From 3801300c9acfe6e5bc7f445503a810c0c9f5c659 Mon Sep 17 00:00:00 2001
From: Philip Meulengracht
Date: Thu, 19 Dec 2024 09:31:03 +0100
Subject: [PATCH] feat(24.04): add iptables, sudo and add mutation script for pam-auth-update (#306)
---------
Co-authored-by: Cristovao Cordeiro
Co-authored-by: Rafid Bin Mostofa
Co-authored-by: zhijie-yang
---
slices/iptables.yaml | 204 ++++++++++++++++++
slices/libip4tc2.yaml | 15 ++
slices/libip6tc2.yaml | 15 ++
slices/libmnl0.yaml | 15 ++
slices/libnetfilter-conntrack3.yaml | 17 ++
slices/libnfnetlink0.yaml | 15 ++
slices/libnftnl11.yaml | 16 ++
slices/libpam-runtime.yaml | 127 +++++++++--
slices/libxtables12.yaml | 15 ++
slices/sudo.yaml | 56 +++++
tests/spread/integration/iptables/task.yaml | 23 ++
.../integration/libpam-runtime/task.yaml | 13 ++
tests/spread/integration/sudo/task.yaml | 12 ++
13 files changed, 531 insertions(+), 12 deletions(-)
create mode 100644 slices/iptables.yaml
create mode 100644 slices/libip4tc2.yaml
create mode 100644 slices/libip6tc2.yaml
create mode 100644 slices/libmnl0.yaml
create mode 100644 slices/libnetfilter-conntrack3.yaml
create mode 100644 slices/libnfnetlink0.yaml
create mode 100644 slices/libnftnl11.yaml
create mode 100644 slices/libxtables12.yaml
create mode 100644 slices/sudo.yaml
create mode 100644 tests/spread/integration/iptables/task.yaml
create mode 100644 tests/spread/integration/libpam-runtime/task.yaml
create mode 100644 tests/spread/integration/sudo/task.yaml
diff --git a/slices/iptables.yaml b/slices/iptables.yaml
new file mode 100644
index 000000000..843340bb8
--- /dev/null
+++ b/slices/iptables.yaml
@@ -0,0 +1,204 @@
+package: iptables
+
+essential:
+ - iptables_copyright
+
+slices:
+ bins:
+ essential:
+ - iptables_libs
+ - iptables_links
+ - libc6_libs
+ - libip4tc2_libs
+ - libip6tc2_libs
+ - libmnl0_libs
+ - libnetfilter-conntrack3_libs
+ - libnfnetlink0_libs
+ - libnftnl11_libs
+ - libxtables12_libs
+ - netbase_default-hosts
+ - netbase_default-networks
+ contents:
+ /usr/sbin/arptables-nft:
+ /usr/sbin/arptables-nft-restore:
+ /usr/sbin/arptables-nft-save:
+ /usr/sbin/ebtables-nft:
+ /usr/sbin/ebtables-nft-restore:
+ /usr/sbin/ebtables-nft-save:
+ /usr/sbin/ebtables-translate:
+ /usr/sbin/ip6tables-apply:
+ /usr/sbin/ip6tables-legacy:
+ /usr/sbin/ip6tables-legacy-restore:
+ /usr/sbin/ip6tables-legacy-save:
+ /usr/sbin/ip6tables-nft:
+ /usr/sbin/ip6tables-nft-restore:
+ /usr/sbin/ip6tables-nft-save:
+ /usr/sbin/ip6tables-restore-translate:
+ /usr/sbin/ip6tables-translate:
+ /usr/sbin/iptables-apply:
+ /usr/sbin/iptables-legacy:
+ /usr/sbin/iptables-legacy-restore:
+ /usr/sbin/iptables-legacy-save:
+ /usr/sbin/iptables-nft:
+ /usr/sbin/iptables-nft-restore:
+ /usr/sbin/iptables-nft-save:
+ /usr/sbin/iptables-restore-translate:
+ /usr/sbin/iptables-translate:
+ /usr/sbin/nfnl_osf:
+ /usr/sbin/xtables-legacy-multi:
+ /usr/sbin/xtables-monitor:
+ /usr/sbin/xtables-nft-multi:
+
+ # The xlst is used to convert XML configuration into something
+ # iptables can understand, and vice-versa.
+ converters:
+ contents:
+ /usr/bin/iptables-xml:
+ /usr/share/iptables/iptables.xslt:
+
+ libs:
+ contents:
+ /usr/lib/*-linux-*/xtables/libarpt_mangle.so:
+ /usr/lib/*-linux-*/xtables/libebt_802_3.so:
+ /usr/lib/*-linux-*/xtables/libebt_among.so:
+ /usr/lib/*-linux-*/xtables/libebt_arp.so:
+ /usr/lib/*-linux-*/xtables/libebt_arpreply.so:
+ /usr/lib/*-linux-*/xtables/libebt_dnat.so:
+ /usr/lib/*-linux-*/xtables/libebt_ip.so:
+ /usr/lib/*-linux-*/xtables/libebt_ip6.so:
+ /usr/lib/*-linux-*/xtables/libebt_log.so:
+ /usr/lib/*-linux-*/xtables/libebt_mark.so:
+ /usr/lib/*-linux-*/xtables/libebt_mark_m.so:
+ /usr/lib/*-linux-*/xtables/libebt_nflog.so:
+ /usr/lib/*-linux-*/xtables/libebt_pkttype.so:
+ /usr/lib/*-linux-*/xtables/libebt_redirect.so:
+ /usr/lib/*-linux-*/xtables/libebt_snat.so:
+ /usr/lib/*-linux-*/xtables/libebt_stp.so:
+ /usr/lib/*-linux-*/xtables/libebt_vlan.so:
+ /usr/lib/*-linux-*/xtables/libip6t_DNPT.so:
+ /usr/lib/*-linux-*/xtables/libip6t_HL.so:
+ /usr/lib/*-linux-*/xtables/libip6t_NETMAP.so:
+ /usr/lib/*-linux-*/xtables/libip6t_REJECT.so:
+ /usr/lib/*-linux-*/xtables/libip6t_SNPT.so:
+ /usr/lib/*-linux-*/xtables/libip6t_ah.so:
+ /usr/lib/*-linux-*/xtables/libip6t_dst.so:
+ /usr/lib/*-linux-*/xtables/libip6t_eui64.so:
+ /usr/lib/*-linux-*/xtables/libip6t_frag.so:
+ /usr/lib/*-linux-*/xtables/libip6t_hbh.so:
+ /usr/lib/*-linux-*/xtables/libip6t_hl.so:
+ /usr/lib/*-linux-*/xtables/libip6t_icmp6.so:
+ /usr/lib/*-linux-*/xtables/libip6t_ipv6header.so:
+ /usr/lib/*-linux-*/xtables/libip6t_mh.so:
+ /usr/lib/*-linux-*/xtables/libip6t_rt.so:
+ /usr/lib/*-linux-*/xtables/libip6t_srh.so:
+ /usr/lib/*-linux-*/xtables/libipt_CLUSTERIP.so:
+ /usr/lib/*-linux-*/xtables/libipt_ECN.so:
+ /usr/lib/*-linux-*/xtables/libipt_NETMAP.so:
+ /usr/lib/*-linux-*/xtables/libipt_REJECT.so:
+ /usr/lib/*-linux-*/xtables/libipt_TTL.so:
+ /usr/lib/*-linux-*/xtables/libipt_ULOG.so:
+ /usr/lib/*-linux-*/xtables/libipt_ah.so:
+ /usr/lib/*-linux-*/xtables/libipt_icmp.so:
+ /usr/lib/*-linux-*/xtables/libipt_realm.so:
+ /usr/lib/*-linux-*/xtables/libipt_ttl.so:
+ /usr/lib/*-linux-*/xtables/libxt_AUDIT.so:
+ /usr/lib/*-linux-*/xtables/libxt_CHECKSUM.so:
+ /usr/lib/*-linux-*/xtables/libxt_CLASSIFY.so:
+ /usr/lib/*-linux-*/xtables/libxt_CONNMARK.so:
+ /usr/lib/*-linux-*/xtables/libxt_CONNSECMARK.so:
+ /usr/lib/*-linux-*/xtables/libxt_CT.so:
+ /usr/lib/*-linux-*/xtables/libxt_DNAT.so:
+ /usr/lib/*-linux-*/xtables/libxt_DSCP.so:
+ /usr/lib/*-linux-*/xtables/libxt_HMARK.so:
+ /usr/lib/*-linux-*/xtables/libxt_IDLETIMER.so:
+ /usr/lib/*-linux-*/xtables/libxt_LED.so:
+ /usr/lib/*-linux-*/xtables/libxt_LOG.so:
+ /usr/lib/*-linux-*/xtables/libxt_MARK.so:
+ /usr/lib/*-linux-*/xtables/libxt_MASQUERADE.so:
+ /usr/lib/*-linux-*/xtables/libxt_NAT.so:
+ /usr/lib/*-linux-*/xtables/libxt_NFLOG.so:
+ /usr/lib/*-linux-*/xtables/libxt_NFQUEUE.so:
+ /usr/lib/*-linux-*/xtables/libxt_NOTRACK.so:
+ /usr/lib/*-linux-*/xtables/libxt_RATEEST.so:
+ /usr/lib/*-linux-*/xtables/libxt_REDIRECT.so:
+ /usr/lib/*-linux-*/xtables/libxt_SECMARK.so:
+ /usr/lib/*-linux-*/xtables/libxt_SET.so:
+ /usr/lib/*-linux-*/xtables/libxt_SNAT.so:
+ /usr/lib/*-linux-*/xtables/libxt_SYNPROXY.so:
+ /usr/lib/*-linux-*/xtables/libxt_TCPMSS.so:
+ /usr/lib/*-linux-*/xtables/libxt_TCPOPTSTRIP.so:
+ /usr/lib/*-linux-*/xtables/libxt_TEE.so:
+ /usr/lib/*-linux-*/xtables/libxt_TOS.so:
+ /usr/lib/*-linux-*/xtables/libxt_TPROXY.so:
+ /usr/lib/*-linux-*/xtables/libxt_TRACE.so:
+ /usr/lib/*-linux-*/xtables/libxt_addrtype.so:
+ /usr/lib/*-linux-*/xtables/libxt_bpf.so:
+ /usr/lib/*-linux-*/xtables/libxt_cgroup.so:
+ /usr/lib/*-linux-*/xtables/libxt_cluster.so:
+ /usr/lib/*-linux-*/xtables/libxt_comment.so:
+ /usr/lib/*-linux-*/xtables/libxt_connbytes.so:
+ /usr/lib/*-linux-*/xtables/libxt_connlabel.so:
+ /usr/lib/*-linux-*/xtables/libxt_connlimit.so:
+ /usr/lib/*-linux-*/xtables/libxt_connmark.so:
+ /usr/lib/*-linux-*/xtables/libxt_conntrack.so:
+ /usr/lib/*-linux-*/xtables/libxt_cpu.so:
+ /usr/lib/*-linux-*/xtables/libxt_dccp.so:
+ /usr/lib/*-linux-*/xtables/libxt_devgroup.so:
+ /usr/lib/*-linux-*/xtables/libxt_dscp.so:
+ /usr/lib/*-linux-*/xtables/libxt_ecn.so:
+ /usr/lib/*-linux-*/xtables/libxt_esp.so:
+ /usr/lib/*-linux-*/xtables/libxt_hashlimit.so:
+ /usr/lib/*-linux-*/xtables/libxt_helper.so:
+ /usr/lib/*-linux-*/xtables/libxt_ipcomp.so:
+ /usr/lib/*-linux-*/xtables/libxt_iprange.so:
+ /usr/lib/*-linux-*/xtables/libxt_ipvs.so:
+ /usr/lib/*-linux-*/xtables/libxt_length.so:
+ /usr/lib/*-linux-*/xtables/libxt_limit.so:
+ /usr/lib/*-linux-*/xtables/libxt_mac.so:
+ /usr/lib/*-linux-*/xtables/libxt_mark.so:
+ /usr/lib/*-linux-*/xtables/libxt_multiport.so:
+ /usr/lib/*-linux-*/xtables/libxt_nfacct.so:
+ /usr/lib/*-linux-*/xtables/libxt_osf.so:
+ /usr/lib/*-linux-*/xtables/libxt_owner.so:
+ /usr/lib/*-linux-*/xtables/libxt_physdev.so:
+ /usr/lib/*-linux-*/xtables/libxt_pkttype.so:
+ /usr/lib/*-linux-*/xtables/libxt_policy.so:
+ /usr/lib/*-linux-*/xtables/libxt_quota.so:
+ /usr/lib/*-linux-*/xtables/libxt_rateest.so:
+ /usr/lib/*-linux-*/xtables/libxt_recent.so:
+ /usr/lib/*-linux-*/xtables/libxt_rpfilter.so:
+ /usr/lib/*-linux-*/xtables/libxt_sctp.so:
+ /usr/lib/*-linux-*/xtables/libxt_set.so:
+ /usr/lib/*-linux-*/xtables/libxt_socket.so:
+ /usr/lib/*-linux-*/xtables/libxt_standard.so:
+ /usr/lib/*-linux-*/xtables/libxt_state.so:
+ /usr/lib/*-linux-*/xtables/libxt_statistic.so:
+ /usr/lib/*-linux-*/xtables/libxt_string.so:
+ /usr/lib/*-linux-*/xtables/libxt_tcp.so:
+ /usr/lib/*-linux-*/xtables/libxt_tcpmss.so:
+ /usr/lib/*-linux-*/xtables/libxt_time.so:
+ /usr/lib/*-linux-*/xtables/libxt_tos.so:
+ /usr/lib/*-linux-*/xtables/libxt_u32.so:
+ /usr/lib/*-linux-*/xtables/libxt_udp.so:
+
+ # These are created by the post-inst script and sets up
+ # defaults for some of the binaries. Emulate this by creating
+ # the expected symlinks.
+ links:
+ contents:
+ /usr/sbin/arptables: {symlink: /usr/sbin/arptables-nft}
+ /usr/sbin/arptables-restore: {symlink: /usr/sbin/arptables-nft-restore}
+ /usr/sbin/arptables-save: {symlink: /usr/sbin/arptables-nft-save}
+ /usr/sbin/ebtables: {symlink: /usr/sbin/ebtables-nft}
+ /usr/sbin/ebtables-restore: {symlink: /usr/sbin/ebtables-nft-restore}
+ /usr/sbin/ebtables-save: {symlink: /usr/sbin/ebtables-nft-save}
+ /usr/sbin/ip6tables: {symlink: /usr/sbin/ip6tables-nft}
+ /usr/sbin/ip6tables-restore: {symlink: /usr/sbin/ip6tables-nft-restore}
+ /usr/sbin/ip6tables-save: {symlink: /usr/sbin/ip6tables-nft-save}
+ /usr/sbin/iptables: {symlink: /usr/sbin/iptables-nft}
+ /usr/sbin/iptables-restore: {symlink: /usr/sbin/iptables-nft-restore}
+ /usr/sbin/iptables-save: {symlink: /usr/sbin/iptables-nft-save}
+
+ copyright:
+ contents:
+ /usr/share/doc/iptables/copyright:
diff --git a/slices/libip4tc2.yaml b/slices/libip4tc2.yaml
new file mode 100644
index 000000000..d4eeb744c
--- /dev/null
+++ b/slices/libip4tc2.yaml
@@ -0,0 +1,15 @@
+package: libip4tc2
+
+essential:
+ - libip4tc2_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/libip4tc.so.2*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libip4tc2/copyright:
diff --git a/slices/libip6tc2.yaml b/slices/libip6tc2.yaml
new file mode 100644
index 000000000..8fd178ef5
--- /dev/null
+++ b/slices/libip6tc2.yaml
@@ -0,0 +1,15 @@
+package: libip6tc2
+
+essential:
+ - libip6tc2_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/libip6tc.so.2*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libip6tc2/copyright:
diff --git a/slices/libmnl0.yaml b/slices/libmnl0.yaml
new file mode 100644
index 000000000..6a4a337fd
--- /dev/null
+++ b/slices/libmnl0.yaml
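Review bot: The `bins` slice lists `/usr/sbin/iptables-apply` and `/usr/sbin/ip6tables-apply`, which upstream are shell scripts rather than ELF binaries, yet the slice's `essential` list names no shell or coreutils slice, so in a chiselled rootfs they would fail to start while the compiled tools beside them work; if the installed file's interpreter line confirms this, either drop the two from `bins` or move them into their own slice whose essentials pull in a shell. The `links` slice hard-codes the nft back end for the `iptables`, `ip6tables`, `arptables` and `ebtables` names while the integration test only exercises `iptables-legacy`; a comment such as `# Point the generic names at the nft back end, presumably what update-alternatives selects by default on 24.04` would record that choice for whoever later needs the legacy variant. The comment above `converters` says `xlst` where `xslt` is meant.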
@@ -0,0 +1,15 @@
+package: libmnl0
+
+essential:
+ - libmnl0_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/libmnl.so.0*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libmnl0/copyright:
diff --git a/slices/libnetfilter-conntrack3.yaml b/slices/libnetfilter-conntrack3.yaml
new file mode 100644
index 000000000..757f37619
--- /dev/null
+++ b/slices/libnetfilter-conntrack3.yaml
@@ -0,0 +1,17 @@
+package: libnetfilter-conntrack3
+
+essential:
+ - libnetfilter-conntrack3_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ - libmnl0_libs
+ - libnfnetlink0_libs
+ contents:
+ /usr/lib/*-linux-*/libnetfilter_conntrack.so.3*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libnetfilter-conntrack3/copyright:
diff --git a/slices/libnfnetlink0.yaml b/slices/libnfnetlink0.yaml
new file mode 100644
index 000000000..ecf4abda5
--- /dev/null
+++ b/slices/libnfnetlink0.yaml
@@ -0,0 +1,15 @@
+package: libnfnetlink0
+
+essential:
+ - libnfnetlink0_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/libnfnetlink.so.0*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libnfnetlink0/copyright:
diff --git a/slices/libnftnl11.yaml b/slices/libnftnl11.yaml
new file mode 100644
index 000000000..aa2a0620b
--- /dev/null
+++ b/slices/libnftnl11.yaml
@@ -0,0 +1,16 @@
+package: libnftnl11
+
+essential:
+ - libnftnl11_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ - libmnl0_libs
+ contents:
+ /usr/lib/*-linux-*/libnftnl.so.11*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libnftnl11/copyright:
diff --git a/slices/libpam-runtime.yaml b/slices/libpam-runtime.yaml
index 58562cea9..91f3943bd 100644
--- a/slices/libpam-runtime.yaml
+++ b/slices/libpam-runtime.yaml
@@ -18,28 +18,126 @@ slices: # pam-config and pam-defaults slices are only used for generation, and are useless # for anything else. - # Applications that need libpam for now should just rely on the config and var slices for now - - # until appropriate solution for emulating what pam-auth-update can do (or maybe something else). + # Emulate in part what pam-auth-update does. There is a short coming right now, we + # cannot include other files from other slices that install into + # /usr/share/pam-configs/* + # since this mutation script wont be able to access them as of writing. config: + essential: + - libpam-runtime_var contents: /etc/pam.conf: + /etc/pam.d/common-account: { text: "", mutable: true } + /etc/pam.d/common-auth: { text: "", mutable: true } + /etc/pam.d/common-password: { text: "", mutable: true } + /etc/pam.d/common-session: { text: "", mutable: true } + /etc/pam.d/common-session-noninteractive: { text: "", mutable: true } /etc/pam.d/other: + /usr/share/pam-configs/unix: { until: mutate } + /usr/share/pam/common-account: { until: mutate } + /usr/share/pam/common-auth: { until: mutate } + /usr/share/pam/common-password: { until: mutate } + /usr/share/pam/common-session: { until: mutate } + /usr/share/pam/common-session-noninteractive: { until: mutate } + mutate: | + def parse_type(t): + strippedValue = t[1].strip() + if t[0] == "Auth-Type": + return ["auth", strippedValue] + elif t[0] == "Account-Type": + return ["account", strippedValue] + elif t[0] == "Session-Type": + return ["session-noninteractive", strippedValue] + elif t[0] == "Password-Type": + return ["password", strippedValue] + return [] - # folders expected by libpam to exist - var: - contents: - /var/lib/pam/: + confs_dir = "/usr/share/pam-configs/" + confs = content.list(confs_dir) + confdata = {} + for x in confs: + conf = content.read(confs_dir + x) + lines = conf.splitlines() + + m = "" + p = "" + t = "" + for i in range(len(lines)): + vals = lines[i].split(":") + if vals[0] == 
"Priority": + p = vals[1].strip() + elif vals[0] in ["Auth-Type", "Account-Type", "Session-Type", "Password-Type"]: + m, t = parse_type(vals) + elif vals[0] == "Session-Interactive-Only": + if vals[1].strip() == "yes": + m = "session" + elif vals[0] in ["Auth-Initial", "Account-Initial", + "Session-Initial", "Password-Initial"]: + d = [] + for j in range(i + 1, len(lines)): + if ":" in lines[j]: + break + d.append(lines[j]) + confdata[m] = {t: {p: d}} + + def reconfigure_data_line(section, line, i): + res = "" + upd = line.replace("success=end", "success=" + str(i)) + if section == "session-noninteractive": + res += "session" + upd + "\n" + else: + res += section + upd + "\n" + return res + + def build_block(data, section, block, existing): + si = 1 + res = existing + if section in data: + types = data[section] + if block in types: + # get the keys (which are the priorities) and + # then reverse sort them to get the highest priority + # first + itemsByPriority = types[block] + keys = itemsByPriority.keys() + keys = sorted(keys, reverse=True) + for p in keys: + for d in itemsByPriority[p]: + res = reconfigure_data_line(section, d, si) + "\n" + si += 1 + + # no primary block, so output a stock pam_permit line + # to keep the stack intact + if res == "" and block == "Primary": + return reconfigure_data_line(section, "\t[default=1]\t\t\tpam_permit.so\n", 1); + return res + + fnames = ["account", "auth", "password", "session", "session-noninteractive"] + idnames = ["$account", "$auth", "$password", "$session", "$session_nonint"] - # Used by pam-auth-update to generate the pam.d/ config - # files inside etc. However pam-auth-update relies on - # debconf to actually work and discover these packages. 
+ for i in range(len(fnames)): + fn = fnames[i] + template = content.read("/usr/share/pam/common-" + fn) + pb = build_block(confdata, fn, "Primary", "") + ab = build_block(confdata, fn, "Additional", "") + + # session also includes settings from the session-noninteractive, + # but not the other way around + if fn == "session": + pb = build_block(confdata, "session-noninteractive", "Primary", pb) + ab = build_block(confdata, "session-noninteractive", "Additional", ab) + + template = template.replace(idnames[i] + "_primary", pb) + template = template.replace(idnames[i] + "_additional", ab) + content.write("/etc/pam.d/common-" + fn, template) + + # The following two slices are kept for backwards compatibility. + # However, the pam-defaults have been modified to deliver correct + # files instead of templates. pam-config: contents: /usr/share/pam-configs/unix: - # default templates for the /etc/pam.d files that are used by - # pam-auth-update to generate the /etc/pam.d versions based on - # additional plugs in /usr/share/pam-configs/*. pam-defaults: contents: /usr/share/pam/common-account: @@ -53,6 +151,11 @@ slices: /usr/share/pam/common-session-noninteractive.md5sums: /usr/share/pam/common-session.md5sums: + # folders expected by libpam to exist + var: + contents: + /var/lib/pam/: + copyright: contents: /usr/share/doc/libpam-runtime/copyright: diff --git a/slices/libxtables12.yaml b/slices/libxtables12.yaml new file mode 100644 index 000000000..bd8d1d699 --- /dev/null +++ b/slices/libxtables12.yaml @@ -0,0 +1,15 @@ +package: libxtables12 + +essential: + - libxtables12_copyright + +slices: + libs: + essential: + - libc6_libs + contents: + /usr/lib/*-linux-*/libxtables.so.12*: + + copyright: + contents: + /usr/share/doc/libxtables12/copyright: diff --git a/slices/sudo.yaml b/slices/sudo.yaml new file mode 100644 index 000000000..6e9507472 --- /dev/null +++ b/slices/sudo.yaml 
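Review bot: In `build_block` the inner loop assigns `res = reconfigure_data_line(section, d, si) + "\n"` instead of accumulating, so only the last line of a Primary or Additional block survives, the `existing` text passed in for the `session` merge with `session-noninteractive` is thrown away, and each surviving line gets a second newline on top of the one `reconfigure_data_line` already appends; `res += reconfigure_data_line(section, d, si)` is the intended line. The single `unix` config shipped today hides this, but the parsing loop also stores `confdata[m] = {t: {p: d}}`, which replaces any earlier config for the same section rather than merging by priority, and `sorted(keys, reverse=True)` compares the priorities as strings, so `"256"` would sort above `"1000"`; `confdata.setdefault(m, {}).setdefault(t, {}).setdefault(p, []).extend(d)` together with `sorted(keys, key=int, reverse=True)` would make the merge behave. Note too that `si` counts up from 1 while a PAM `success=N` control skips the next N modules, so for a Primary block with two modules the first entry would jump into the second rather than past the block, the opposite of what pam-auth-update emits; a comment on `reconfigure_data_line` stating that the substituted number is the count of lines still to skip would make that contract explicit.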
@@ -0,0 +1,56 @@
+package: sudo
+
+essential:
+ - sudo_copyright
+
+slices:
+ bins:
+ essential:
+ - libapparmor1_libs
+ - libaudit1_libs
+ - libc6_libs
+ - libpam-modules_libs
+ - libpam0g_libs
+ - libselinux1_libs
+ - libssl3t64_libs
+ - sudo_config
+ - sudo_libs
+ - zlib1g_libs
+ contents:
+ /usr/bin/cvtsudoers:
+ /usr/bin/sudo:
+ /usr/bin/sudoedit:
+ /usr/bin/sudoreplay:
+ /usr/libexec/sudo/sesh:
+ /usr/sbin/sudo_logsrvd:
+ /usr/sbin/sudo_sendlog:
+ /usr/sbin/visudo:
+
+ config:
+ contents:
+ /etc/pam.d/sudo:
+ /etc/pam.d/sudo-i:
+ /etc/sudo.conf:
+ /etc/sudo_logsrvd.conf:
+ /etc/sudoers:
+ /usr/lib/tmpfiles.d/sudo.conf:
+
+ services:
+ essential:
+ - sudo_bins
+ contents:
+ /usr/lib/systemd/system/sudo.service:
+
+ libs:
+ contents:
+ /usr/libexec/sudo/audit_json.so:
+ /usr/libexec/sudo/group_file.so:
+ /usr/libexec/sudo/libsudo_util.so*:
+ /usr/libexec/sudo/sudo_intercept.so:
+ /usr/libexec/sudo/sudo_noexec.so:
+ /usr/libexec/sudo/sudoers.so:
+ /usr/libexec/sudo/system_group.so:
+
+ copyright:
+ contents:
+ /usr/share/doc/sudo/copyright:
diff --git a/tests/spread/integration/iptables/task.yaml b/tests/spread/integration/iptables/task.yaml
new file mode 100644
index 000000000..f89381d1a
--- /dev/null
+++ b/tests/spread/integration/iptables/task.yaml
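Review bot: The `config` slice ships `/etc/sudoers` but not the `/etc/sudoers.d/` directory; the stock Debian-derived sudoers ends with an `@includedir /etc/sudoers.d` line and sudo appears to tolerate the directory being absent, but an image built from this slice then gives administrators nowhere to put drop-in rules without first recreating the directory with the expected ownership and mode, so listing `/etc/sudoers.d/` under `config` is worth considering. The `bins` slice bundles the log server side (`sudo_logsrvd`, `sudo_sendlog`) and the offline tools (`cvtsudoers`, `sudoreplay`) with `sudo` itself; a separate `logsrv` slice would let images that only need `sudo` leave a network-facing daemon out. A short comment on `libs` saying why `sudo_intercept.so` and `sudo_noexec.so` belong there (as far as I know they are preload helpers for the intercept/noexec options rather than plugins sudo loads unconditionally) would help the next maintainer judge what can be dropped.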
@@ -0,0 +1,23 @@
+summary: Integration tests for iptables
+
+execute: |
+ rootfs="$(install-slices passwd_config libpam-runtime_config netbase_default-hosts sudo_bins iptables_bins)"
+ host=$(hostname)
+
+ # setup /etc/hosts for the current hostname, otherwise
+ # sudo will be confused
+ sed -i "/127.0.0.1\slocalhost/a 127.0.0.1\s$host" "$rootfs"/etc/hosts
+
+ mkdir "$rootfs"/run
+
+ # ensure the command spits something out we can recognize
+ chroot "$rootfs" sudo iptables-legacy -t filter --list | grep "Chain INPUT"
+
+ # try to check if there is an input rule for this random IP
+ chroot "$rootfs" sudo iptables-legacy -t filter --check INPUT -s 192.168.1.123 -j DROP 2>&1 | grep "Bad rule"
+
+ # append a random rule
+ chroot "$rootfs" sudo iptables-legacy -t filter -A INPUT -s 192.168.1.230 -j ACCEPT
+
+ # check it appears
+ chroot "$rootfs" sudo iptables-legacy --list | grep "192.168.1.230"
diff --git a/tests/spread/integration/libpam-runtime/task.yaml b/tests/spread/integration/libpam-runtime/task.yaml
new file mode 100644
index 000000000..a49243338
--- /dev/null
+++ b/tests/spread/integration/libpam-runtime/task.yaml
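Review bot: The `sed` append text uses `\s` where the sudo task uses `\t`; `\s` is only a whitespace class inside the address regex, and in the appended text GNU sed strips the backslash, so the line written to `/etc/hosts` is most likely `127.0.0.1s<hostname>` rather than a tab-separated entry, which sudo merely warns about and therefore never fails the test. Use `sed -i "/127.0.0.1\tlocalhost/a 127.0.0.1\t$host" "$rootfs"/etc/hosts` as the sudo task does. The task also appends an `ACCEPT` rule for 192.168.1.230 to the INPUT chain of the kernel the runner itself uses (a chroot shares the network namespace) and never removes it, so the rule outlives the test and loosens the runner's filtering for anything that follows; delete it at the end of `execute` with `chroot "$rootfs" sudo iptables-legacy -t filter -D INPUT -s 192.168.1.230 -j ACCEPT`, or run the task under `unshare -n` so nothing leaks. Lastly, `grep "Chain INPUT"` and `grep "192.168.1.230"` are substring matches that would also accept a diagnostic containing those words; `grep -q '^Chain INPUT '` and a pattern anchored on the rule columns are safer.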
@@ -0,0 +1,13 @@
+summary: Integration tests for libpam-runtime
+
+execute: |
+ rootfs="$(install-slices passwd_config libpam-runtime_config netbase_default-hosts coreutils_bins sudo_bins)"
+
+ # test that libpam correctly generated things
+ cat "$rootfs"/etc/pam.d/common-account | grep -E "account\s+\[success=1 new_authtok_reqd=done default=ignore\]\s+pam_unix\.so"
+ cat "$rootfs"/etc/pam.d/common-auth | grep -E "auth\s+\[success=1 default=ignore\]\s+pam_unix\.so\s+nullok"
+ cat "$rootfs"/etc/pam.d/common-password | grep -E "password\s+\[success=1 default=ignore\]\s+pam_unix\.so\s+obscure\s+yescrypt"
+ cat "$rootfs"/etc/pam.d/common-session | grep -E "session\s+\[default=1\]\s+pam_permit\.so"
+ cat "$rootfs"/etc/pam.d/common-session | grep -E "session\s+required\s+pam_unix\.so"
+ cat "$rootfs"/etc/pam.d/common-session-noninteractive | grep -E "session\s+\[default=1\]\s+pam_permit\.so"
+ cat "$rootfs"/etc/pam.d/common-session-noninteractive | grep -E "session\s+required\s+pam_unix\.so"
diff --git a/tests/spread/integration/sudo/task.yaml b/tests/spread/integration/sudo/task.yaml
new file mode 100644
index 000000000..92b7c30bf
--- /dev/null
+++ b/tests/spread/integration/sudo/task.yaml
@@ -0,0 +1,12 @@
+summary: Integration tests for sudo
+
+execute: |
+ rootfs="$(install-slices passwd_config libpam-runtime_config netbase_default-hosts coreutils_bins sudo_bins)"
+ host=$(hostname)
+
+ # setup /etc/hosts for the current hostname, otherwise
+ # sudo will be confused
+ sed -i "/127.0.0.1\tlocalhost/a 127.0.0.1\t$host" "$rootfs"/etc/hosts
+
+ # ensure sudo correctly runs and provides the output "root"
+ chroot "$rootfs" sudo whoami | grep "root"
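Review bot: Every assertion only checks that a `pam_unix` or `pam_permit` line is present, so a stack whose deny/permit tail was lost by the mutation would still pass; the mutation script's block builder keeps only the last line of each block, which is exactly the failure this test should catch. Add one check per file for the line that follows the primary block in the shipped template, for example `grep -qE "auth\s+requisite\s+pam_deny\.so" "$rootfs"/etc/pam.d/common-auth` if the 24.04 template carries the usual `pam_deny` line, and an assertion that the `$auth_primary`-style placeholders no longer appear, `! grep -q '\$' "$rootfs"/etc/pam.d/common-auth`. The `cat file | grep -E PATTERN` form can simply be `grep -E PATTERN "$rootfs"/etc/pam.d/common-account`, which also gives grep the file name in any failure output.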
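Review bot: `grep "root"` matches any output containing the substring, so a future change that merges stderr into the pipe or a differently worded diagnostic would still pass; `chroot "$rootfs" sudo whoami | grep -x root` pins the exact line. The iptables task creates `"$rootfs"/run` before calling sudo while this one does not, although sudo wants `/run/sudo` for its timestamp directory; if sudo only warns when it is missing, a comment saying so here would save the next reader from wondering why the two tasks differ, otherwise add the same `mkdir`.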