Bugfixes & tests

LeChatP · May 4, 2024 · 75585fe · 75585fe
1 parent d9d886f
commit 75585fe
Show file tree

Hide file tree

Showing 15 changed files with 2,031 additions and 110 deletions.
diff --git a/Makefile b/Makefile
@@ -23,6 +23,8 @@ build: $(BINS)
 
 install: build
 	cp -f $(BINS) /usr/bin
+	chown root:root /usr/bin/sr /usr/bin/chsr /usr/bin/capable
+	chmod 0555 /usr/bin/sr /usr/bin/chsr /usr/bin/capable
 	setcap "=p" /usr/bin/sr
 	setcap cap_dac_override,cap_sys_admin,cap_sys_ptrace+ep /usr/bin/capable
 

diff --git a/configure.sh b/configure.sh
@@ -18,6 +18,23 @@ if [ $(capsh --has-p=CAP_DAC_OVERRIDE; echo $?) != 0 ] || [ $(capsh --has-p=CAP_
     exit 1
 fi
 
+export $(grep -h '^ID' /etc/*-release)
+
+echo "Configuration files installation"
+echo "id : ${ID}"
+if [ "${ID}" == "arch" ]; then
+    cp resources/arch_sr_pam.conf /etc/pam.d/sr || exit;
+elif [ "${ID}" == "ubuntu" ] || [ "${ID}" == "debian" ]; then
+    cp resources/deb_sr_pam.conf /etc/pam.d/sr || exit;
+elif [ "${ID}" == "centos" ] || [ "${ID}" == "fedora" ] || [[ "${ID}" == *"rhel"* ]]; then
+    cp resources/rh_sr_pam.conf /etc/pam.d/sr || exit;
+else
+    echo "Unable to find a supported distribution, exiting..."
+    exit 3
+fi
+
+
+
 if [ -e "/etc/security/rootasrole.json" ];then
 	if [ $INSTALL_USER == "0" ]; then
 		echo "Warning: You run this script as real root, so the administator role is defined for the root user"
@@ -42,4 +59,6 @@ chmod 0644 /etc/pam.d/sr || exit
 chmod 0640 /etc/security/rootasrole.json || exit
 if [  $DOCKER -eq 0 ]; then
 	chattr +i /etc/security/rootasrole.json || exit
-fi
+fi
+
+echo "Configuration done, Ready to compile."
diff --git a/dependencies.sh b/dependencies.sh
@@ -26,6 +26,7 @@ fi
 
 if [ ! -f "/usr/bin/cargo" ]; then
 	cp ~/.cargo/bin/cargo /usr/bin
+    ln -s /usr/local/bin/cargo /bin/cargo
 	echo "as $HOME/.cargo/bin/cargo cargo program is copied to /usr/bin"
 fi
 
@@ -59,19 +60,6 @@ else
     exit 2
 fi
 
-echo "Install Rust Cargo compiler"
-if [ "$(which cargo &>/dev/null ; echo $?)" -eq "0" ]; then
-    echo "Cargo is installed"
-else
-    curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain nightly ${YES}
-fi
-
-if [ ! -f "/usr/bin/cargo" ]; then
-    mv -f ~/.cargo/bin/cargo /usr/local/bin
-    ln -s /usr/local/bin/cargo /bin/cargo
-    echo "$HOME/.cargo/bin/cargo program is copied to /usr/local/bin"
-fi
-
 # ask for user to install bpf-linker
 if [ "${YES}" == "-y" ]; then
     echo "cargo install bpf-linker into /usr/local/bin"
@@ -90,21 +78,4 @@ else
     esac
 fi
 
