From aaf916a24d27f102392fa5e2033435efba8bb620 Mon Sep 17 00:00:00 2001
From: Philip Meulengracht
Date: Fri, 2 Aug 2024 15:00:39 +0200
Subject: [PATCH 01/11] slices: add iptables, sudo and implement a start of a pam-auth-update generator
---
 slices/iptables.yaml | 204 ++++++++++++++++++
 slices/libip4tc2.yaml | 15 ++
 slices/libip6tc2.yaml | 15 ++
 slices/libmnl0.yaml | 15 ++
 slices/libnetfilter-conntrack3.yaml | 17 ++
 slices/libnfnetlink0.yaml | 15 ++
 slices/libnftnl11.yaml | 16 ++
 slices/libpam-runtime.yaml | 132 +++++++++---
 slices/libxtables12.yaml | 15 ++
 slices/sudo.yaml | 54 +++++
 spread.yaml | 3 +-
 tests/spread/integration/iptables/task.yaml | 23 ++
 .../integration/libpam-runtime/task.yaml | 13 ++
 tests/spread/integration/sudo/task.yaml | 12 ++
 14 files changed, 523 insertions(+), 26 deletions(-)
 create mode 100644 slices/iptables.yaml
 create mode 100644 slices/libip4tc2.yaml
 create mode 100644 slices/libip6tc2.yaml
 create mode 100644 slices/libmnl0.yaml
 create mode 100644 slices/libnetfilter-conntrack3.yaml
 create mode 100644 slices/libnfnetlink0.yaml
 create mode 100644 slices/libnftnl11.yaml
 create mode 100644 slices/libxtables12.yaml
 create mode 100644 slices/sudo.yaml
 create mode 100644 tests/spread/integration/iptables/task.yaml
 create mode 100644 tests/spread/integration/libpam-runtime/task.yaml
 create mode 100644 tests/spread/integration/sudo/task.yaml
diff --git a/slices/iptables.yaml b/slices/iptables.yaml
new file mode 100644
index 000000000..28fc0ad8e
--- /dev/null
+++ b/slices/iptables.yaml
@@ -0,0 +1,204 @@
+package: iptables
+
+essential:
+ - iptables_copyright
+
+slices:
+ bins:
+ essential:
+ - iptables_libs
+ - iptables_links
+ - libc6_libs
+ - libip4tc2_libs
+ - libip6tc2_libs
+ - libmnl0_libs
+ - libnetfilter-conntrack3_libs
+ - libnfnetlink0_libs
+ - libnftnl11_libs
+ - libxtables12_libs
+ - netbase_default-hosts
+ - netbase_default-networks
+ contents:
+ /usr/sbin/arptables-nft:
+ /usr/sbin/arptables-nft-restore:
+ /usr/sbin/arptables-nft-save:
+ /usr/sbin/ebtables-nft:
+ /usr/sbin/ebtables-nft-restore:
+ /usr/sbin/ebtables-nft-save:
+ /usr/sbin/ebtables-translate:
+ /usr/sbin/ip6tables-apply:
+ /usr/sbin/ip6tables-legacy:
+ /usr/sbin/ip6tables-legacy-restore:
+ /usr/sbin/ip6tables-legacy-save:
+ /usr/sbin/ip6tables-nft:
+ /usr/sbin/ip6tables-nft-restore:
+ /usr/sbin/ip6tables-nft-save:
+ /usr/sbin/ip6tables-restore-translate:
+ /usr/sbin/ip6tables-translate:
+ /usr/sbin/iptables-apply:
+ /usr/sbin/iptables-legacy:
+ /usr/sbin/iptables-legacy-restore:
+ /usr/sbin/iptables-legacy-save:
+ /usr/sbin/iptables-nft:
+ /usr/sbin/iptables-nft-restore:
+ /usr/sbin/iptables-nft-save:
+ /usr/sbin/iptables-restore-translate:
+ /usr/sbin/iptables-translate:
+ /usr/sbin/nfnl_osf:
+ /usr/sbin/xtables-legacy-multi:
+ /usr/sbin/xtables-monitor:
+ /usr/sbin/xtables-nft-multi:
+
+ # The xlst is used to convert XML configuration into something
+ # iptables can understand, and vice-versa.
+ extras:
+ contents:
+ /usr/bin/iptables-xml:
+ /usr/share/iptables/iptables.xslt:
+
+ libs:
+ contents:
+ /usr/lib/*-linux-*/xtables/libarpt_mangle.so:
+ /usr/lib/*-linux-*/xtables/libebt_802_3.so:
+ /usr/lib/*-linux-*/xtables/libebt_among.so:
+ /usr/lib/*-linux-*/xtables/libebt_arp.so:
+ /usr/lib/*-linux-*/xtables/libebt_arpreply.so:
+ /usr/lib/*-linux-*/xtables/libebt_dnat.so:
+ /usr/lib/*-linux-*/xtables/libebt_ip.so:
+ /usr/lib/*-linux-*/xtables/libebt_ip6.so:
+ /usr/lib/*-linux-*/xtables/libebt_log.so:
+ /usr/lib/*-linux-*/xtables/libebt_mark.so:
+ /usr/lib/*-linux-*/xtables/libebt_mark_m.so:
+ /usr/lib/*-linux-*/xtables/libebt_nflog.so:
+ /usr/lib/*-linux-*/xtables/libebt_pkttype.so:
+ /usr/lib/*-linux-*/xtables/libebt_redirect.so:
+ /usr/lib/*-linux-*/xtables/libebt_snat.so:
+ /usr/lib/*-linux-*/xtables/libebt_stp.so:
+ /usr/lib/*-linux-*/xtables/libebt_vlan.so:
+ /usr/lib/*-linux-*/xtables/libip6t_DNPT.so:
+ /usr/lib/*-linux-*/xtables/libip6t_HL.so:
+ /usr/lib/*-linux-*/xtables/libip6t_NETMAP.so:
+ /usr/lib/*-linux-*/xtables/libip6t_REJECT.so:
+ /usr/lib/*-linux-*/xtables/libip6t_SNPT.so:
+ /usr/lib/*-linux-*/xtables/libip6t_ah.so:
+ /usr/lib/*-linux-*/xtables/libip6t_dst.so:
+ /usr/lib/*-linux-*/xtables/libip6t_eui64.so:
+ /usr/lib/*-linux-*/xtables/libip6t_frag.so:
+ /usr/lib/*-linux-*/xtables/libip6t_hbh.so:
+ /usr/lib/*-linux-*/xtables/libip6t_hl.so:
+ /usr/lib/*-linux-*/xtables/libip6t_icmp6.so:
+ /usr/lib/*-linux-*/xtables/libip6t_ipv6header.so:
+ /usr/lib/*-linux-*/xtables/libip6t_mh.so:
+ /usr/lib/*-linux-*/xtables/libip6t_rt.so:
+ /usr/lib/*-linux-*/xtables/libip6t_srh.so:
+ /usr/lib/*-linux-*/xtables/libipt_CLUSTERIP.so:
+ /usr/lib/*-linux-*/xtables/libipt_ECN.so:
+ /usr/lib/*-linux-*/xtables/libipt_NETMAP.so:
+ /usr/lib/*-linux-*/xtables/libipt_REJECT.so:
+ /usr/lib/*-linux-*/xtables/libipt_TTL.so:
+ /usr/lib/*-linux-*/xtables/libipt_ULOG.so:
+ /usr/lib/*-linux-*/xtables/libipt_ah.so:
+ /usr/lib/*-linux-*/xtables/libipt_icmp.so:
+ /usr/lib/*-linux-*/xtables/libipt_realm.so:
+ /usr/lib/*-linux-*/xtables/libipt_ttl.so:
+ /usr/lib/*-linux-*/xtables/libxt_AUDIT.so:
+ /usr/lib/*-linux-*/xtables/libxt_CHECKSUM.so:
+ /usr/lib/*-linux-*/xtables/libxt_CLASSIFY.so:
+ /usr/lib/*-linux-*/xtables/libxt_CONNMARK.so:
+ /usr/lib/*-linux-*/xtables/libxt_CONNSECMARK.so:
+ /usr/lib/*-linux-*/xtables/libxt_CT.so:
+ /usr/lib/*-linux-*/xtables/libxt_DNAT.so:
+ /usr/lib/*-linux-*/xtables/libxt_DSCP.so:
+ /usr/lib/*-linux-*/xtables/libxt_HMARK.so:
+ /usr/lib/*-linux-*/xtables/libxt_IDLETIMER.so:
+ /usr/lib/*-linux-*/xtables/libxt_LED.so:
+ /usr/lib/*-linux-*/xtables/libxt_LOG.so:
+ /usr/lib/*-linux-*/xtables/libxt_MARK.so:
+ /usr/lib/*-linux-*/xtables/libxt_MASQUERADE.so:
+ /usr/lib/*-linux-*/xtables/libxt_NAT.so:
+ /usr/lib/*-linux-*/xtables/libxt_NFLOG.so:
+ /usr/lib/*-linux-*/xtables/libxt_NFQUEUE.so:
+ /usr/lib/*-linux-*/xtables/libxt_NOTRACK.so:
+ /usr/lib/*-linux-*/xtables/libxt_RATEEST.so:
+ /usr/lib/*-linux-*/xtables/libxt_REDIRECT.so:
+ /usr/lib/*-linux-*/xtables/libxt_SECMARK.so:
+ /usr/lib/*-linux-*/xtables/libxt_SET.so:
+ /usr/lib/*-linux-*/xtables/libxt_SNAT.so:
+ /usr/lib/*-linux-*/xtables/libxt_SYNPROXY.so:
+ /usr/lib/*-linux-*/xtables/libxt_TCPMSS.so:
+ /usr/lib/*-linux-*/xtables/libxt_TCPOPTSTRIP.so:
+ /usr/lib/*-linux-*/xtables/libxt_TEE.so:
+ /usr/lib/*-linux-*/xtables/libxt_TOS.so:
+ /usr/lib/*-linux-*/xtables/libxt_TPROXY.so:
+ /usr/lib/*-linux-*/xtables/libxt_TRACE.so:
+ /usr/lib/*-linux-*/xtables/libxt_addrtype.so:
+ /usr/lib/*-linux-*/xtables/libxt_bpf.so:
+ /usr/lib/*-linux-*/xtables/libxt_cgroup.so:
+ /usr/lib/*-linux-*/xtables/libxt_cluster.so:
+ /usr/lib/*-linux-*/xtables/libxt_comment.so:
+ /usr/lib/*-linux-*/xtables/libxt_connbytes.so:
+ /usr/lib/*-linux-*/xtables/libxt_connlabel.so:
+ /usr/lib/*-linux-*/xtables/libxt_connlimit.so:
+ /usr/lib/*-linux-*/xtables/libxt_connmark.so:
+ /usr/lib/*-linux-*/xtables/libxt_conntrack.so:
+ /usr/lib/*-linux-*/xtables/libxt_cpu.so:
+ /usr/lib/*-linux-*/xtables/libxt_dccp.so:
+ /usr/lib/*-linux-*/xtables/libxt_devgroup.so:
+ /usr/lib/*-linux-*/xtables/libxt_dscp.so:
+ /usr/lib/*-linux-*/xtables/libxt_ecn.so:
+ /usr/lib/*-linux-*/xtables/libxt_esp.so:
+ /usr/lib/*-linux-*/xtables/libxt_hashlimit.so:
+ /usr/lib/*-linux-*/xtables/libxt_helper.so:
+ /usr/lib/*-linux-*/xtables/libxt_ipcomp.so:
+ /usr/lib/*-linux-*/xtables/libxt_iprange.so:
+ /usr/lib/*-linux-*/xtables/libxt_ipvs.so:
+ /usr/lib/*-linux-*/xtables/libxt_length.so:
+ /usr/lib/*-linux-*/xtables/libxt_limit.so:
+ /usr/lib/*-linux-*/xtables/libxt_mac.so:
+ /usr/lib/*-linux-*/xtables/libxt_mark.so:
+ /usr/lib/*-linux-*/xtables/libxt_multiport.so:
+ /usr/lib/*-linux-*/xtables/libxt_nfacct.so:
+ /usr/lib/*-linux-*/xtables/libxt_osf.so:
+ /usr/lib/*-linux-*/xtables/libxt_owner.so:
+ /usr/lib/*-linux-*/xtables/libxt_physdev.so:
+ /usr/lib/*-linux-*/xtables/libxt_pkttype.so:
+ /usr/lib/*-linux-*/xtables/libxt_policy.so:
+ /usr/lib/*-linux-*/xtables/libxt_quota.so:
+ /usr/lib/*-linux-*/xtables/libxt_rateest.so:
+ /usr/lib/*-linux-*/xtables/libxt_recent.so:
+ /usr/lib/*-linux-*/xtables/libxt_rpfilter.so:
+ /usr/lib/*-linux-*/xtables/libxt_sctp.so:
+ /usr/lib/*-linux-*/xtables/libxt_set.so:
+ /usr/lib/*-linux-*/xtables/libxt_socket.so:
+ /usr/lib/*-linux-*/xtables/libxt_standard.so:
+ /usr/lib/*-linux-*/xtables/libxt_state.so:
+ /usr/lib/*-linux-*/xtables/libxt_statistic.so:
+ /usr/lib/*-linux-*/xtables/libxt_string.so:
+ /usr/lib/*-linux-*/xtables/libxt_tcp.so:
+ /usr/lib/*-linux-*/xtables/libxt_tcpmss.so:
+ /usr/lib/*-linux-*/xtables/libxt_time.so:
+ /usr/lib/*-linux-*/xtables/libxt_tos.so:
+ /usr/lib/*-linux-*/xtables/libxt_u32.so:
+ /usr/lib/*-linux-*/xtables/libxt_udp.so:
+
+ # These are created by the post-inst script and sets up
+ # defaults for some of the binaries. Emulate this by creating
+ # the expected symlinks.
+ links:
+ contents:
+ /usr/sbin/arptables: {symlink: /usr/sbin/arptables-nft}
+ /usr/sbin/arptables-restore: {symlink: /usr/sbin/arptables-nft-restore}
+ /usr/sbin/arptables-save: {symlink: /usr/sbin/arptables-nft-save}
+ /usr/sbin/ebtables: {symlink: /usr/sbin/ebtables-nft}
+ /usr/sbin/ebtables-restore: {symlink: /usr/sbin/ebtables-nft-restore}
+ /usr/sbin/ebtables-save: {symlink: /usr/sbin/ebtables-nft-save}
+ /usr/sbin/ip6tables: {symlink: /usr/sbin/ip6tables-nft}
+ /usr/sbin/ip6tables-restore: {symlink: /usr/sbin/ip6tables-nft-restore}
+ /usr/sbin/ip6tables-save: {symlink: /usr/sbin/ip6tables-nft-save}
+ /usr/sbin/iptables: {symlink: /usr/sbin/iptables-nft}
+ /usr/sbin/iptables-restore: {symlink: /usr/sbin/iptables-nft-restore}
+ /usr/sbin/iptables-save: {symlink: /usr/sbin/iptables-nft-save}
+
+ copyright:
+ contents:
+ /usr/share/doc/iptables/copyright:
diff --git a/slices/libip4tc2.yaml b/slices/libip4tc2.yaml
new file mode 100644
index 000000000..d4eeb744c
--- /dev/null
+++ b/slices/libip4tc2.yaml
@@ -0,0 +1,15 @@
+package: libip4tc2
+
+essential:
+ - libip4tc2_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/libip4tc.so.2*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libip4tc2/copyright:
diff --git a/slices/libip6tc2.yaml b/slices/libip6tc2.yaml
new file mode 100644
index 000000000..8fd178ef5
--- /dev/null
+++ b/slices/libip6tc2.yaml
@@ -0,0 +1,15 @@
+package: libip6tc2
+
+essential:
+ - libip6tc2_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/libip6tc.so.2*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libip6tc2/copyright:
diff --git a/slices/libmnl0.yaml b/slices/libmnl0.yaml
new file mode 100644
index 000000000..6a4a337fd
--- /dev/null
+++ b/slices/libmnl0.yaml
@@ -0,0 +1,15 @@
+package: libmnl0
+
+essential:
+ - libmnl0_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/libmnl.so.0*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libmnl0/copyright:
diff --git a/slices/libnetfilter-conntrack3.yaml b/slices/libnetfilter-conntrack3.yaml
new file mode 100644
index 000000000..757f37619
--- /dev/null
+++ b/slices/libnetfilter-conntrack3.yaml
@@ -0,0 +1,17 @@
+package: libnetfilter-conntrack3
+
+essential:
+ - libnetfilter-conntrack3_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ - libmnl0_libs
+ - libnfnetlink0_libs
+ contents:
+ /usr/lib/*-linux-*/libnetfilter_conntrack.so.3*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libnetfilter-conntrack3/copyright:
diff --git a/slices/libnfnetlink0.yaml b/slices/libnfnetlink0.yaml
new file mode 100644
index 000000000..ecf4abda5
--- /dev/null
+++ b/slices/libnfnetlink0.yaml
@@ -0,0 +1,15 @@
+package: libnfnetlink0
+
+essential:
+ - libnfnetlink0_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/libnfnetlink.so.0*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libnfnetlink0/copyright:
diff --git a/slices/libnftnl11.yaml b/slices/libnftnl11.yaml
new file mode 100644
index 000000000..aa2a0620b
--- /dev/null
+++ b/slices/libnftnl11.yaml
@@ -0,0 +1,16 @@
+package: libnftnl11
+
+essential:
+ - libnftnl11_copyright
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ - libmnl0_libs
+ contents:
+ /usr/lib/*-linux-*/libnftnl.so.11*:
+
+ copyright:
+ contents:
+ /usr/share/doc/libnftnl11/copyright:
diff --git a/slices/libpam-runtime.yaml b/slices/libpam-runtime.yaml
index 58562cea9..b70ecbd8e 100644
--- a/slices/libpam-runtime.yaml
+++ b/slices/libpam-runtime.yaml
@@ -18,41 +18,123 @@ slices: # pam-config and pam-defaults slices are only used for generation, and are useless # for anything else. - # Applications that need libpam for now should just rely on the config and var slices for now - - # until appropriate solution for emulating what pam-auth-update can do (or maybe something else). + # Emulate in part what pam-auth-update does. There is a short coming right now, we + # cannot include other files from other slices that install into + # /usr/share/pam-configs/* + # since this mutation script wont be able to access them as of writing. config: + essential: + - libpam-runtime_var contents: /etc/pam.conf: + /etc/pam.d/common-account: {text: '', mutable: true} + /etc/pam.d/common-auth: {text: '', mutable: true} + /etc/pam.d/common-password: {text: '', mutable: true} + /etc/pam.d/common-session: {text: '', mutable: true} + /etc/pam.d/common-session-noninteractive: {text: '', mutable: true} /etc/pam.d/other: + /usr/share/pam-configs/unix: { until: mutate } + /usr/share/pam/common-account: { until: mutate } + /usr/share/pam/common-auth: { until: mutate } + /usr/share/pam/common-password: { until: mutate } + /usr/share/pam/common-session: { until: mutate } + /usr/share/pam/common-session-noninteractive: { until: mutate } + mutate: | + def parse_type(t): + strippedValue = t[1].strip() + if t[0] == "Auth-Type": + return ["auth", strippedValue] + elif t[0] == "Account-Type": + return ["account", strippedValue] + elif t[0] == "Session-Type": + return ["session-noninteractive", strippedValue] + elif t[0] == "Password-Type": + return ["password", strippedValue] + return [] + + confs_dir = "/usr/share/pam-configs/" + confs = content.list(confs_dir) + confdata = {} + for x in confs: + conf = content.read(confs_dir + x) + lines = conf.splitlines() + + m = "" + p = "" + t = "" + for i in range(len(lines)): + vals = lines[i].split(":") + if vals[0] == "Priority": + p = vals[1].strip() + elif vals[0] in ["Auth-Type", "Account-Type", 
"Session-Type", "Password-Type"]: + m, t = parse_type(vals) + elif vals[0] == "Session-Interactive-Only": + if vals[1].strip() == "yes": + m = "session" + elif vals[0] in ["Auth", "Account", "Session", "Password"]: + d = [] + for j in range(i + 1, len(lines)): + if ":" in lines[j]: + break + d.append(lines[j]) + confdata[m] = {t: {p: d}} + + def reconfigure_data_line(section, line, i): + res = "" + upd = line.replace("success=end", "success=" + str(i)) + if section == "session-noninteractive": + res += "session" + upd + "\n" + else: + res += section + upd + "\n" + return res + + def build_block(data, section, block, existing): + si = 1 + res = existing + if section in data: + types = data[section] + if block in types: + # get the keys (which are the priorities) and + # then reverse sort them to get the highest priority + # first + itemsByPriority = types[block] + keys = itemsByPriority.keys() + keys = sorted(keys, reverse=True) + for p in keys: + for d in itemsByPriority[p]: + res = reconfigure_data_line(section, d, si) + "\n" + si += 1 + + # no primary block, so output a stock pam_permit line + # to keep the stack intact + if res == "" and block == "Primary": + return reconfigure_data_line(section, "\t[default=1]\t\t\tpam_permit.so\n", 1); + return res + + fnames = ["account", "auth", "password", "session", "session-noninteractive"] + idnames = ["$account", "$auth", "$password", "$session", "$session_nonint"] + + for i in range(len(fnames)): + fn = fnames[i] + template = content.read("/usr/share/pam/common-" + fn) + pb = build_block(confdata, fn, "Primary", "") + ab = build_block(confdata, fn, "Additional", "") + + # session also includes settings from the session-noninteractive, + # but not the other way around + if fn == "session": + pb = build_block(confdata, "session-noninteractive", "Primary", pb) + ab = build_block(confdata, "session-noninteractive", "Additional", ab) + + template = template.replace(idnames[i] + "_primary", pb) + template = 
template.replace(idnames[i] + "_additional", ab) + content.write("/etc/pam.d/common-" + fn, template) # folders expected by libpam to exist var: contents: /var/lib/pam/: - # Used by pam-auth-update to generate the pam.d/ config - # files inside etc. However pam-auth-update relies on - # debconf to actually work and discover these packages. - pam-config: - contents: - /usr/share/pam-configs/unix: - - # default templates for the /etc/pam.d files that are used by - # pam-auth-update to generate the /etc/pam.d versions based on - # additional plugs in /usr/share/pam-configs/*. - pam-defaults: - contents: - /usr/share/pam/common-account: - /usr/share/pam/common-account.md5sums: - /usr/share/pam/common-auth: - /usr/share/pam/common-auth.md5sums: - /usr/share/pam/common-password: - /usr/share/pam/common-password.md5sums: - /usr/share/pam/common-session: - /usr/share/pam/common-session-noninteractive: - /usr/share/pam/common-session-noninteractive.md5sums: - /usr/share/pam/common-session.md5sums: - copyright: contents: /usr/share/doc/libpam-runtime/copyright: diff --git a/slices/libxtables12.yaml b/slices/libxtables12.yaml new file mode 100644 index 000000000..bd8d1d699 --- /dev/null +++ b/slices/libxtables12.yaml @@ -0,0 +1,15 @@ +package: libxtables12 + +essential: + - libxtables12_copyright + +slices: + libs: + essential: + - libc6_libs + contents: + /usr/lib/*-linux-*/libxtables.so.12*: + + copyright: + contents: + /usr/share/doc/libxtables12/copyright: diff --git a/slices/sudo.yaml b/slices/sudo.yaml new file mode 100644 index 000000000..47831f0bc --- /dev/null +++ b/slices/sudo.yaml 
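Review bot: `build_block` assigns `res = reconfigure_data_line(section, d, si) + "\n"` inside its loops, so every module line overwrites the previous one and the `existing` text passed in is lost as soon as the block has an entry; only the last module of a block reaches the generated file, which in an auth or account stack means modules are silently dropped. In the same hunk the priorities stay strings, so `sorted(keys, reverse=True)` puts "9" above "256", and `confdata[m] = {t: {p: d}}` replaces instead of merging, so a second profile in /usr/share/pam-configs would overwrite the first for the same section. The `success=end` rewrite also counts up from 1, whereas the stacks pam-auth-update generates give the first Primary entry the largest jump (the remaining Primary lines plus the fallback line after them) and the last entry 1, so with two primary modules the first would jump onto the fallback instead of over it. The rewrite below accumulates lines, merges profiles, compares priorities as integers and counts the jump down; it targets the data-stanza branch as it stands in this hunk (later patches in the series change the stanza names it matches).
```python
# … unchanged: parse_type, confs_dir/confs/confdata setup, per-profile header parsing …
        elif vals[0] in ["Auth", "Account", "Session", "Password"]:
            d = []
            for j in range(i + 1, len(lines)):
                if ":" in lines[j]:
                    break
                if lines[j].strip():  # a blank line would become a bare "auth" entry
                    d.append(lines[j])
            # merge, so every profile in the directory contributes to the same
            # section/block instead of the last one replacing the rest
            block = confdata.setdefault(m, {}).setdefault(t, {})
            block.setdefault(int(p or 0), []).extend(d)

# … unchanged: reconfigure_data_line …

def build_block(data, section, block, existing):
    res = existing
    entries = data.get(section, {}).get(block, {})
    # highest priority first; priorities are integers, not strings
    ordered = [d for p in sorted(entries, reverse=True) for d in entries[p]]
    for idx, d in enumerate(ordered):
        # success=end skips the entries that follow in this block plus the
        # fallback line after it, so the first entry gets the largest jump
        res += reconfigure_data_line(section, d, len(ordered) - idx)
    # no primary block, so output a stock pam_permit line
    # to keep the stack intact
    if res == "" and block == "Primary":
        return reconfigure_data_line(section, "\t[default=1]\t\t\tpam_permit.so\n", 1)
    return res
```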
@@ -0,0 +1,54 @@
+package: sudo
+
+essential:
+ - sudo_copyright
+
+slices:
+ bins:
+ essential:
+ - libapparmor1_libs
+ - libaudit1_libs
+ - libc6_libs
+ - libpam-modules_libs
+ - libpam0g_libs
+ - libselinux1_libs
+ - libssl3t64_libs
+ - sudo_config
+ - sudo_libs
+ - zlib1g_libs
+ contents:
+ /usr/bin/cvtsudoers:
+ /usr/bin/sudo:
+ /usr/bin/sudoedit:
+ /usr/bin/sudoreplay:
+ /usr/libexec/sudo/sesh:
+ /usr/sbin/sudo_logsrvd:
+ /usr/sbin/sudo_sendlog:
+ /usr/sbin/visudo:
+
+ config:
+ contents:
+ /etc/pam.d/sudo:
+ /etc/pam.d/sudo-i:
+ /etc/sudo.conf:
+ /etc/sudo_logsrvd.conf:
+ /etc/sudoers:
+ /usr/lib/tmpfiles.d/sudo.conf:
+
+ extras:
+ contents:
+ /usr/lib/systemd/system/sudo.service:
+
+ libs:
+ contents:
+ /usr/libexec/sudo/audit_json.so:
+ /usr/libexec/sudo/group_file.so:
+ /usr/libexec/sudo/libsudo_util.so*:
+ /usr/libexec/sudo/sudo_intercept.so:
+ /usr/libexec/sudo/sudo_noexec.so:
+ /usr/libexec/sudo/sudoers.so:
+ /usr/libexec/sudo/system_group.so:
+
+ copyright:
+ contents:
+ /usr/share/doc/sudo/copyright:
diff --git a/spread.yaml b/spread.yaml
index b2bb3b951..7f036663c 100644
--- a/spread.yaml
+++ b/spread.yaml
@@ -47,7 +47,8 @@ backends:
 echo "Allocating $SPREAD_SYSTEM..."
 docker_image=$(echo $SPREAD_SYSTEM | awk -F '-' '{print $1":"$2}')
 docker_arch=$(echo $SPREAD_SYSTEM | awk -F '-' '{print $NF}')
- docker run --rm -e DEBIAN_FRONTEND=noninteractice \
+ docker run --cap-add=NET_ADMIN --cap-add=NET_RAW \
+ --rm -e DEBIAN_FRONTEND=noninteractice \
 -e usr=$SPREAD_SYSTEM_USERNAME -e pass=$SPREAD_SYSTEM_PASSWORD \
 --name $SPREAD_SYSTEM -d $docker_arch/$docker_image sh -c '
 set -x
diff --git a/tests/spread/integration/iptables/task.yaml b/tests/spread/integration/iptables/task.yaml
new file mode 100644
index 000000000..59d2639c6
--- /dev/null
+++ b/tests/spread/integration/iptables/task.yaml
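Review bot: The `bins` slice bundles `/usr/sbin/sudo_logsrvd` and `/usr/sbin/sudo_sendlog` with the `sudo` client binaries, and `config` ships `/etc/sudo_logsrvd.conf` next to `/etc/sudoers`, so a rootfs that only needs `sudo` also carries the audit log server daemon and its configuration. Moving the daemon, `sudo_sendlog` and `/etc/sudo_logsrvd.conf` into their own slice (for example `logsrvd`) keeps the default footprint to what `sudo` itself needs and makes the daemon an explicit opt-in. Nothing in the slice provides `/etc/sudoers.d/`, which the packaged `/etc/sudoers` typically includes; whether sudo tolerates the missing directory is not visible from this patch and is worth confirming in the integration task.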
@@ -0,0 +1,23 @@
+summary: Integration tests for iptables
+
+execute: |
+ rootfs="$(install-slices passwd_config libpam-runtime_config netbase_default-hosts sudo_bins iptables_bins)"
+ host=$(hostname)
+
+ # setup /etc/hosts for the current hostname, otherwise
+ # sudo will be confused
+ sed -i "/127.0.0.1\tlocalhost/a 127.0.0.1\t$host" "$rootfs"/etc/hosts
+
+ mkdir "$rootfs"/run
+
+ # ensure the command spits something out we can recognize
+ chroot "$rootfs" sudo iptables-legacy -t filter --list | grep "Chain INPUT"
+
+ # try to check if there is an input rule for this random IP
+ chroot "$rootfs" sudo iptables-legacy -t filter --check INPUT -s 192.168.1.123 -j DROP 2>&1 | grep "Bad rule"
+
+ # append a random rule
+ chroot "$rootfs" sudo iptables-legacy -t filter -A INPUT -s 192.168.1.230 -j ACCEPT
+
+ # check it appears
+ chroot "$rootfs" sudo iptables-legacy --list | grep "192.168.1.230"
diff --git a/tests/spread/integration/libpam-runtime/task.yaml b/tests/spread/integration/libpam-runtime/task.yaml
new file mode 100644
index 000000000..93ad7dd75
--- /dev/null
+++ b/tests/spread/integration/libpam-runtime/task.yaml
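Review bot: The task appends `-A INPUT -s 192.168.1.230 -j ACCEPT` to the filter table of whatever network namespace the runner is in (a chroot does not isolate netfilter) and never removes it, so the rule outlives the task and is still present for every later test on the same worker. Add a `restore:` section, or a final `chroot "$rootfs" sudo iptables-legacy -t filter -D INPUT -s 192.168.1.230 -j ACCEPT`, so the chain is left as it was found. The `--check` step is also worth running again after the delete so the cleanup itself is verified.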
@@ -0,0 +1,13 @@
+summary: Integration tests for sudo
+
+execute: |
+ rootfs="$(install-slices passwd_config libpam-runtime_config netbase_default-hosts coreutils_bins sudo_bins)"
+
+ # test that libpam correctly generated things
+ cat "$rootfs"/etc/pam.d/common-account | grep -E "account\s+\[success=1 new_authtok_reqd=done default=ignore\]\s+pam_unix\.so"
+ cat "$rootfs"/etc/pam.d/common-auth | grep -E "auth\s+\[success=1 default=ignore\]\s+pam_unix\.so\s+nullok"
+ cat "$rootfs"/etc/pam.d/common-password | grep -E "password\s+\[success=1 default=ignore\]\s+pam_unix\.so\s+obscure\s+use_authtok\s+try_first_pass\s+yescrypt"
+ cat "$rootfs"/etc/pam.d/common-session | grep -E "session\s+\[default=1\]\s+pam_permit\.so"
+ cat "$rootfs"/etc/pam.d/common-session | grep -E "session\s+required\s+pam_unix\.so"
+ cat "$rootfs"/etc/pam.d/common-session-noninteractive | grep -E "session\s+\[default=1\]\s+pam_permit\.so"
+ cat "$rootfs"/etc/pam.d/common-session-noninteractive | grep -E "session\s+required\s+pam_unix\.so"
diff --git a/tests/spread/integration/sudo/task.yaml b/tests/spread/integration/sudo/task.yaml
new file mode 100644
index 000000000..92b7c30bf
--- /dev/null
+++ b/tests/spread/integration/sudo/task.yaml
@@ -0,0 +1,12 @@
+summary: Integration tests for sudo
+
+execute: |
+ rootfs="$(install-slices passwd_config libpam-runtime_config netbase_default-hosts coreutils_bins sudo_bins)"
+ host=$(hostname)
+
+ # setup /etc/hosts for the current hostname, otherwise
+ # sudo will be confused
+ sed -i "/127.0.0.1\tlocalhost/a 127.0.0.1\t$host" "$rootfs"/etc/hosts
+
+ # ensure sudo correctly runs and provides the output "root"
+ chroot "$rootfs" sudo whoami | grep "root"
From dca62785a30881434b8ea5ff26ea2d4ce4d6a346 Mon Sep 17 00:00:00 2001
From: Philip Meulengracht
Date: Wed, 28 Aug 2024 13:02:49 +0200
Subject: [PATCH 02/11] spread: remove extended caps for docker
---
 spread.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
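Review bot: The assertions only look for the expected pam_unix lines, so a generated file in which the mutate script left a `$auth_primary`-style placeholder unexpanded (the script replaces `$<section>_primary` and `$<section>_additional` tokens in the templates) would still pass as long as the grepped line appears somewhere. A negative check such as `! grep -rE '\$(account|auth|password|session|session_nonint)_(primary|additional)' "$rootfs"/etc/pam.d/` makes an unexpanded template fail the task. Each `cat FILE | grep -E PATTERN` can simply be `grep -E PATTERN FILE`.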
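Review bot: `chroot "$rootfs" sudo whoami` is run by the user that is able to chroot, i.e. already root, so it exercises sudoers parsing and the PAM stack but not the setuid bit on `/usr/bin/sudo`, which is what any unprivileged caller depends on. A slice that copies the binary without its mode bits would pass this task unnoticed; add `test -u "$rootfs"/usr/bin/sudo` (or run `sudo` as a non-root user inside the chroot) so the mode is covered as well.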
diff --git a/spread.yaml b/spread.yaml
index 7f036663c..b2bb3b951 100644
--- a/spread.yaml
+++ b/spread.yaml
@@ -47,8 +47,7 @@ backends:
 echo "Allocating $SPREAD_SYSTEM..."
 docker_image=$(echo $SPREAD_SYSTEM | awk -F '-' '{print $1":"$2}')
 docker_arch=$(echo $SPREAD_SYSTEM | awk -F '-' '{print $NF}')
- docker run --cap-add=NET_ADMIN --cap-add=NET_RAW \
- --rm -e DEBIAN_FRONTEND=noninteractice \
+ docker run --rm -e DEBIAN_FRONTEND=noninteractice \
 -e usr=$SPREAD_SYSTEM_USERNAME -e pass=$SPREAD_SYSTEM_PASSWORD \
 --name $SPREAD_SYSTEM -d $docker_arch/$docker_image sh -c '
 set -x
From 28226968724a2d0da1799f7f03f533f3c4d21735 Mon Sep 17 00:00:00 2001
From: Philip Meulengracht
Date: Thu, 29 Aug 2024 09:26:50 +0200
Subject: [PATCH 03/11] slices: rename slices away from extras, readd prior broken slices but modify the pam-defaults to actually deliver working files instead
---
 slices/iptables.yaml | 2 +-
 slices/libpam-runtime.yaml | 11 +++++++++++
 slices/sudo.yaml | 4 +++-
 tests/spread/integration/libpam-runtime/task.yaml | 2 +-
 4 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/slices/iptables.yaml b/slices/iptables.yaml
index 28fc0ad8e..843340bb8 100644
--- a/slices/iptables.yaml
+++ b/slices/iptables.yaml
@@ -51,7 +51,7 @@ slices:
 # The xlst is used to convert XML configuration into something
 # iptables can understand, and vice-versa.
- extras:
+ converters:
 contents:
 /usr/bin/iptables-xml:
 /usr/share/iptables/iptables.xslt:
diff --git a/slices/libpam-runtime.yaml b/slices/libpam-runtime.yaml
index b70ecbd8e..092104aa2 100644
--- a/slices/libpam-runtime.yaml
+++ b/slices/libpam-runtime.yaml
@@ -130,6 +130,17 @@ slices: template = template.replace(idnames[i] + "_additional", ab) content.write("/etc/pam.d/common-" + fn, template) + # the following two slices are kept for backwards-compatibility + # however the pam-defaults have been modified to deliver correct + # files instead of templates + pam-config: + contents: + /usr/share/pam-configs/unix: + + pam-defaults: + essential: + - libpam_runtime_config + # folders expected by libpam to exist var: contents: diff --git a/slices/sudo.yaml b/slices/sudo.yaml index 47831f0bc..6e9507472 100644 --- a/slices/sudo.yaml +++ b/slices/sudo.yaml @@ -35,7 +35,9 @@ slices: /etc/sudoers: /usr/lib/tmpfiles.d/sudo.conf: - extras: + services: + essential: + - sudo_bins contents: /usr/lib/systemd/system/sudo.service: diff --git a/tests/spread/integration/libpam-runtime/task.yaml b/tests/spread/integration/libpam-runtime/task.yaml index 93ad7dd75..9a7253990 100644 --- a/tests/spread/integration/libpam-runtime/task.yaml +++ b/tests/spread/integration/libpam-runtime/task.yaml @@ -1,4 +1,4 @@ -summary: Integration tests for sudo +summary: Integration tests for libpam-runtime execute: | rootfs="$(install-slices passwd_config libpam-runtime_config netbase_default-hosts coreutils_bins sudo_bins)" From 0280ed7a3d446706da32f60c183d14f3098d2b3e Mon Sep 17 00:00:00 2001 From: Philip Meulengracht Date: Thu, 29 Aug 2024 09:31:02 +0200 Subject: [PATCH 04/11] slices/libpam-runtime: fix typo in essential --- slices/libpam-runtime.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/slices/libpam-runtime.yaml b/slices/libpam-runtime.yaml index 092104aa2..f471e26d9 100644 --- a/slices/libpam-runtime.yaml +++ b/slices/libpam-runtime.yaml @@ -139,7 +139,7 @@ slices: pam-defaults: essential: - - libpam_runtime_config + - libpam-runtime_config # folders expected by libpam to exist var: From 77110c823c967553d0933dcd2239376dc24f35c1 Mon Sep 17 00:00:00 2001 
From: Philip Meulengracht
Date: Tue, 1 Oct 2024 11:07:45 +0200
Subject: [PATCH 05/11] tests: use \s instead of \t
---
 tests/spread/integration/iptables/task.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/spread/integration/iptables/task.yaml b/tests/spread/integration/iptables/task.yaml
index 59d2639c6..f89381d1a 100644
--- a/tests/spread/integration/iptables/task.yaml
+++ b/tests/spread/integration/iptables/task.yaml
@@ -6,7 +6,7 @@ execute: |
 # setup /etc/hosts for the current hostname, otherwise
 # sudo will be confused
- sed -i "/127.0.0.1\tlocalhost/a 127.0.0.1\t$host" "$rootfs"/etc/hosts
+ sed -i "/127.0.0.1\slocalhost/a 127.0.0.1\s$host" "$rootfs"/etc/hosts
 mkdir "$rootfs"/run
From 47f917ca1aab24dc0a7a6a08fd084ebd284856f9 Mon Sep 17 00:00:00 2001
From: Cristovao Cordeiro
Date: Tue, 26 Nov 2024 14:45:20 +0100
Subject: [PATCH 06/11] Update slices/libpam-runtime.yaml
Co-authored-by: Rafid Bin Mostofa
---
 slices/libpam-runtime.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/slices/libpam-runtime.yaml b/slices/libpam-runtime.yaml
index f471e26d9..5a168d8c9 100644
--- a/slices/libpam-runtime.yaml
+++ b/slices/libpam-runtime.yaml
@@ -20,7 +20,7 @@ slices:
 # Emulate in part what pam-auth-update does. There is a short coming right now, we
 # cannot include other files from other slices that install into
- # /usr/share/pam-configs/*
+ # /usr/share/pam-configs/*
 # since this mutation script wont be able to access them as of writing.
 config:
 essential:
From 8d551447d1764300f5b1f35b39dd48e2c4906ce5 Mon Sep 17 00:00:00 2001
From: Cristovao Cordeiro
Date: Tue, 26 Nov 2024 14:47:29 +0100
Subject: [PATCH 07/11] fix: preserver pam-defaults slice
---
 slices/libpam-runtime.yaml | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/slices/libpam-runtime.yaml b/slices/libpam-runtime.yaml
index 5a168d8c9..d9fdc4595 100644
--- a/slices/libpam-runtime.yaml
+++ b/slices/libpam-runtime.yaml
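Review bot: In the appended text `127.0.0.1\s$host`, `\s` is not a whitespace escape: GNU sed treats `\s` as a whitespace class only inside a regular expression, while in the text of an `a` command it only expands character escapes such as `\t`, so the inserted /etc/hosts line most likely comes out as `127.0.0.1s<hostname>` and the hostname fix the comment describes no longer takes effect (sudo only warns when it cannot resolve the host, so the task still passes and hides this). Keep `\s` in the address but use a real separator in the text, e.g. `sed -i "/127.0.0.1\slocalhost/a 127.0.0.1\t$host" "$rootfs"/etc/hosts` or a plain space. The sudo task's copy of this line still uses `\t` on both sides, so the two tasks now differ for no reason; whichever form is kept should be used in both.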
@@ -27,11 +27,11 @@ slices:
 - libpam-runtime_var
 contents:
 /etc/pam.conf:
- /etc/pam.d/common-account: {text: '', mutable: true}
- /etc/pam.d/common-auth: {text: '', mutable: true}
- /etc/pam.d/common-password: {text: '', mutable: true}
- /etc/pam.d/common-session: {text: '', mutable: true}
- /etc/pam.d/common-session-noninteractive: {text: '', mutable: true}
+ /etc/pam.d/common-account: { text: "", mutable: true }
+ /etc/pam.d/common-auth: { text: "", mutable: true }
+ /etc/pam.d/common-password: { text: "", mutable: true }
+ /etc/pam.d/common-session: { text: "", mutable: true }
+ /etc/pam.d/common-session-noninteractive: { text: "", mutable: true }
 /etc/pam.d/other:
 /usr/share/pam-configs/unix: { until: mutate }
 /usr/share/pam/common-account: { until: mutate }
@@ -138,8 +138,17 @@ slices:
 /usr/share/pam-configs/unix:
 pam-defaults:
- essential:
- - libpam-runtime_config
+ contents:
+ /usr/share/pam/common-account:
+ /usr/share/pam/common-account.md5sums:
+ /usr/share/pam/common-auth:
+ /usr/share/pam/common-auth.md5sums:
+ /usr/share/pam/common-password:
+ /usr/share/pam/common-password.md5sums:
+ /usr/share/pam/common-session:
+ /usr/share/pam/common-session-noninteractive:
+ /usr/share/pam/common-session-noninteractive.md5sums:
+ /usr/share/pam/common-session.md5sums:
 # folders expected by libpam to exist
 var:
From e3a4fe816a142f6a7f4bddfbe34ec50136e75f58 Mon Sep 17 00:00:00 2001
From: Cristovao Cordeiro
Date: Wed, 18 Dec 2024 10:12:38 +0100
Subject: [PATCH 08/11] Update slices/libpam-runtime.yaml
Co-authored-by: zhijie-yang
---
 slices/libpam-runtime.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/slices/libpam-runtime.yaml b/slices/libpam-runtime.yaml
index d9fdc4595..854526935 100644
--- a/slices/libpam-runtime.yaml
+++ b/slices/libpam-runtime.yaml
@@ -130,9 +130,9 @@ slices: template = template.replace(idnames[i] + "_additional", ab) content.write("/etc/pam.d/common-" + fn, template) - # the following two slices are kept for backwards-compatibility - # however the pam-defaults have been modified to deliver correct - # files instead of templates + # The following two slices are kept for backwards compatibility. + # However, the pam-defaults have been modified to deliver correct + # files instead of templates. pam-config: contents: /usr/share/pam-configs/unix: From 5f7fc268446112128eb4583730e7fa9a0c46f295 Mon Sep 17 00:00:00 2001 From: Cristovao Cordeiro Date: Wed, 18 Dec 2024 10:14:55 +0100 Subject: [PATCH 09/11] fix: address review comments Add -Initial suffix to mutation scritps --- slices/libpam-runtime.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/slices/libpam-runtime.yaml b/slices/libpam-runtime.yaml index 854526935..a41b32025 100644 --- a/slices/libpam-runtime.yaml +++ b/slices/libpam-runtime.yaml @@ -71,7 +71,7 @@ slices: elif vals[0] == "Session-Interactive-Only": if vals[1].strip() == "yes": m = "session" - elif vals[0] in ["Auth", "Account", "Session", "Password"]: + elif vals[0] in ["Auth-Initial", "Account-Initial", "Session-Initial", "Password-Initial"]: d = [] for j in range(i + 1, len(lines)): if ":" in lines[j]: From 8dfccc3d813f2d32b541f97fb954e69c9a22f9b2 Mon Sep 17 00:00:00 2001 From: Cristovao Cordeiro Date: Wed, 18 Dec 2024 13:17:20 +0100 Subject: [PATCH 10/11] Apply suggestions from code review Co-authored-by: zhijie-yang --- slices/libpam-runtime.yaml | 3 ++- tests/spread/integration/libpam-runtime/task.yaml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/slices/libpam-runtime.yaml b/slices/libpam-runtime.yaml index a41b32025..0f6e1ca0e 100644 --- a/slices/libpam-runtime.yaml +++ b/slices/libpam-runtime.yaml 
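Review bot: The reworded comment still says the pam-defaults slice "have been modified to deliver correct files instead of templates", but as the slice stands after the previous patch in this series it ships the stock `/usr/share/pam/common-*` files and their `.md5sums`, the very templates the `config` slice's mutate script reads and expands into `/etc/pam.d/common-*`. The comment should describe that split rather than the earlier intent, e.g. `# The following two slices are kept for backwards compatibility; they ship the raw pam-auth-update inputs (the unix profile and the common-* templates). The generated /etc/pam.d/common-* files come from the config slice's mutate script.`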
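Review bot: With only the `*-Initial` stanza names matched here, a profile that carries just `Auth:`/`Account:`/`Session:`/`Password:` contributes nothing, and for a Primary block `build_block` (defined below this hunk) then emits its `[default=1] pam_permit.so` placeholder; in common-auth that placeholder makes the stack succeed without any module having authenticated, so a profile shape the parser does not recognise turns into a permissive stack rather than an error. Whether the unix profile has an `-Initial` stanza for every type it declares is not visible here, and the libpam-runtime task only greps for expected lines rather than asserting the auth placeholder is absent. Safer is to accept both spellings, let `-Initial` take precedence when a profile has both, and have the mutate raise when `auth` ends up with no Primary entry instead of writing pam_permit. The enclosing `for i in range(len(lines))` loop starts above the hunk.
```python
            m = ""
            p = ""
            t = ""
            seen = set()  # sections already filled from this profile
            for i in range(len(lines)):
                vals = lines[i].split(":")
                # … unchanged: if/elif branches for Priority, *-Type and Session-Interactive-Only …
                elif vals[0] in ["Auth", "Account", "Session", "Password",
                                 "Auth-Initial", "Account-Initial",
                                 "Session-Initial", "Password-Initial"]:
                    d = []
                    # … unchanged: collect the stanza's lines up to the next "Key:" line …
                    # a plain stanza only fills the section when no -Initial one has
                    if vals[0].endswith("-Initial") or m not in seen:
                        confdata[m] = {t: {p: d}}
                    seen.add(m)
```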
@@ -71,7 +71,8 @@ slices: elif vals[0] == "Session-Interactive-Only": if vals[1].strip() == "yes": m = "session" - elif vals[0] in ["Auth-Initial", "Account-Initial", "Session-Initial", "Password-Initial"]: + elif vals[0] in ["Auth-Initial", "Account-Initial", + "Session-Initial", "Password-Initial"]: d = [] for j in range(i + 1, len(lines)): if ":" in lines[j]: diff --git a/tests/spread/integration/libpam-runtime/task.yaml b/tests/spread/integration/libpam-runtime/task.yaml index 9a7253990..a49243338 100644 --- a/tests/spread/integration/libpam-runtime/task.yaml +++ b/tests/spread/integration/libpam-runtime/task.yaml @@ -6,7 +6,7 @@ execute: | # test that libpam correctly generated things cat "$rootfs"/etc/pam.d/common-account | grep -E "account\s+\[success=1 new_authtok_reqd=done default=ignore\]\s+pam_unix\.so" cat "$rootfs"/etc/pam.d/common-auth | grep -E "auth\s+\[success=1 default=ignore\]\s+pam_unix\.so\s+nullok" - cat "$rootfs"/etc/pam.d/common-password | grep -E "password\s+\[success=1 default=ignore\]\s+pam_unix\.so\s+obscure\s+use_authtok\s+try_first_pass\s+yescrypt" + cat "$rootfs"/etc/pam.d/common-password | grep -E "password\s+\[success=1 default=ignore\]\s+pam_unix\.so\s+obscure\s+yescrypt" cat "$rootfs"/etc/pam.d/common-session | grep -E "session\s+\[default=1\]\s+pam_permit\.so" cat "$rootfs"/etc/pam.d/common-session | grep -E "session\s+required\s+pam_unix\.so" cat "$rootfs"/etc/pam.d/common-session-noninteractive | grep -E "session\s+\[default=1\]\s+pam_permit\.so" From 5e65b3c0b85dc84d17e799b80d5fa67c2c9f6b2e Mon Sep 17 00:00:00 2001 From: Cristovao Cordeiro Date: Wed, 18 Dec 2024 13:27:14 +0100 Subject: [PATCH 11/11] fix: linting --- slices/libpam-runtime.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/slices/libpam-runtime.yaml b/slices/libpam-runtime.yaml index 0f6e1ca0e..91f3943bd 100644 --- a/slices/libpam-runtime.yaml +++ b/slices/libpam-runtime.yaml 
@@ -71,7 +71,7 @@ slices: elif vals[0] == "Session-Interactive-Only": if vals[1].strip() == "yes": m = "session" - elif vals[0] in ["Auth-Initial", "Account-Initial", + elif vals[0] in ["Auth-Initial", "Account-Initial", "Session-Initial", "Password-Initial"]: d = [] for j in range(i + 1, len(lines)):