const minSensLen … const contextFile … const selinuxDir … const selinuxUsersDir … const defaultContexts … const selinuxConfig … const selinuxfsMount … const selinuxTypeTag … const selinuxTag … const xattrNameSelinux … type selinuxState … type level … type mlsRange … type defaultSECtx … type levelItem … const sensitivity … const category … var readOnlyFileLabel … var state … var attrPathOnce … var haveThreadSelf … var policyRootOnce … var policyRootVal … var loadLabelsOnce … var labels … func policyRoot() string { … } func (s *selinuxState) setEnable(enabled bool) bool { … } func (s *selinuxState) getEnabled() bool { … } // setDisabled disables SELinux support for the package func setDisabled() { … } func verifySELinuxfsMount(mnt string) bool { … } func findSELinuxfs() string { … } // findSELinuxfsMount returns a next selinuxfs mount point found, // if there is one, or an empty string in case of EOF or error. func findSELinuxfsMount(s *bufio.Scanner) string { … } func (s *selinuxState) getSELinuxfs() string { … } // getSelinuxMountPoint returns the path to the mountpoint of an selinuxfs // filesystem or an empty string if no mountpoint is found. Selinuxfs is // a proc-like pseudo-filesystem that exposes the SELinux policy API to // processes. The existence of an selinuxfs mount is used to determine // whether SELinux is currently enabled or not. func getSelinuxMountPoint() string { … } // getEnabled returns whether SELinux is currently enabled. func getEnabled() bool { … } func readConfig(target string) string { … } func isProcHandle(fh *os.File) error { … } func readCon(fpath string) (string, error) { … } func readConFd(in *os.File) (string, error) { … } // classIndex returns the int index for an object class in the loaded policy, // or -1 and an error func classIndex(class string) (int, error) { … } // lSetFileLabel sets the SELinux label for this path, not following symlinks, // or returns an error. func lSetFileLabel(fpath string, label string) error { … } // setFileLabel sets the SELinux label for this path, following symlinks, // or returns an error. func setFileLabel(fpath string, label string) error { … } // fileLabel returns the SELinux label for this path, following symlinks, // or returns an error. func fileLabel(fpath string) (string, error) { … } // lFileLabel returns the SELinux label for this path, not following symlinks, // or returns an error. func lFileLabel(fpath string) (string, error) { … } func setFSCreateLabel(label string) error { … } // fsCreateLabel returns the default label the kernel which the kernel is using // for file system objects created by this task. "" indicates default. func fsCreateLabel() (string, error) { … } // currentLabel returns the SELinux label of the current process thread, or an error. func currentLabel() (string, error) { … } // pidLabel returns the SELinux label of the given pid, or an error. func pidLabel(pid int) (string, error) { … } // ExecLabel returns the SELinux label that the kernel will use for any programs // that are executed by the current process thread, or an error. func execLabel() (string, error) { … } func writeCon(fpath, val string) error { … } func attrPath(attr string) string { … } // canonicalizeContext takes a context string and writes it to the kernel // the function then returns the context that the kernel will use. Use this // function to check if two contexts are equivalent func canonicalizeContext(val string) (string, error) { … } // computeCreateContext requests the type transition from source to target for // class from the kernel. func computeCreateContext(source string, target string, class string) (string, error) { … } // catsToBitset stores categories in a bitset. func catsToBitset(cats string) (*big.Int, error) { … } // parseLevelItem parses and verifies that a sensitivity or category are valid func parseLevelItem(s string, sep levelItem) (uint, error) { … } // parseLevel fills a level from a string that contains // a sensitivity and categories func (l *level) parseLevel(levelStr string) error { … } // rangeStrToMLSRange marshals a string representation of a range. func rangeStrToMLSRange(rangeStr string) (*mlsRange, error) { … } // bitsetToStr takes a category bitset and returns it in the // canonical selinux syntax func bitsetToStr(c *big.Int) string { … } func (l *level) equal(l2 *level) bool { … } // String returns an mlsRange as a string. func (m mlsRange) String() string { … } func max(a, b uint) uint { … } func min(a, b uint) uint { … } // calculateGlbLub computes the glb (greatest lower bound) and lub (least upper bound) // of a source and target range. // The glblub is calculated as the greater of the low sensitivities and // the lower of the high sensitivities and the and of each category bitset. func calculateGlbLub(sourceRange, targetRange string) (string, error) { … } func readWriteCon(fpath string, val string) (string, error) { … } // peerLabel retrieves the label of the client on the other side of a socket func peerLabel(fd uintptr) (string, error) { … } // setKeyLabel takes a process label and tells the kernel to assign the // label to the next kernel keyring that gets created func setKeyLabel(label string) error { … } // get returns the Context as a string func (c Context) get() string { … } // newContext creates a new Context struct from the specified label func newContext(label string) (Context, error) { … } // clearLabels clears all reserved labels func clearLabels() { … } // reserveLabel reserves the MLS/MCS level component of the specified label func reserveLabel(label string) { … } func selinuxEnforcePath() string { … } // isMLSEnabled checks if MLS is enabled. func isMLSEnabled() bool { … } // enforceMode returns the current SELinux mode Enforcing, Permissive, Disabled func enforceMode() int { … } // setEnforceMode sets the current SELinux mode Enforcing, Permissive. // Disabled is not valid, since this needs to be set at boot time. func setEnforceMode(mode int) error { … } // defaultEnforceMode returns the systems default SELinux mode Enforcing, // Permissive or Disabled. Note this is just the default at boot time. // EnforceMode tells you the systems current mode. func defaultEnforceMode() int { … } func mcsAdd(mcs string) error { … } func mcsDelete(mcs string) { … } func intToMcs(id int, catRange uint32) string { … } func uniqMcs(catRange uint32) string { … } // releaseLabel un-reserves the MLS/MCS Level field of the specified label, // allowing it to be used by another process. func releaseLabel(label string) { … } // roFileLabel returns the specified SELinux readonly file label func roFileLabel() string { … } func openContextFile() (*os.File, error) { … } func loadLabels() { … } func label(key string) string { … } // kvmContainerLabels returns the default processLabel and mountLabel to be used // for kvm containers by the calling process. func kvmContainerLabels() (string, string) { … } // initContainerLabels returns the default processLabel and file labels to be // used for containers running an init system like systemd by the calling process. func initContainerLabels() (string, string) { … } // containerLabels returns an allocated processLabel and fileLabel to be used for // container labeling by the calling process. func containerLabels() (processLabel string, fileLabel string) { … } func addMcs(processLabel, fileLabel string) (string, string) { … } // securityCheckContext validates that the SELinux label is understood by the kernel func securityCheckContext(val string) error { … } // copyLevel returns a label with the MLS/MCS level from src label replaced on // the dest label. func copyLevel(src, dest string) (string, error) { … } // chcon changes the fpath file object to the SELinux label. // If fpath is a directory and recurse is true, then chcon walks the // directory tree setting the label. func chcon(fpath string, label string, recurse bool) error { … } func rchcon(fpath, label string) error { … } // dupSecOpt takes an SELinux process label and returns security options that // can be used to set the SELinux Type and Level for future container processes. func dupSecOpt(src string) ([]string, error) { … } // findUserInContext scans the reader for a valid SELinux context // match that is verified with the verifier. Invalid contexts are // skipped. It returns a matched context or an empty string if no // match is found. If a scanner error occurs, it is returned. func findUserInContext(context Context, r io.Reader, verifier func(string) error) (string, error) { … } func getDefaultContextFromReaders(c *defaultSECtx) (string, error) { … } func getDefaultContextWithLevel(user, level, scon string) (string, error) { … }
Codebase Browser
kubernetes