Add package to perform path lookups and validations for commands

.golangci.yml

@@ -15,6 +15,7 @@ linters:
     - sqlclosecheck
     - unconvert
     - paralleltest
+    - forbidigo
     - sloglint
     - revive
   disable:
@@ -34,6 +35,10 @@ linters-settings:
     ignore: github.com/go-kit/kit/log:Log
   gofmt:
     simplify: false
+  forbidigo:
+    forbid:
+      - p: ^exec\.Command.*$
+        msg: use pkg/allowedcmd functions instead
   sloglint:
     kv-only: true
     context-only: true

cmd/launcher/uninstall_darwin.go

@@ -7,9 +7,10 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"os/exec"
 	"strings"
 	"time"
+
+	"github.com/kolide/launcher/pkg/allowedcmd"
 )
 
 func removeLauncher(ctx context.Context, identifier string) error {
@@ -19,12 +20,15 @@ func removeLauncher(ctx context.Context, identifier string) error {
 	}
 
 	launchDaemonPList := fmt.Sprintf("/Library/LaunchDaemons/com.%s.launcher.plist", identifier)
-	launchCtlPath := "/bin/launchctl"
 	launchCtlArgs := []string{"unload", launchDaemonPList}
 
 	launchctlCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
-	cmd := exec.CommandContext(launchctlCtx, launchCtlPath, launchCtlArgs...)
+	cmd, err := allowedcmd.Launchctl(launchctlCtx, launchCtlArgs...)
+	if err != nil {
+		fmt.Printf("could not find launchctl: %s\n", err)
+		return err
+	}
 	if out, err := cmd.Output(); err != nil {
 		fmt.Printf("error occurred while unloading launcher daemon, launchctl output %s: err: %s\n", out, err)
 		return err
@@ -55,7 +59,11 @@ func removeLauncher(ctx context.Context, identifier string) error {
 
 	pkgutiltCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
-	pkgUtilcmd := exec.CommandContext(pkgutiltCtx, "/usr/sbin/pkgutil", "--forget", fmt.Sprintf("com.%s.launcher", identifier))
+	pkgUtilcmd, err := allowedcmd.Pkgutil(pkgutiltCtx, "--forget", fmt.Sprintf("com.%s.launcher", identifier))
+	if err != nil {
+		fmt.Printf("could not find pkgutil: %s\n", err)
+		return err
+	}
 
 	if out, err := pkgUtilcmd.Output(); err != nil {
 		fmt.Printf("error occurred while forgetting package: output %s: err: %s\n", out, err)

cmd/launcher/uninstall_linux.go

@@ -5,10 +5,12 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
-	"os/exec"
 	"strings"
+
+	"github.com/kolide/launcher/pkg/allowedcmd"
 )
 
 func removeLauncher(ctx context.Context, identifier string) error {
@@ -21,33 +23,27 @@ func removeLauncher(ctx context.Context, identifier string) error {
 	packageName := fmt.Sprintf("launcher-%s", identifier)
 
 	// Stop and disable launcher service
-	cmd := exec.CommandContext(ctx, "systemctl", []string{"disable", "--now", serviceName}...)
+	cmd, err := allowedcmd.Systemctl(ctx, []string{"disable", "--now", serviceName}...)
+	if err != nil {
+		fmt.Printf("could not find systemctl: %s\n", err)
+		return err
+	}
 	if out, err := cmd.CombinedOutput(); err != nil {
 		// Don't exit. Log and move on to the next uninstall command
 		fmt.Printf("error occurred while stopping/disabling launcher service, systemctl output %s: err: %s\n", string(out), err)
 	}
 
-	fileExists := func(f string) bool {
-		if _, err := os.Stat(f); err == nil {
-			return true
-		}
-		return false
-	}
-
 	// Tell the appropriate package manager to remove launcher
-	switch {
-	case fileExists("/usr/bin/dpkg"):
-		cmd = exec.CommandContext(ctx, "/usr/bin/dpkg", []string{"--purge", packageName}...)
+	if cmd, err := allowedcmd.Dpkg(ctx, []string{"--purge", packageName}...); err == nil {
 		if out, err := cmd.CombinedOutput(); err != nil {
 			fmt.Printf("error occurred while running dpkg --purge, output %s: err: %s\n", string(out), err)
 		}
-	case fileExists("/bin/rpm"):
-		cmd = exec.CommandContext(ctx, "/bin/rpm", []string{"-e", packageName}...)
+	} else if cmd, err := allowedcmd.Rpm(ctx, []string{"-e", packageName}...); err == nil {
 		if out, err := cmd.CombinedOutput(); err != nil {
 			fmt.Printf("error occurred while running rpm -e, output %s: err: %s\n", string(out), err)
 		}
-	default:
-		return fmt.Errorf("unsupported package manager")
+	} else {
+		return errors.New("unsupported package manager")
 	}
 
 	pathsToRemove := []string{

ee/consoleuser/consoleuser_darwin.go

@@ -8,9 +8,10 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"os/exec"
 	"strconv"
 	"strings"
+
+	"github.com/kolide/launcher/pkg/allowedcmd"
 )
 
