sbctl: setup debug logging

Signed-off-by: Morten Linderud <[email protected]>

cmd/sbctl/main.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"log/slog"
 	"os"
 	"strings"
 
@@ -23,6 +24,7 @@ type CmdOptions struct {
 	QuietOutput     bool
 	Config          string
 	DisableLandlock bool
+	Debug           bool
 }
 
 type cliCommand struct {
@@ -59,6 +61,7 @@ func baseFlags(cmd *cobra.Command) {
 	flags.BoolVar(&cmdOptions.JsonOutput, "json", false, "Output as json")
 	flags.BoolVar(&cmdOptions.QuietOutput, "quiet", false, "Mute info from logging")
 	flags.BoolVar(&cmdOptions.DisableLandlock, "disable-landlock", false, "disable landlock")
+	flags.BoolVar(&cmdOptions.Debug, "debug", false, "debug logging")
 	flags.StringVarP(&cmdOptions.Config, "config", "", "", "Path to configuration file")
 
 	cmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
@@ -124,6 +127,16 @@ func main() {
 		if cmdOptions.DisableLandlock {
 			state.Config.Landlock = false
 		}
+
+		// Setup debug logging
+		opts := &slog.HandlerOptions{
+			Level: slog.LevelInfo,
+		}
+		if cmdOptions.Debug {
+			opts.Level = slog.LevelDebug
+		}
+		logger := slog.New(slog.NewTextHandler(os.Stdout, opts))
+		slog.SetDefault(logger)
 	}
 
 	ctx := context.WithValue(context.Background(), stateDataKey{}, state)

cmd/sbctl/status.go

@@ -2,10 +2,13 @@ package main
 
 import (
 	"fmt"
+	"log/slog"
 	"os"
 	"strings"
 
+	"github.com/foxboron/go-uefi/efi/signature"
 	"github.com/foxboron/sbctl"
+	"github.com/foxboron/sbctl/backend"
 	"github.com/foxboron/sbctl/certs"
 	"github.com/foxboron/sbctl/config"
 	"github.com/foxboron/sbctl/logging"
@@ -80,6 +83,37 @@ func PrintStatus(s *Status) {
 	}
 }
 
+func RunDebug(state *config.State) error {
+	kh, err := backend.GetKeyHierarchy(state.Fs, state.Config)
+	if err != nil {
+		return err
+	}
+
+	efistate, err := sbctl.SystemEFIVariables(state.Efivarfs)
+	if err != nil {
+		return err
+	}
+
+	guid, err := state.Config.GetGUID(state.Fs)
+	if err != nil {
+		return err
+	}
+
+	if efistate.PK.SigDataExists(signature.CERT_X509_GUID, &signature.SignatureData{Owner: *guid, Data: kh.PK.Certificate().Raw}) {
+		slog.Debug("PK is fine")
+	}
+
+	if efistate.KEK.SigDataExists(signature.CERT_X509_GUID, &signature.SignatureData{Owner: *guid, Data: kh.KEK.Certificate().Raw}) {
+		slog.Debug("KEK is fine")
+	}
+
+	if efistate.Db.SigDataExists(signature.CERT_X509_GUID, &signature.SignatureData{Owner: *guid, Data: kh.Db.Certificate().Raw}) {
+		slog.Debug("db is fine")
+	}
+
+	return nil
+}
+
 func RunStatus(cmd *cobra.Command, args []string) error {
 	state := cmd.Context().Value(stateDataKey{}).(*config.State)
 
@@ -89,6 +123,10 @@ func RunStatus(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if cmdOptions.Debug {
+		RunDebug(state)
+	}
+
 	stat := NewStatus()
 	if _, err := state.Fs.Stat("/sys/firmware/efi/efivars"); os.IsNotExist(err) {
 		return fmt.Errorf("system is not booted with UEFI")

docs/sbctl.8.txt

@@ -317,6 +317,9 @@ Options
         +
         See linkman:landlock[7].
 
+**--debug**::
+        Enable verbose debug logging. This will break the pretty printed text.
+
 
 Bundles
 -------

lsm/lsm.go

@@ -1,6 +1,7 @@
 package lsm
 
 import (
+	"log/slog"
 	"path/filepath"
 
 	"github.com/foxboron/sbctl/config"
@@ -36,10 +37,9 @@ func RestrictAdditionalPaths(r ...landlock.Rule) {
 }
 
 func Restrict() error {
-	// TODO: For debug logging
-	// for _, r := range rules {
-	// 	fmt.Println(r)
-	// }
+	for _, r := range rules {
+		slog.Debug("landlock", slog.Any("rule", r))
+	}
 	landlock.V5.BestEffort().RestrictNet()
 	return landlock.V5.BestEffort().RestrictPaths(rules...)
 }