From 5b83d3cf02bd647b605732ea33f03430b40af511 Mon Sep 17 00:00:00 2001 From: Yasmin Valim Date: Fri, 8 Sep 2023 17:49:15 -0300 Subject: [PATCH] fcos/v1_6_exp: Add new sugar for Selinux Modules. --- config/common/errors.go | 5 + config/fcos/v1_6_exp/schema.go | 10 + config/fcos/v1_6_exp/translate.go | 72 +++++++ config/fcos/v1_6_exp/translate_test.go | 264 +++++++++++++++++++++++++ config/fcos/v1_6_exp/validate.go | 11 ++ config/fcos/v1_6_exp/validate_test.go | 52 +++++ 6 files changed, 414 insertions(+) diff --git a/config/common/errors.go b/config/common/errors.go index a5f8d5b2..2282fcd5 100644 --- a/config/common/errors.go +++ b/config/common/errors.go @@ -93,6 +93,11 @@ var ( // Kernel arguments ErrGeneralKernelArgumentSupport = errors.New("kernel argument customization is not supported in this spec version") + + // Selinux Module + ErrContentInvalid = errors.New("Content is empty, please provide content.") + ErrNameInvalid = errors.New("Name is empty, please provide a valid name.") + ErrFieldInvalid = errors.New("Please, provide valid information.") ) type ErrUnmarshal struct { diff --git a/config/fcos/v1_6_exp/schema.go b/config/fcos/v1_6_exp/schema.go index 140cd31a..9644179f 100644 --- a/config/fcos/v1_6_exp/schema.go +++ b/config/fcos/v1_6_exp/schema.go @@ -22,6 +22,7 @@ type Config struct { base.Config `yaml:",inline"` BootDevice BootDevice `yaml:"boot_device"` Grub Grub `yaml:"grub"` + Selinux Selinux `yaml:"selinux"` } type BootDevice struct { @@ -49,3 +50,12 @@ type GrubUser struct { Name string `yaml:"name"` PasswordHash *string `yaml:"password_hash"` } + +type Selinux struct { + Module []Module `yaml:"module"` +} + +type Module struct { + Name string `yaml:"name"` + Content string `yaml:"content"` +} diff --git a/config/fcos/v1_6_exp/translate.go b/config/fcos/v1_6_exp/translate.go index 2a45287b..fe56abed 100644 --- a/config/fcos/v1_6_exp/translate.go +++ b/config/fcos/v1_6_exp/translate.go @@ -16,6 +16,7 @@ package v1_6_exp import ( "fmt" + "os/exec" "strings" baseutil "github.com/coreos/butane/base/util" @@ -89,6 +90,13 @@ func (c Config) ToIgn3_5Unvalidated(options common.TranslateOptions) (types.Conf retConfig, ts := baseutil.MergeTranslatedConfigs(retp, tsp, ret, ts) ret = retConfig.(types.Config) r.Merge(rp) + + // Clean this as it needs to not be so confusing + retr, trs, rr := c.handleSelinux(options) + returnConfig, ts := baseutil.MergeTranslatedConfigs(retr, trs, ret, ts) + ret = returnConfig.(types.Config) + r.Merge(rr) + return ret, ts, r } @@ -367,3 +375,67 @@ func buildGrubConfig(gb Grub) string { superUserCmd := fmt.Sprintf("set superusers=\"%s\"\n", strings.Join(allUsers, " ")) return "# Generated by Butane\n\n" + superUserCmd + strings.Join(cmds, "\n") + "\n" } + +func (c Config) handleSelinux(options common.TranslateOptions) (types.Config, translate.TranslationSet, report.Report) { + rendered := types.Config{} + ts := translate.NewTranslationSet("yaml", "json") + var r report.Report + + for i, module := range c.Selinux.Module { + yamlPath := path.New("yaml", "selinux", "module", i) + if module.Name != "" && module.Content != "" { + rendered = processModule(rendered, module, options, ts, r, yamlPath) + break + } else { + r.AddOnWarn(path.New("yaml", "selinux", "module", i), common.ErrFieldInvalid) + } + } + + if len(rendered.Storage.Files) > 0 { + rendered.Storage.Filesystems = append(rendered.Storage.Filesystems, + types.Filesystem{ + Device: "/dev/disk/by-label/boot", + Format: util.StrToPtr("ext4"), + Path: util.StrToPtr("/boot"), + }) + } + + return rendered, ts, r +} + +func processModule(rendered types.Config, module Module, options common.TranslateOptions, ts translate.TranslationSet, r report.Report, yamlPath path.ContextPath) types.Config { + src, compression, err := baseutil.MakeDataURL([]byte(module.Content), nil, !options.NoResourceAutoCompression) + if err != nil { + r.AddOnError(yamlPath, err) + return rendered + } + filePath := fmt.Sprintf("/etc/selinux/targeted/modules/active/extra/%s.cil", module.Name) + + rendered.Storage.Files = append(rendered.Storage.Files, + types.File{ + Node: types.Node{ + Path: filePath, + }, + FileEmbedded1: types.FileEmbedded1{ + Append: []types.Resource{ + { + Source: util.StrToPtr(src), + Compression: compression, + }, + }, + }, + }) + + commandToExecute := "semodule -i" + cmd := exec.Command(commandToExecute, filePath) + err = cmd.Run() + if err != nil { + fmt.Printf("Error