Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[opensuse] SUIDPermissionsCheck: support new /usr/share/permissions/packages.d dir #1190

Merged
merged 1 commit into from
Feb 13, 2024
Merged

[opensuse] SUIDPermissionsCheck: support new /usr/share/permissions/packages.d dir #1190

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion configs/openSUSE/security.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,8 @@ Locations = [
FollowSymlinks = false
Locations = [
"/etc/permissions.d/",
"/usr/share/permissions/permissions.d/"
"/usr/share/permissions/permissions.d/",
"/usr/share/permissions/packages.d/"
]

[FileDigestLocation.pam]
Expand Down
26 changes: 15 additions & 11 deletions rpmlint/checks/SUIDPermissionsCheck.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,15 @@
from rpmlint.checks.AbstractCheck import AbstractCheck
from rpmlint.permissions import PermissionsParser, VariablesHandler

SHARE_DIR = '/usr/share/permissions'


class SUIDPermissionsCheck(AbstractCheck):
def __init__(self, config, output):
super().__init__(config, output)
self.perms = {}

self.var_handler = VariablesHandler('/usr/share/permissions/variables.conf')
self.var_handler = VariablesHandler(f'{SHARE_DIR}/variables.conf')

for fname in self._paths_to('permissions', 'permissions.secure'):
if not os.path.exists(fname):
Expand Down Expand Up @@ -100,38 +102,40 @@ def _paths_to(*file_names):
# return the new path first.
# chkstat prefers the new paths over the old ones, so callers that only care about the
# first matching file must mimic that.
yield '/usr/share/permissions/' + name
yield '/etc/' + name
yield f'{SHARE_DIR}/{name}'
yield f'/etc/{name}'

def check(self, pkg):
if pkg.is_source:
return

permfiles = set()
# first pass, find and parse permissions.d files
# first pass, find and parse per-package drop-in files
for f in pkg.files.keys():
for prefix in self._paths_to('permissions.d/'):
for prefix in list(self._paths_to('permissions.d/')) + [f'{SHARE_DIR}/packages.d/']:
if f.startswith(prefix):
if f in pkg.ghost_files:
continue

dropin_dir = prefix.rstrip('/').split('/')[-1]

# Attention: We require the FileDigestLocation config to
# mark all permissions.d paths as "blacklisted" paths.
# mark all packages.d paths as "blacklisted" paths.
# e.g. [FileDigestLocation.permissions] with Locations
# /etc/permissions.d/ and /usr/share/permissions/permissions.d/
# This ensures that an file-unauthorized error is thrown when a permissions.d
# package is not whitelisted.
# This ensures that an file-unauthorized error is thrown when an
# entry is not whitelisted.
#
# To whitelist a permissions.d file after a successful review,
# To whitelist a drop-in file after a successful review,
# the path and its digest need to be added as FileDigestCheck config
# having respective FileDigestLocation type (e.g.
# "permissions").
#
# Here we add *all* files in a package's permissions.d directory to our
# Here we add *all* files a package has in a dropin.d directory to our
# valid permissions files *without* checking if they belong
# to a whitelist as we assume it will be checked by
# FileDigestCheck and FileDigestLocation.
bn = 'permissions.d/' + f[len(prefix):].split('.')[0]
bn = f'{dropin_dir}/' + f[len(prefix):].split('.')[0]
if bn not in permfiles:
permfiles.add(bn)

Expand Down
Loading