-export $(grep -h '^ID' /etc/*-release)
-
-echo "Configuration files installation"
-echo "id : ${ID}"
-if [ "${ID}" == "arch" ]; then
-    cp resources/arch_sr_pam.conf /etc/pam.d/sr || exit;
-    elif [ "${ID}" == "ubuntu" ] || [ "${ID}" == "debian" ]; then
-    cp resources/deb_sr_pam.conf /etc/pam.d/sr || exit;
-    elif [ "${ID}" == "centos" ] || [ "${ID}" == "fedora" ] || [[ "${ID}" == *"rhel"* ]]; then
-    cp resources/rh_sr_pam.conf /etc/pam.d/sr || exit;
-else
-    echo "Unable to find a supported distribution, exiting..."
-    exit 3
-fi
-
-
-
-echo "configuration done. Ready to compile."
+echo "dependencies installed. Ready to compile."
diff --git a/resources/rootasrole.json b/resources/rootasrole.json
@@ -51,13 +51,13 @@
                 "TZ"
             ]
         },
-        "allow-root": false,
-        "allow-bounding": false,
+        "root": "user",
+        "bounding": "strict",
         "wildcard-denied": ";&|"
     },
     "roles": [
         {
-            "name": "t_root",
+            "name": "r_root",
             "actors": [
                 {
                     "type": "user",
@@ -72,12 +72,31 @@
                         "setuid": "root",
                         "setgid": "root",
                         "capabilities": {
-                            "default": "all"
+                            "default": "all",
+                            "sub": ["CAP_LINUX_IMMUTABLE"]
                         }
                     },
                     "commands": {
                         "default": "all"
                     }
+                },
+                {
+                    "name": "t_chsr",
+                    "purpose": "Configure RootAsRole",
+                    "cred": {
+                        "setuid": "root",
+                        "setgid": "root",
+                        "capabilities": {
+                            "default": "none",
+                            "add": ["CAP_LINUX_IMMUTABLE"]
+                        }
+                    },
+                    "commands": {
+                        "default": "none",
+                        "add": [
+                            "/usr/bin/chsr .*"
+                        ]
+                    }
                 }
             ]
         }

diff --git a/src/api.rs b/src/api.rs
@@ -134,15 +134,16 @@ impl PluginManager {
     ) -> PluginResultAction {
         debug!("Notifying role matchers");
         let api = API.lock().unwrap();
+        let mut result = PluginResultAction::Ignore;
         for plugin in api.role_matcher_plugins.iter() {
             debug!("Calling role matcher plugin");
             match plugin(role, user, command, matcher) {
                 PluginResultAction::Override => return PluginResultAction::Override,
-                PluginResultAction::Edit => continue,
+                PluginResultAction::Edit => result = PluginResultAction::Edit,
                 PluginResultAction::Ignore => continue,
             }
         }
-        PluginResultAction::Ignore
+        result
     }
 
     pub fn notify_task_matcher(

diff --git a/src/chsr/cli.pest b/src/chsr/cli.pest
@@ -5,7 +5,7 @@ chsr      = _{ name }
 list      = { ("show" | "list" | "l") }
 set       = { "set" | "s" }
 add       = { "add" | "create" }
-del       = { "del" | "delete" | "unset" | "d" | "rm"}
+del       = { "delete" | "del" | "unset" | "d" | "rm"}
 purge     = { "purge" }
 grant     = { "grant" }
 revoke    = { "revoke" }
@@ -141,18 +141,18 @@ options_operations  = { ("options" | "o") ~ opt_args }
 opt_args = _{ opt_show | opt_path | opt_env | opt_root | opt_bounding | opt_wildcard | opt_timeout }
 
 opt_show     = _{ list ~ opt_show_arg? }
-opt_show_arg = { "all" | "cmd" | "cred" | "env" | "root" | "bounding" | "wildcard-denied" | "timeout" }
+opt_show_arg = { "all" | "cmd" | "cred" | "path" | "env" | "root" | "bounding" | "wildcard-denied" | "timeout" }
 
 opt_path           = { "path" ~ (opt_path_args | help) }
-opt_path_args      = _{ opt_path_set | opt_path_setpolicy | opt_path_listing }
+opt_path_args      = _{ opt_path_setpolicy | opt_path_set | opt_path_listing }
 opt_path_set       = _{ set ~ path }
 opt_path_setpolicy = _{ setpolicy ~ path_policy }
 path_policy        =  { "delete-all" | "keep-safe" | "keep-unsafe" | "inherit" }
 opt_path_listing   =  { (whitelist | blacklist) ~ (((add | del | set) ~ path) | purge) }
 path               =  @{ name }
 
 opt_env         = { "env" ~ (opt_env_args | help) }
-opt_env_args    = _{ opt_env_set | opt_env_setpolicy | opt_env_listing }
+opt_env_args    = _{ opt_env_setpolicy | opt_env_set | opt_env_listing }
 opt_env_setpolicy = { setpolicy ~ env_policy }
 env_policy      =  { "delete-all" | "keep-all" | "inherit" }
 opt_env_listing =  { (whitelist | blacklist | checklist) ~ (((add | del | set) ~ env_list) | purge) }