feat: add tests and docs for yama sub package

Author: rogercoll

lsm.go

@@ -23,7 +23,7 @@ func GetLoadedModules() map[string]bool {
 	modules["selinux"] = selinux.IsSelinuxEnabled()
 	appArmorEnabled, _ := apparmor.IsAppArmorEnabled()
 	modules["apparmor"] = appArmorEnabled
-	yamaEnabled, _ := yama.IsYamaEnabled()
+	yamaEnabled, _ := yama.IsEnabled()
 	modules["yama"] = yamaEnabled
 	return modules
 }

yama/yama.go

@@ -2,22 +2,63 @@ package yama
 
 import (
 	"io/ioutil"
+	"os"
+	"strconv"
 	"strings"
 )
 
-const (
+var (
 	ptrace_scope_file = "/proc/sys/kernel/yama/ptrace_scope"
 )
 
-func IsYamaEnabled() (bool, error) {
-	body, err := ioutil.ReadFile(ptrace_scope_file)
+func parsePtraceScopeFile(path string) (string, error) {
+	if body, err := ioutil.ReadFile(path); err == nil {
+		//Scope: from 0 (classic/disabled) to 4
+		return strings.TrimSuffix(string(body), "\n"), nil
+	} else if os.IsNotExist(err) {
+		return "0", nil
+	} else {
+		return "", err
+	}
+}
+
+// IsEnabled checks whether YAMA is enabled or not
+func IsEnabled() (bool, error) {
+	scope, err := parsePtraceScopeFile(ptrace_scope_file)
 	if err != nil {
 		return false, err
 	}
 	//Scope: from 0 (classic/disabled) to 4
-	scope := strings.TrimSuffix(string(body), "\n")
 	if scope == "1" || scope == "2" || scope == "3" {
 		return true, nil
 	}
 	return false, nil
 }
+
+// Scope gets the current YAMA scope of the system
+func Scope() (int, error) {
+	scope, err := parsePtraceScopeFile(ptrace_scope_file)
+	if err != nil {
+		return 0, err
+	}
+	return strconv.Atoi(scope)
+}
+
+// ScopeDecription describes a given scope
+//
+// Kernel docs:
+// https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Yama.html
+func ScopeDescription(scope string) string {
+	switch scope {
+	case "0":
+		return "classic ptrace permissions"
+	case "1":
+		return "restricted ptrace"
+	case "2":
+		return "admin-only attach"
+	case "3":
+		return "no attach"
+	default:
+		return "unknown"
+	}
+}

yama/yama_test.go

@@ -0,0 +1,34 @@
+package yama
+
+import (
+	"io/ioutil"
+	"testing"
+)
+
+func TestIsEnabled(t *testing.T) {
+	var yamaFileTest = []struct {
+		name        string
+		fileContent string
+		out         bool
+	}{
+		{"Not enabled, with default value", "0\n", false},
+		{"Enabled, restricted", "1\n", true},
+	}
+	for _, tt := range yamaFileTest {
+		t.Run(tt.name, func(t *testing.T) {
+			f, err := ioutil.TempFile("", "testyamafile")
+			if err != nil {
+				t.Error(err)
+			}
+			ioutil.WriteFile(f.Name(), []byte(tt.fileContent), 0644)
+			ptrace_scope_file = f.Name()
+			enabled, err := IsEnabled()
+			if err != nil {
+				t.Error(err)
+			}
+			if enabled != tt.out {
+				t.Errorf("got %t, want %t", enabled, tt.out)
+			}
+		})
+	}
+}