From 88f1811eb1abf0e9a0551ffefba08509e93d7a8e Mon Sep 17 00:00:00 2001
From: Jonathan Davies
Date: Tue, 28 Jun 2022 04:54:05 +0100
Subject: [PATCH] Add selinux collector (#2205)

Add selinux collector

Signed-off-by: Jonathan Davies
---
 README.md | 1 +
 collector/fixtures/e2e-64k-page-output.txt | 4 ++
 collector/fixtures/e2e-output.txt | 4 ++
 collector/selinux_linux.go | 78 ++++++++++++++++++++++
 end-to-end-test.sh | 1 +
 go.mod | 1 +
 go.sum | 3 +
 7 files changed, 92 insertions(+)
 create mode 100644 collector/selinux_linux.go

diff --git a/README.md b/README.md
index 0b7d643f..2fd364ed 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,7 @@ powersupplyclass | Exposes Power Supply statistics from `/sys/class/power_supply
 pressure | Exposes pressure stall statistics from `/proc/pressure/`. | Linux (kernel 4.20+ and/or [CONFIG\_PSI](https://www.kernel.org/doc/html/latest/accounting/psi.html))
 rapl | Exposes various statistics from `/sys/class/powercap`. | Linux
 schedstat | Exposes task scheduler statistics from `/proc/schedstat`. | Linux
+selinux | Exposes SELinux statistics. | Linux
 sockstat | Exposes various statistics from `/proc/net/sockstat`. | Linux
 softnet | Exposes statistics from `/proc/net/softnet_stat`. | Linux
 stat | Exposes various statistics from `/proc/stat`. This includes boot time, forks and interrupts. | Linux
diff --git a/collector/fixtures/e2e-64k-page-output.txt b/collector/fixtures/e2e-64k-page-output.txt
index ab643904..4477c970 100644
--- a/collector/fixtures/e2e-64k-page-output.txt
+++ b/collector/fixtures/e2e-64k-page-output.txt
@@ -3012,6 +3012,7 @@ node_scrape_collector_success{collector="processes"} 1
 node_scrape_collector_success{collector="qdisc"} 1
 node_scrape_collector_success{collector="rapl"} 1
 node_scrape_collector_success{collector="schedstat"} 1
+node_scrape_collector_success{collector="selinux"} 1
 node_scrape_collector_success{collector="sockstat"} 1
 node_scrape_collector_success{collector="softnet"} 1
 node_scrape_collector_success{collector="stat"} 1
@@ -3025,6 +3026,9 @@ node_scrape_collector_success{collector="wifi"} 1
 node_scrape_collector_success{collector="xfs"} 1
 node_scrape_collector_success{collector="zfs"} 1
 node_scrape_collector_success{collector="zoneinfo"} 1
+# HELP node_selinux_enabled SELinux is enabled, 1 is true, 0 is false
+# TYPE node_selinux_enabled gauge
+node_selinux_enabled 0
 # HELP node_sockstat_FRAG6_inuse Number of FRAG6 sockets in state inuse.
 # TYPE node_sockstat_FRAG6_inuse gauge
 node_sockstat_FRAG6_inuse 0
diff --git a/collector/fixtures/e2e-output.txt b/collector/fixtures/e2e-output.txt
index 7716e6ca..73d4bfc9 100644
--- a/collector/fixtures/e2e-output.txt
+++ b/collector/fixtures/e2e-output.txt
@@ -3034,6 +3034,7 @@ node_scrape_collector_success{collector="processes"} 1
 node_scrape_collector_success{collector="qdisc"} 1
 node_scrape_collector_success{collector="rapl"} 1
 node_scrape_collector_success{collector="schedstat"} 1
+node_scrape_collector_success{collector="selinux"} 1
 node_scrape_collector_success{collector="sockstat"} 1
 node_scrape_collector_success{collector="softnet"} 1
 node_scrape_collector_success{collector="stat"} 1
@@ -3047,6 +3048,9 @@ node_scrape_collector_success{collector="wifi"} 1
 node_scrape_collector_success{collector="xfs"} 1
 node_scrape_collector_success{collector="zfs"} 1
 node_scrape_collector_success{collector="zoneinfo"} 1
+# HELP node_selinux_enabled SELinux is enabled, 1 is true, 0 is false
+# TYPE node_selinux_enabled gauge
+node_selinux_enabled 0
 # HELP node_sockstat_FRAG6_inuse Number of FRAG6 sockets in state inuse.
 # TYPE node_sockstat_FRAG6_inuse gauge
 node_sockstat_FRAG6_inuse 0
diff --git a/collector/selinux_linux.go b/collector/selinux_linux.go
new file mode 100644
index 00000000..71a3c021
--- /dev/null
+++ b/collector/selinux_linux.go
@@ -0,0 +1,78 @@
+// Copyright 2022 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build linux && !noselinux
+// +build linux,!noselinux
+
+package collector
+
+import (
+ "github.com/go-kit/log"
+ "github.com/opencontainers/selinux/go-selinux"
+ "github.com/prometheus/client_golang/prometheus"
+)
+
+type selinuxCollector struct {
+ configMode *prometheus.Desc
+ currentMode *prometheus.Desc
+ enabled *prometheus.Desc
+ logger log.Logger
+}
+
+func init() {
+ registerCollector("selinux", defaultEnabled, NewSelinuxCollector)
+}
+
+// NewSelinuxCollector returns a new Collector exposing SELinux statistics.
+func NewSelinuxCollector(logger log.Logger) (Collector, error) {
+ const subsystem = "selinux"
+
+ return &selinuxCollector{
+ configMode: prometheus.NewDesc(
+ prometheus.BuildFQName(namespace, subsystem, "config_mode"),
+ "Configured SELinux enforcement mode",
+ nil, nil,
+ ),
+ currentMode: prometheus.NewDesc(
+ prometheus.BuildFQName(namespace, subsystem, "current_mode"),
+ "Current SELinux enforcement mode",
+ nil, nil,
+ ),
+ enabled: prometheus.NewDesc(
+ prometheus.BuildFQName(namespace, subsystem, "enabled"),
+ "SELinux is enabled, 1 is true, 0 is false",
+ nil, nil,
+ ),
+ logger: logger,
+ }, nil
+}
+
+func (c *selinuxCollector) Update(ch chan<- prometheus.Metric) error {
+ if !selinux.GetEnabled() {
+ ch <- prometheus.MustNewConstMetric(
+ c.enabled, prometheus.GaugeValue, 0)
+
+ return nil
+ }
+
+ ch <- prometheus.MustNewConstMetric(
+ c.enabled, prometheus.GaugeValue, 1)
+
+ ch <- prometheus.MustNewConstMetric(
+ c.configMode, prometheus.GaugeValue, float64(selinux.DefaultEnforceMode()))
+
+ ch <- prometheus.MustNewConstMetric(
+ c.currentMode, prometheus.GaugeValue, float64(selinux.EnforceMode()))
+
+ return nil
+}
diff --git a/end-to-end-test.sh b/end-to-end-test.sh
index d69da6ed..ca677759 100755
--- a/end-to-end-test.sh
+++ b/end-to-end-test.sh
@@ -37,6 +37,7 @@ enabled_collectors=$(cat << COLLECTORS
 qdisc
 rapl
 schedstat
+ selinux
 sockstat
 stat
 thermal_zone
diff --git a/go.mod b/go.mod
index a29cee92..8ccb37b2 100644
--- a/go.mod
+++ b/go.mod
@@ -16,6 +16,7 @@ require (
 github.com/mattn/go-xmlrpc v0.0.3
 github.com/mdlayher/netlink v1.6.0
 github.com/mdlayher/wifi v0.0.0-20220320220353-954ff73a19a5
+ github.com/opencontainers/selinux v1.10.1
 github.com/prometheus/client_golang v1.12.2
 github.com/prometheus/client_model v0.2.0
 github.com/prometheus/common v0.35.0
diff --git a/go.sum b/go.sum
index 6efed1ed..9905031e 100644
--- a/go.sum
+++ b/go.sum
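Review bot: The HELP strings for `config_mode` and `current_mode` in NewSelinuxCollector do not say how the gauge value maps to a mode, whereas `enabled` spells out its encoding; the values are passed straight through from go-selinux's `DefaultEnforceMode()` and `EnforceMode()`, whose constants are `Enforcing = 1`, `Permissive = 0`, `Disabled = -1`, so a reader of the exposition has nothing to interpret a -1 against. Suggest `"Configured SELinux enforcement mode (1 = enforcing, 0 = permissive, -1 = disabled)"` and `"Current SELinux enforcement mode (1 = enforcing, 0 = permissive, -1 = disabled)"`. As far as I recall `EnforceMode()` also returns -1 when `/sys/fs/selinux/enforce` cannot be read, which Update would export indistinguishably from a disabled policy; worth confirming, and if so the `logger` field, which is stored in the struct but not used anywhere in this hunk, is the place to report it. A drift between the two gauges (policy configured enforcing but currently permissive) is the condition an operator will alert on, so the encoding belongs in the HELP text rather than only in the library source.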
@@ -205,6 +205,8 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/opencontainers/selinux v1.10.1 h1:09LIPVRP3uuZGQvgR+SgMSNBd1Eb3vlRbGqQpoHsF8w=
+github.com/opencontainers/selinux v1.10.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -379,6 +381,7 @@ golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190902133755-9109b7679e13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=