 // example scutil output
@@ -90,7 +91,10 @@ const (
 )
 
 func CurrentUids(ctx context.Context) ([]string, error) {
-	cmd := exec.CommandContext(ctx, "scutil")
+	cmd, err := allowedcmd.Scutil(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("creating scutil command: %w", err)
+	}
 	cmd.Stdin = strings.NewReader("show State:/Users/ConsoleUser")
 
 	output, err := cmd.CombinedOutput()

ee/consoleuser/consoleuser_linux.go

@@ -7,8 +7,9 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"os/exec"
 	"strings"
+
+	"github.com/kolide/launcher/pkg/allowedcmd"
 )
 
 type listSessionsResult []struct {
@@ -18,7 +19,11 @@ type listSessionsResult []struct {
 }
 
 func CurrentUids(ctx context.Context) ([]string, error) {
-	output, err := exec.CommandContext(ctx, "loginctl", "list-sessions", "--no-legend", "--no-pager", "--output=json").Output()
+	cmd, err := allowedcmd.Loginctl(ctx, "list-sessions", "--no-legend", "--no-pager", "--output=json")
+	if err != nil {
+		return nil, fmt.Errorf("creating loginctl command: %w", err)
+	}
+	output, err := cmd.Output()
 	if err != nil {
 		return nil, fmt.Errorf("loginctl list-sessions: %w", err)
 	}
@@ -36,13 +41,16 @@ func CurrentUids(ctx context.Context) ([]string, error) {
 			continue
 		}
 
-		output, err := exec.CommandContext(ctx,
-			"loginctl",
+		cmd, err := allowedcmd.Loginctl(ctx,
 			"show-session", s.Session,
 			"--property=Remote",
 			"--property=Active",
-		).Output()
+		)
+		if err != nil {
+			return nil, fmt.Errorf("creating loginctl command: %w", err)
+		}
 
+		output, err := cmd.Output()
 		if err != nil {
 			return nil, fmt.Errorf("loginctl show-session (for sessionId %s): %w", s.Session, err)
 		}

ee/desktop/runner/runner.go

@@ -755,7 +755,7 @@ func (r *DesktopUsersProcessesRunner) menuTemplatePath() string {
 
 // desktopCommand invokes the launcher desktop executable with the appropriate env vars
 func (r *DesktopUsersProcessesRunner) desktopCommand(executablePath, uid, socketPath, menuPath string) (*exec.Cmd, error) {
-	cmd := exec.Command(executablePath, "desktop")
+	cmd := exec.Command(executablePath, "desktop") //nolint:forbidigo // We trust that the launcher executable path is correct, so we don't need to use allowedcmd
 
 	cmd.Env = []string{
 		// When we set cmd.Env (as we're doing here/below), cmd will no longer include the default cmd.Environ()

ee/desktop/runner/runner_linux.go

@@ -16,6 +16,7 @@ import (
 	"syscall"
 
 	"github.com/go-kit/kit/log/level"
+	"github.com/kolide/launcher/pkg/allowedcmd"
 	"github.com/kolide/launcher/pkg/traces"
 	"github.com/shirou/gopsutil/v3/process"
 )
@@ -90,7 +91,16 @@ func (r *DesktopUsersProcessesRunner) userEnvVars(ctx context.Context, uid strin
 	}
 
 	// Get the user's session so we can get their display (needed for opening notification action URLs in browser)
-	sessionOutput, err := exec.CommandContext(ctx, "loginctl", "show-user", uid, "--value", "--property=Sessions").Output()
+	cmd, err := allowedcmd.Loginctl(ctx, "show-user", uid, "--value", "--property=Sessions")
+	if err != nil {
+		level.Debug(r.logger).Log(
+			"msg", "could not create loginctl command",
+			"uid", uid,
+			"err", err,
+		)
+		return envVars
+	}
+	sessionOutput, err := cmd.Output()
 	if err != nil {
 		level.Debug(r.logger).Log(
 			"msg", "could not get user session",
@@ -108,7 +118,16 @@ func (r *DesktopUsersProcessesRunner) userEnvVars(ctx context.Context, uid strin
 	sessionList := strings.Split(sessions, " ")
 	for _, session := range sessionList {
 		// Figure out what type of graphical session the user has -- x11, wayland?
-		typeOutput, err := exec.CommandContext(ctx, "loginctl", "show-session", session, "--value", "--property=Type").Output()
+		cmd, err := allowedcmd.Loginctl(ctx, "show-session", session, "--value", "--property=Type")
+		if err != nil {
+			level.Debug(r.logger).Log(
+				"msg", "could not create loginctl command to get session type",
+				"uid", uid,
+				"err", err,
+			)
+			continue
+		}
+		typeOutput, err := cmd.Output()
 		if err != nil {
 			level.Debug(r.logger).Log(
 				"msg", "could not get session type",
@@ -147,7 +166,15 @@ func (r *DesktopUsersProcessesRunner) userEnvVars(ctx context.Context, uid strin
 
