Go-wrapper around Linux Security Modules basic operations.
- AppArmor
- Lockdown
- LoadPin
- SELinux
- Smack
- TOMOYO
- Yama
In order to interact with SELinux, the `selinux.h` header file must be present on the system. On Debian:

```
apt install libselinux1-dev
```
```go
import "github.com/rogercoll/go-lsm"
```
Construct a new LSM config, then use the various methods to access different parts of the system Linux Security modules configuration. For example, to get all loaded security modules:
```go
// Build the default configuration, then query the loaded modules.
l, err := lsm.NewDefaultConfig()
if err != nil {
	log.Fatalf("Failed to create default config: %v", err)
}
modules, err := l.GetLoadedModules()
```
Multiple Linux security modules can be loaded in a system, but a loaded module is not necessarily enabled. With the default configuration some modules are loaded but not actually securing the system, because they need a more restrictive configuration before they enforce anything. For example, Lockdown can be loaded, but with no additional configuration it performs no security tasks, so it is not active.

A function is provided for each covered LSM to check whether it is active in at least its least restrictive mode (which is still restrictive!), for example:
```go
yactive, err := l.IsYamaActive()
if err != nil {
	log.Fatalf("Failed to check whether yama is securing the system or not: %v", err)
}
lactive, err := l.IsLockdownActive()
...
```
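As an added example (not code from go-lsm), the loaded-versus-active distinction above can be checked directly against the kernel interfaces that expose it: `/sys/kernel/security/lsm` lists the loaded modules, `/sys/kernel/security/lockdown` shows the current Lockdown mode in brackets, and `/proc/sys/kernel/yama/ptrace_scope` holds Yama's ptrace restriction level. The file contents are constructed samples embedded in the code, so it runs without a live kernel.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample contents (not read from a live system) of
// /sys/kernel/security/lsm, /sys/kernel/security/lockdown (current mode in
// brackets) and /proc/sys/kernel/yama/ptrace_scope (0 = unrestricted).
const (
	sampleLSMList  = "lockdown,capability,landlock,yama,apparmor\n"
	sampleLockdown = "[none] integrity confidentiality\n"
	sampleYama     = "0\n"
)

// IsLoaded reports whether name appears in the comma-separated LSM list.
func IsLoaded(lsmList, name string) bool {
	for _, m := range strings.Split(strings.TrimSpace(lsmList), ",") {
		if m == name {
			return true
		}
	}
	return false
}

// LockdownActive is true only when the bracketed (current) mode is not "none".
func LockdownActive(lockdown string) (bool, error) {
	start, end := strings.Index(lockdown, "["), strings.Index(lockdown, "]")
	if start < 0 || end < start {
		return false, fmt.Errorf("unexpected lockdown format: %q", lockdown)
	}
	return lockdown[start+1:end] != "none", nil
}

// YamaActive is true when ptrace_scope >= 1, the least restrictive mode that
// still limits PTRACE_ATTACH to descendants (or CAP_SYS_PTRACE holders).
func YamaActive(ptraceScope string) (bool, error) {
	scope, err := strconv.Atoi(strings.TrimSpace(ptraceScope))
	if err != nil {
		return false, fmt.Errorf("unexpected ptrace_scope value: %w", err)
	}
	return scope >= 1, nil
}

func main() {
	l, _ := LockdownActive(sampleLockdown)
	y, _ := YamaActive(sampleYama)
	fmt.Println("lockdown loaded:", IsLoaded(sampleLSMList, "lockdown"), "active:", l, "| yama active:", y)
}
```

With the sample data both Lockdown and Yama are loaded but neither is active, which is exactly the state the text warns about.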