feat: report SELinux labels

This will be useful for debugging SELinux implementation. Make API report other xattrs for further development like IMA/EVM Signed-off-by: Dmitry Sharshakov <[email protected]>
siderolabs · Aug 26, 2024 · 4834a61 · 4834a61
1 parent 8fe39ea
commit 4834a61
Show file tree

Hide file tree

Showing 8 changed files with 2,517 additions and 2,095 deletions.
diff --git a/api/machine/machine.proto b/api/machine/machine.proto
@@ -452,6 +452,8 @@ message ListRequest {
   // Types indicates what file type should be returned. If not indicated,
   // all files will be returned.
   repeated Type types = 4;
+  // Report xattrs
+  bool report_xattrs = 5;
 }
 
 // DiskUsageRequest describes a request to list disk usage of directories and regular files
@@ -492,6 +494,13 @@ message FileInfo {
   uint32 uid = 10;
   // Owner gid
   uint32 gid = 11;
+  // Extended attributes (if present and requested)
+  repeated Xattr xattrs = 12;
+}
+
+message Xattr {
+  string name = 1;
+  bytes data = 2;
 }
 
 // DiskUsageInfo describes a file or directory's information for du command

diff --git a/cmd/talosctl/cmd/talos/list.go b/cmd/talosctl/cmd/talos/list.go
@@ -85,6 +85,7 @@ var lsCmd = &cobra.Command{
 				Recurse:        recursionDepth > 1 || recurse,
 				RecursionDepth: recursionDepth,
 				Types:          reqTypes,
+				ReportXattrs:   long,
 			})
 			if err != nil {
 				return fmt.Errorf("error fetching logs: %s", err)
@@ -117,7 +118,7 @@ var lsCmd = &cobra.Command{
 			w := tabwriter.NewWriter(os.Stdout, 0, 0, 3, ' ', 0)
 			defer w.Flush() //nolint:errcheck
 
-			fmt.Fprintln(w, "NODE\tMODE\tUID\tGID\tSIZE(B)\tLASTMOD\tNAME")
+			fmt.Fprintln(w, "NODE\tMODE\tUID\tGID\tSIZE(B)\tLASTMOD\tLABEL\tNAME")
 
 			return helpers.ReadGRPCStream(stream, func(info *machineapi.FileInfo, node string, multipleNodes bool) error {
 				if info.Error != "" {
@@ -148,13 +149,25 @@ var lsCmd = &cobra.Command{
 					}
 				}
 
-				fmt.Fprintf(w, "%s\t%s\t%d\t%d\t%s\t%s\t%s\n",
+				label := ""
+				if info.Xattrs != nil {
+					for _, l := range info.Xattrs {
+						if l.Name == "security.selinux" {
+							label = string(l.Data)
+
+							break
+						}
+					}
+				}
+
+				fmt.Fprintf(w, "%s\t%s\t%d\t%d\t%s\t%s\t%s\t%s\n",
 					node,
 					os.FileMode(info.Mode).String(),
 					info.Uid,
 					info.Gid,
 					size,
 					timestampFormatted,
+					label,
 					display,
 				)
 

diff --git a/go.mod b/go.mod
@@ -117,6 +117,7 @@ require (
 	github.com/packethost/packngo v0.31.0
 	github.com/pelletier/go-toml/v2 v2.2.2
 	github.com/pin/tftp/v3 v3.1.0
+	github.com/pkg/xattr v0.4.9
 	github.com/pmorjan/kmod v1.1.1
 	github.com/prometheus/procfs v0.15.1
 	github.com/rivo/tview v0.0.0-20240807095714-a8dd8799d63b

diff --git a/go.sum b/go.sum
@@ -526,6 +526,8 @@ github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjL
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
+github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
+github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/planetscale/vtprotobuf v0.6.0 h1:nBeETjudeJ5ZgBHUz1fVHvbqUKnYOXNhsIEabROxmNA=
 github.com/planetscale/vtprotobuf v0.6.0/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -871,6 +873,7 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

diff --git a/internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go b/internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go
@@ -31,6 +31,7 @@ import (
 	"github.com/gopacket/gopacket/afpacket"
 	multierror "github.com/hashicorp/go-multierror"
 	"github.com/nberlee/go-netstat/netstat"
+	"github.com/pkg/xattr"
 	"github.com/prometheus/procfs"
 	"github.com/rs/xid"
 	"github.com/siderolabs/gen/xslices"
@@ -831,11 +832,24 @@ func (s *Server) List(req *machine.ListRequest, obj machine.MachineService_ListS
 	}
 
 	for fi := range files {
+		xattrs := []*machine.Xattr{}
+
+		if req.ReportXattrs {
+			if list, err := xattr.List(fi.FullPath); err == nil {
+				for _, attr := range list {
+					if data, err := xattr.Get(fi.FullPath, attr); err == nil {
+						xattrs = append(xattrs, &machine.Xattr{Name: attr, Data: data})
+					}
+				}
+			}
+		}
+
 		if fi.Error != nil {
 			err = obj.Send(&machine.FileInfo{
 				Name:         fi.FullPath,
 				RelativeName: fi.RelPath,
 				Error:        fi.Error.Error(),
+				Xattrs:       xattrs,
 			})
 		} else {
 			err = obj.Send(&machine.FileInfo{
@@ -848,6 +862,7 @@ func (s *Server) List(req *machine.ListRequest, obj machine.MachineService_ListS
 				Link:         fi.Link,
 				Uid:          fi.FileInfo.Sys().(*syscall.Stat_t).Uid,
 				Gid:          fi.FileInfo.Sys().(*syscall.Stat_t).Gid,
+				Xattrs:       xattrs,
 			})
 		}