Add selinux collector (#2205)

Add selinux collector Signed-off-by: Jonathan Davies <jpds@protonmail.com>
prometheus · Jun 28, 2022 · 88f1811 · 88f1811
1 parent d64766f
commit 88f1811
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -120,6 +120,7 @@ powersupplyclass | Exposes Power Supply statistics from `/sys/class/power_supply
 pressure | Exposes pressure stall statistics from `/proc/pressure/`. | Linux (kernel 4.20+ and/or [CONFIG\_PSI](https://www.kernel.org/doc/html/latest/accounting/psi.html))
 rapl | Exposes various statistics from `/sys/class/powercap`. | Linux
 schedstat | Exposes task scheduler statistics from `/proc/schedstat`. | Linux
+selinux | Exposes SELinux statistics. | Linux
 sockstat | Exposes various statistics from `/proc/net/sockstat`. | Linux
 softnet | Exposes statistics from `/proc/net/softnet_stat`. | Linux
 stat | Exposes various statistics from `/proc/stat`. This includes boot time, forks and interrupts. | Linux

diff --git a/collector/fixtures/e2e-64k-page-output.txt b/collector/fixtures/e2e-64k-page-output.txt
@@ -3012,6 +3012,7 @@ node_scrape_collector_success{collector="processes"} 1
 node_scrape_collector_success{collector="qdisc"} 1
 node_scrape_collector_success{collector="rapl"} 1
 node_scrape_collector_success{collector="schedstat"} 1
+node_scrape_collector_success{collector="selinux"} 1
 node_scrape_collector_success{collector="sockstat"} 1
 node_scrape_collector_success{collector="softnet"} 1
 node_scrape_collector_success{collector="stat"} 1
@@ -3025,6 +3026,9 @@ node_scrape_collector_success{collector="wifi"} 1
 node_scrape_collector_success{collector="xfs"} 1
 node_scrape_collector_success{collector="zfs"} 1
 node_scrape_collector_success{collector="zoneinfo"} 1
+# HELP node_selinux_enabled SELinux is enabled, 1 is true, 0 is false
+# TYPE node_selinux_enabled gauge
+node_selinux_enabled 0
 # HELP node_sockstat_FRAG6_inuse Number of FRAG6 sockets in state inuse.
 # TYPE node_sockstat_FRAG6_inuse gauge
 node_sockstat_FRAG6_inuse 0

diff --git a/collector/fixtures/e2e-output.txt b/collector/fixtures/e2e-output.txt
@@ -3034,6 +3034,7 @@ node_scrape_collector_success{collector="processes"} 1
 node_scrape_collector_success{collector="qdisc"} 1
 node_scrape_collector_success{collector="rapl"} 1
 node_scrape_collector_success{collector="schedstat"} 1
+node_scrape_collector_success{collector="selinux"} 1
 node_scrape_collector_success{collector="sockstat"} 1
 node_scrape_collector_success{collector="softnet"} 1
 node_scrape_collector_success{collector="stat"} 1
@@ -3047,6 +3048,9 @@ node_scrape_collector_success{collector="wifi"} 1
 node_scrape_collector_success{collector="xfs"} 1
 node_scrape_collector_success{collector="zfs"} 1
 node_scrape_collector_success{collector="zoneinfo"} 1
+# HELP node_selinux_enabled SELinux is enabled, 1 is true, 0 is false
+# TYPE node_selinux_enabled gauge
+node_selinux_enabled 0
 # HELP node_sockstat_FRAG6_inuse Number of FRAG6 sockets in state inuse.
 # TYPE node_sockstat_FRAG6_inuse gauge
 node_sockstat_FRAG6_inuse 0

diff --git a/collector/selinux_linux.go b/collector/selinux_linux.go
@@ -0,0 +1,78 @@
+// Copyright 2022 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build linux && !noselinux
+// +build linux,!noselinux
+
+package collector
+
+import (
+	"github.com/go-kit/log"
+	"github.com/opencontainers/selinux/go-selinux"
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+type selinuxCollector struct {
+	configMode  *prometheus.Desc
+	currentMode *prometheus.Desc
+	enabled     *prometheus.Desc
+	logger      log.Logger
+}
+
+func init() {
+	registerCollector("selinux", defaultEnabled, NewSelinuxCollector)
+}
+
+// NewSelinuxCollector returns a new Collector exposing SELinux statistics.
+func NewSelinuxCollector(logger log.Logger) (Collector, error) {
+	const subsystem = "selinux"
+
+	return &selinuxCollector{
+		configMode: prometheus.NewDesc(
+			prometheus.BuildFQName(namespace, subsystem, "config_mode"),
+			"Configured SELinux enforcement mode",
+			nil, nil,
+		),
+		currentMode: prometheus.NewDesc(
+			prometheus.BuildFQName(namespace, subsystem, "current_mode"),
+			"Current SELinux enforcement mode",
+			nil, nil,
+		),
+		enabled: prometheus.NewDesc(
+			prometheus.BuildFQName(namespace, subsystem, "enabled"),
+			"SELinux is enabled, 1 is true, 0 is false",
+			nil, nil,
+		),
+		logger: logger,
+	}, nil
+}
+
+func (c *selinuxCollector) Update(ch chan<- prometheus.Metric) error {
+	if !selinux.GetEnabled() {
+		ch <- prometheus.MustNewConstMetric(
+			c.enabled, prometheus.GaugeValue, 0)
+
+		return nil
+	}
+
+	ch <- prometheus.MustNewConstMetric(
+		c.enabled, prometheus.GaugeValue, 1)
+
+	ch <- prometheus.MustNewConstMetric(
+		c.configMode, prometheus.GaugeValue, float64(selinux.DefaultEnforceMode()))
+
+	ch <- prometheus.MustNewConstMetric(
+		c.currentMode, prometheus.GaugeValue, float64(selinux.EnforceMode()))
+
+	return nil
+}
diff --git a/end-to-end-test.sh b/end-to-end-test.sh
@@ -37,6 +37,7 @@ enabled_collectors=$(cat << COLLECTORS
   qdisc
   rapl
   schedstat
+  selinux
   sockstat
   stat
   thermal_zone

diff --git a/go.mod b/go.mod
@@ -16,6 +16,7 @@ require (
 	github.com/mattn/go-xmlrpc v0.0.3
 	github.com/mdlayher/netlink v1.6.0
 	github.com/mdlayher/wifi v0.0.0-20220320220353-954ff73a19a5
+	github.com/opencontainers/selinux v1.10.1
 	github.com/prometheus/client_golang v1.12.2
 	github.com/prometheus/client_model v0.2.0
 	github.com/prometheus/common v0.35.0

diff --git a/go.sum b/go.sum
@@ -205,6 +205,8 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/opencontainers/selinux v1.10.1 h1:09LIPVRP3uuZGQvgR+SgMSNBd1Eb3vlRbGqQpoHsF8w=
+github.com/opencontainers/selinux v1.10.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -379,6 +381,7 @@ golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190902133755-9109b7679e13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=