 func (r *DesktopUsersProcessesRunner) displayFromX11(ctx context.Context, session string) string {
 	// We can read $DISPLAY from the session properties
-	xDisplayOutput, err := exec.CommandContext(ctx, "loginctl", "show-session", session, "--value", "--property=Display").Output()
+	cmd, err := allowedcmd.Loginctl(ctx, "show-session", session, "--value", "--property=Display")
+	if err != nil {
+		level.Debug(r.logger).Log(
+			"msg", "could not create command to get Display from user session",
+			"err", err,
+		)
+		return defaultDisplay
+	}
+	xDisplayOutput, err := cmd.Output()
 	if err != nil {
 		level.Debug(r.logger).Log(
 			"msg", "could not get Display from user session",

ee/desktop/runner/runner_test.go

@@ -33,7 +33,7 @@ func TestDesktopUserProcessRunner_Execute(t *testing.T) {
 	// CPU consumption go way up.
 
 	// To get around the issue mentioned above, build the binary first and set its path as the executable path on the runner.
-	executablePath := filepath.Join(t.TempDir(), "desktop-test")
+	executablePath := filepath.Join(t.TempDir(), "desktop-test", "launcher")
 
 	if runtime.GOOS == "windows" {
 		executablePath = fmt.Sprintf("%s.exe", executablePath)
@@ -44,7 +44,7 @@ func TestDesktopUserProcessRunner_Execute(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
-	cmd := exec.CommandContext(ctx, "go", "build", "-o", executablePath, "../../../cmd/launcher")
+	cmd := exec.CommandContext(ctx, "go", "build", "-o", executablePath, "../../../cmd/launcher") //nolint:forbidigo // Fine to use exec.CommandContext in test
 	buildStartTime := time.Now()
 	out, err := cmd.CombinedOutput()
 	if err != nil {

ee/desktop/user/menu/action_open_url_darwin.go

@@ -4,11 +4,19 @@
 package menu
 
 import (
-	"os/exec"
+	"context"
+	"fmt"
+
+	"github.com/kolide/launcher/pkg/allowedcmd"
 )
 
 // open opens the specified URL in the default browser of the user
 // See https://stackoverflow.com/a/39324149/1705598
 func open(url string) error {
-	return exec.Command("/usr/bin/open", url).Start()
+	cmd, err := allowedcmd.Open(context.TODO(), url)
+	if err != nil {
+		return fmt.Errorf("creating command: %w", err)
+	}
+
+	return cmd.Start()
 }

ee/desktop/user/menu/action_open_url_linux.go

@@ -4,11 +4,19 @@
 package menu
 
 import (
-	"os/exec"
+	"context"
+	"fmt"
+
+	"github.com/kolide/launcher/pkg/allowedcmd"
 )
 
 // open opens the specified URL in the default browser of the user
 // See https://stackoverflow.com/a/39324149/1705598
 func open(url string) error {
-	return exec.Command("xdg-open", url).Start()
+	cmd, err := allowedcmd.XdgOpen(context.TODO(), url)
+	if err != nil {
+		return fmt.Errorf("creating command: %w", err)
+	}
+
+	return cmd.Start()
 }

ee/desktop/user/menu/action_open_url_windows.go

@@ -4,14 +4,21 @@
 package menu
 
 import (
-	"os/exec"
+	"context"
+	"fmt"
 	"syscall"
+
+	"github.com/kolide/launcher/pkg/allowedcmd"
 )
 
 // open opens the specified URL in the default browser of the user
 // See https://stackoverflow.com/a/39324149/1705598
 func open(url string) error {
-	cmd := exec.Command("cmd", "/C", "start", url)
+	cmd, err := allowedcmd.CommandPrompt(context.TODO(), "/C", "start", url)
+	if err != nil {
+		return fmt.Errorf("creating command: %w", err)
+	}
+
 	// https://stackoverflow.com/questions/42500570/how-to-hide-command-prompt-window-when-using-exec-in-golang
 	// Otherwise the cmd window will appear briefly
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}