 1023)) fmt.Println(Getcon()) fmt.Println(Getfilecon("/etc/passwd")) fmt.Println(Getpidcon(1)) Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0") fmt.Println(Getfscreatecon()) Setfscreatecon("") fmt.Println(Getfscreatecon()) fmt.Println(Getpidcon(1)) }