go-firewalld/lockdown.go
2026-07-02 14:08:37 -05:00

101 lines
4.1 KiB
Go

package firewalld
import "context"
// Lockdown controls firewalld's lockdown feature and its whitelist. Lockdown, when
// enabled, restricts which applications may change the firewall; the whitelist
// names the commands, contexts, users, and uids that remain allowed. These live on
// the main object's .policies interface (distinct from zone-to-zone policies).
type Lockdown struct{ c *Conn }
// Lockdown returns the lockdown namespace.
func (c *Conn) Lockdown() *Lockdown { return &Lockdown{c: c} }
// Enable turns lockdown on.
func (l *Lockdown) Enable(ctx context.Context) error {
return l.c.call(ctx, basePath, ifaceLockdown, "enableLockdown", nil)
}
// Disable turns lockdown off.
func (l *Lockdown) Disable(ctx context.Context) error {
return l.c.call(ctx, basePath, ifaceLockdown, "disableLockdown", nil)
}
// Query reports whether lockdown is currently enabled.
func (l *Lockdown) Query(ctx context.Context) (bool, error) {
var on bool
err := l.c.call(ctx, basePath, ifaceLockdown, "queryLockdown", []any{&on})
return on, err
}
// Whitelist command operations. A command entry may end in "*" to match a prefix.
func (l *Lockdown) AddCommand(ctx context.Context, command string) error {
return l.c.call(ctx, basePath, ifaceLockdown, "addLockdownWhitelistCommand", nil, command)
}
func (l *Lockdown) RemoveCommand(ctx context.Context, command string) error {
return l.c.call(ctx, basePath, ifaceLockdown, "removeLockdownWhitelistCommand", nil, command)
}
func (l *Lockdown) QueryCommand(ctx context.Context, command string) (bool, error) {
var ok bool
err := l.c.call(ctx, basePath, ifaceLockdown, "queryLockdownWhitelistCommand", []any{&ok}, command)
return ok, err
}
func (l *Lockdown) Commands(ctx context.Context) ([]string, error) {
var xs []string
err := l.c.call(ctx, basePath, ifaceLockdown, "getLockdownWhitelistCommands", []any{&xs})
return xs, err
}
// Whitelist context (SELinux) operations.
func (l *Lockdown) AddContext(ctx context.Context, selinuxContext string) error {
return l.c.call(ctx, basePath, ifaceLockdown, "addLockdownWhitelistContext", nil, selinuxContext)
}
func (l *Lockdown) RemoveContext(ctx context.Context, selinuxContext string) error {
return l.c.call(ctx, basePath, ifaceLockdown, "removeLockdownWhitelistContext", nil, selinuxContext)
}
func (l *Lockdown) QueryContext(ctx context.Context, selinuxContext string) (bool, error) {
var ok bool
err := l.c.call(ctx, basePath, ifaceLockdown, "queryLockdownWhitelistContext", []any{&ok}, selinuxContext)
return ok, err
}
func (l *Lockdown) Contexts(ctx context.Context) ([]string, error) {
var xs []string
err := l.c.call(ctx, basePath, ifaceLockdown, "getLockdownWhitelistContexts", []any{&xs})
return xs, err
}
// Whitelist user operations (by user name).
func (l *Lockdown) AddUser(ctx context.Context, user string) error {
return l.c.call(ctx, basePath, ifaceLockdown, "addLockdownWhitelistUser", nil, user)
}
func (l *Lockdown) RemoveUser(ctx context.Context, user string) error {
return l.c.call(ctx, basePath, ifaceLockdown, "removeLockdownWhitelistUser", nil, user)
}
func (l *Lockdown) QueryUser(ctx context.Context, user string) (bool, error) {
var ok bool
err := l.c.call(ctx, basePath, ifaceLockdown, "queryLockdownWhitelistUser", []any{&ok}, user)
return ok, err
}
func (l *Lockdown) Users(ctx context.Context) ([]string, error) {
var xs []string
err := l.c.call(ctx, basePath, ifaceLockdown, "getLockdownWhitelistUsers", []any{&xs})
return xs, err
}
// Whitelist uid operations (by numeric uid).
func (l *Lockdown) AddUID(ctx context.Context, uid int32) error {
return l.c.call(ctx, basePath, ifaceLockdown, "addLockdownWhitelistUid", nil, uid)
}
func (l *Lockdown) RemoveUID(ctx context.Context, uid int32) error {
return l.c.call(ctx, basePath, ifaceLockdown, "removeLockdownWhitelistUid", nil, uid)
}
func (l *Lockdown) QueryUID(ctx context.Context, uid int32) (bool, error) {
var ok bool
err := l.c.call(ctx, basePath, ifaceLockdown, "queryLockdownWhitelistUid", []any{&ok}, uid)
return ok, err
}
func (l *Lockdown) UIDs(ctx context.Context) ([]int32, error) {
var xs []int32
err := l.c.call(ctx, basePath, ifaceLockdown, "getLockdownWhitelistUids", []any{&xs})
return xs, err
}