github.com/meulengracht/snapd@v0.0.0-20210719210640-8bde69bcc84e/sandbox/selinux/selinux_linux_test.go

github.com/meulengracht/snapd@v0.0.0-20210719210640-8bde69bcc84e/sandbox/selinux/selinux_linux_test.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2018 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package selinux_test
    21  
    22  import (
    23  	"fmt"
    24  	"io/ioutil"
    25  	"path/filepath"
    26  	"testing"
    27  
    28  	"gopkg.in/check.v1"
    29  
    30  	"github.com/snapcore/snapd/osutil"
    31  	"github.com/snapcore/snapd/sandbox/selinux"
    32  )
    33  
    34  func Test(t *testing.T) { check.TestingT(t) }
    35  
    36  type selinuxSuite struct{}
    37  
    38  var _ = check.Suite(&selinuxSuite{})
    39  
    40  const selinuxMountInfo = `90 0 252:1 / / rw,relatime shared:1 - ext4 /dev/vda1 rw,seclabel
    41  41 19 0:18 / /sys/fs/selinux rw,relatime shared:20 - selinuxfs selinuxfs rw
    42  42 21 0:17 / /dev/mqueue rw,relatime shared:26 - mqueue mqueue rw,seclabel
    43  `
    44  
    45  func (s *selinuxSuite) TestGetMount(c *check.C) {
    46  	restore := osutil.MockMountInfo(selinuxMountInfo)
    47  	defer restore()
    48  
    49  	mnt, err := selinux.GetSELinuxMount()
    50  	c.Assert(err, check.IsNil)
    51  	c.Assert(mnt, check.Equals, "/sys/fs/selinux")
    52  }
    53  
    54  func (s *selinuxSuite) TestIsEnabledHappyEnabled(c *check.C) {
    55  	restore := osutil.MockMountInfo(selinuxMountInfo)
    56  	defer restore()
    57  
    58  	enabled, err := selinux.IsEnabled()
    59  	c.Assert(err, check.IsNil)
    60  	c.Assert(enabled, check.Equals, true)
    61  }
    62  
    63  func (s *selinuxSuite) TestIsEnabledHappyNoSelinux(c *check.C) {
    64  	restore := osutil.MockMountInfo("")
    65  	defer restore()
    66  
    67  	enabled, err := selinux.IsEnabled()
    68  	c.Assert(err, check.IsNil)
    69  	c.Assert(enabled, check.Equals, false)
    70  }
    71  
    72  func (s *selinuxSuite) TestIsEnabledFailGarbage(c *check.C) {
    73  	restore := osutil.MockMountInfo("garbage")
    74  	defer restore()
    75  
    76  	enabled, err := selinux.IsEnabled()
    77  	c.Assert(err, check.ErrorMatches, `failed to obtain SELinux mount path: .*`)
    78  	c.Assert(enabled, check.Equals, false)
    79  }
    80  
    81  func (s *selinuxSuite) TestIsEnforcingHappy(c *check.C) {
    82  	dir := c.MkDir()
    83  	miLine := fmt.Sprintf("41 19 0:18 / %s rw,relatime shared:20 - selinuxfs selinuxfs rw\n", dir)
    84  	restore := osutil.MockMountInfo(miLine)
    85  	defer restore()
    86  
    87  	enforcePath := filepath.Join(dir, "enforce")
    88  
    89  	err := ioutil.WriteFile(enforcePath, []byte("1"), 0644)
    90  	c.Assert(err, check.IsNil)
    91  
    92  	enforcing, err := selinux.IsEnforcing()
    93  	c.Assert(err, check.IsNil)
    94  	c.Assert(enforcing, check.Equals, true)
    95  
    96  	err = ioutil.WriteFile(enforcePath, []byte("0"), 0644)
    97  	c.Assert(err, check.IsNil)
    98  
    99  	enforcing, err = selinux.IsEnforcing()
   100  	c.Assert(err, check.IsNil)
   101  	c.Assert(enforcing, check.Equals, false)
   102  }
   103  
   104  func (s *selinuxSuite) TestIsEnforcingNoSELinux(c *check.C) {
   105  	restore := osutil.MockMountInfo("")
   106  	defer restore()
   107  
   108  	enforcing, err := selinux.IsEnforcing()
   109  	c.Assert(err, check.IsNil)
   110  	c.Assert(enforcing, check.Equals, false)
   111  }
   112  
   113  func (s *selinuxSuite) TestIsEnforcingFailGarbage(c *check.C) {
   114  	dir := c.MkDir()
   115  	miLine := fmt.Sprintf("41 19 0:18 / %s rw,relatime shared:20 - selinuxfs selinuxfs rw\n", dir)
   116  	restore := osutil.MockMountInfo(miLine)
   117  	defer restore()
   118  
   119  	enforcePath := filepath.Join(dir, "enforce")
   120  
   121  	err := ioutil.WriteFile(enforcePath, []byte("garbage"), 0644)
   122  	c.Assert(err, check.IsNil)
   123  
   124  	enforcing, err := selinux.IsEnforcing()
   125  	c.Assert(err, check.ErrorMatches, "unknown SELinux status: garbage")
   126  	c.Assert(enforcing, check.Equals, false)
   127  }
   128  
   129  func (s *selinuxSuite) TestIsEnforcingFailOther(c *check.C) {
   130  	dir := c.MkDir()
   131  	miLine := fmt.Sprintf("41 19 0:18 / %s rw,relatime shared:20 - selinuxfs selinuxfs rw\n", dir)
   132  	restore := osutil.MockMountInfo(miLine)
   133  	defer restore()
   134  
   135  	enforcePath := filepath.Join(dir, "enforce")
   136  
   137  	err := ioutil.WriteFile(enforcePath, []byte("not-readable"), 0000)
   138  	c.Assert(err, check.IsNil)
   139  
   140  	enforcing, err := selinux.IsEnforcing()
   141  	c.Assert(err, check.ErrorMatches, "open .*: permission denied")
   142  	c.Assert(enforcing, check.Equals, false)
   143  }