From 3ca8e8fea73899965c0bfcf17a5c7923f299aa1e Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 12 Oct 2022 18:05:54 +0200
Subject: [PATCH] golangci: enable gosec linter
Signed-off-by: Sebastiaan van Stijn
---
.golangci.yml | 1 +
go-selinux/selinux_linux.go | 2 ++
pkg/pwalk/pwalk_test.go | 2 +-
pkg/pwalkdir/pwalkdir_test.go | 2 +-
4 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.golangci.yml b/.golangci.yml
index 875893a..d5eca0f 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -9,6 +9,7 @@ linters:
 - exportloopref # Detects pointers to enclosing loop variables.
 - gocritic # Metalinter; detects bugs, performance, and styling issues.
 - gofumpt # Detects whether code was gofumpt-ed.
+ - gosec # Detects security problems.
 - misspell # Detects commonly misspelled English words in comments.
 - nilerr # Detects code that returns nil even if it checks that the error is not nil.
 - nolintlint # Detects ill-formed or insufficient nolint directives.
diff --git a/go-selinux/selinux_linux.go b/go-selinux/selinux_linux.go
index bdad338..f8afa8e 100644
--- a/go-selinux/selinux_linux.go
+++ b/go-selinux/selinux_linux.go
@@ -839,6 +839,7 @@ func enforceMode() int {
 // setEnforceMode sets the current SELinux mode Enforcing, Permissive.
 // Disabled is not valid, since this needs to be set at boot time.
 func setEnforceMode(mode int) error {
+ //nolint:gosec // ignore G306: permissions to be 0600 or less.
 return os.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0o644)
 }
@@ -1046,6 +1047,7 @@ func addMcs(processLabel, fileLabel string) (string, string) {
 // securityCheckContext validates that the SELinux label is understood by the kernel
 func securityCheckContext(val string) error {
+ //nolint:gosec // ignore G306: permissions to be 0600 or less.
 return os.WriteFile(path.Join(getSelinuxMountPoint(), "context"), []byte(val), 0o644)
 }
diff --git a/pkg/pwalk/pwalk_test.go b/pkg/pwalk/pwalk_test.go
index 235b001..9553111 100644
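Review bot: The justification on both added `//nolint:gosec` comments (setEnforceMode in the @@ -839 hunk and securityCheckContext in the @@ -1046 hunk) repeats gosec's G306 message instead of saying why 0o644 is acceptable, so a later audit of suppressions cannot tell whether the finding was assessed. If, as the helper names suggest, both targets are existing selinuxfs nodes, the mode is never applied, because os.WriteFile uses it only when it creates the file; a comment such as `//nolint:gosec // G306: target is an existing selinuxfs node; perm is only used on create.` would record that. os.WriteFile also opens with O_CREATE, so if `getSelinuxMountPoint()` can return an empty string, `path.Join` yields the relative name `context` and a regular 0644 file would be created in the working directory. Opening with `os.OpenFile(p, os.O_WRONLY, 0)` and writing through the handle would remove both that case and the need for the suppression. Both functions are fully visible in their hunks, but the mount-point helper is not, so the empty-string case needs confirming.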
--- a/pkg/pwalk/pwalk_test.go
+++ b/pkg/pwalk/pwalk_test.go
@@ -214,6 +214,6 @@ func cbReadFile(path string, info os.FileInfo, _ error) error {
 }
 func cbRandomSleep(_ string, _ os.FileInfo, _ error) error {
- time.Sleep(time.Duration(rand.Intn(500)) * time.Microsecond)
+ time.Sleep(time.Duration(rand.Intn(500)) * time.Microsecond) //nolint:gosec // ignore G404: Use of weak random number generator
 return nil
 }
diff --git a/pkg/pwalkdir/pwalkdir_test.go b/pkg/pwalkdir/pwalkdir_test.go
index 314fb3c..ce5547c 100644
--- a/pkg/pwalkdir/pwalkdir_test.go
+++ b/pkg/pwalkdir/pwalkdir_test.go
@@ -218,6 +218,6 @@ func cbReadFile(path string, e fs.DirEntry, _ error) error {
 }
 func cbRandomSleep(_ string, _ fs.DirEntry, _ error) error {
- time.Sleep(time.Duration(rand.Intn(500)) * time.Microsecond)
+ time.Sleep(time.Duration(rand.Intn(500)) * time.Microsecond) //nolint:gosec // ignore G404: Use of weak random number generator
 return nil
 }
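Review bot: The suppression text on the changed `time.Sleep` line in cbRandomSleep (and the identical line in pkg/pwalkdir/pwalkdir_test.go) repeats the G404 rule title rather than the reason the rule does not apply. The value is only sleep jitter inside a test callback, so `//nolint:gosec // G404: test-only sleep jitter, not security-sensitive.` tells an auditor of suppressions what was decided. Because the same finding is silenced in two test files, a path-scoped entry for `_test\.go` under `issues.exclude-rules` in .golangci.yml would keep the directive out of the code. That last point is a style preference, not a defect.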