running semodule %v", module.Name) + } + + fmt.Printf("SELinux module file imported successfully\n") + + ts.AddFromCommonSource(yamlPath, path.New("json", "storage"), rendered.Storage) + + return rendered +} diff --git a/config/fcos/v1_6_exp/translate_test.go b/config/fcos/v1_6_exp/translate_test.go index 87620a77..c05f2b87 100644 --- a/config/fcos/v1_6_exp/translate_test.go +++ b/config/fcos/v1_6_exp/translate_test.go @@ -1637,3 +1637,267 @@ func TestTranslateGrub(t *testing.T) { }) } } + +func TestTranslateSelinux(t *testing.T) { + translations := []translate.Translation{ + {From: path.New("yaml", "version"), To: path.New("json", "ignition", "version")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0)}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0, "path")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0, "device")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0, "format")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0)}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "path")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0)}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0, "source")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0, "compression")}, + } + tests := []struct { + in Config + out types.Config + exceptions []translate.Translation + report report.Report + }{ + // config with one module + { + Config{ + Selinux: Selinux{ + Module: []Module{ + { + Name: "some_name", + Content: "some content here", + }, + }, + }, + }, + types.Config{ + Ignition: types.Ignition{ + Version: "3.5.0-experimental", + }, + Storage: types.Storage{ + Filesystems: []types.Filesystem{ + { + Device: "/dev/disk/by-label/boot", + Format: util.StrToPtr("ext4"), + Path: util.StrToPtr("/boot"), + }, + }, + Files: []types.File{ + { + Node: types.Node{ + Path: "/etc/selinux/targeted/modules/active/extra/some_name.cil", + }, + FileEmbedded1: types.FileEmbedded1{ + Append: []types.Resource{ + { + Source: util.StrToPtr("data:,some%20content%20here"), + Compression: util.StrToPtr(""), + }, + }, + }, + }, + }, + }, + }, + translations, + report.Report{}, + }, + } + + for i, test := range tests { + t.Run(fmt.Sprintf("translate %d", i), func(t *testing.T) { + actual, translations, r := test.in.ToIgn3_5Unvalidated(common.TranslateOptions{}) + r = confutil.TranslateReportPaths(r, translations) + baseutil.VerifyReport(t, test.in, r) + assert.Equal(t, test.out, actual, "translation mismatch") + assert.Equal(t, test.report, r, "report mismatch") + baseutil.VerifyTranslations(t, translations, test.exceptions) + assert.NoError(t, translations.DebugVerifyCoverage(actual), "incomplete TranslationSet coverage") + }) + } +} + +func TestTranslateSelinuxaaa(t *testing.T) { + translations := []translate.Translation{ + {From: path.New("yaml", "version"), To: path.New("json", "ignition", "version")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0)}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0, "path")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0, "device")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0, "format")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0)}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "path")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0)}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0, "source")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0, "compression")}, + } + + // With one module + in := Config{ + Selinux: Selinux{ + Module: []Module{ + { + Name: "some_name", + Content: "some content here", + }, + }, + }, + } + out := types.Config{ + Ignition: types.Ignition{ + Version: "3.5.0-experimental", + }, + Storage: types.Storage{ + Filesystems: []types.Filesystem{ + { + Device: "/dev/disk/by-label/boot", + Format: util.StrToPtr("ext4"), + Path: util.StrToPtr("/boot"), + }, + }, + Files: []types.File{ + { + Node: types.Node{ + Path: "/etc/selinux/targeted/modules/active/extra/some_name.cil", + }, + FileEmbedded1: types.FileEmbedded1{ + Append: []types.Resource{ + { + Source: util.StrToPtr("data:,some%20content%20here"), + Compression: util.StrToPtr(""), + }, + }, + }, + }, + }, + }, + } + + test := struct { + in Config + out types.Config + exceptions []translate.Translation + report report.Report + }{ + in, + out, + translations, + report.Report{}, + } + + t.Run(fmt.Sprintf("translate %d", 0), func(t *testing.T) { + actual, translations, r := test.in.ToIgn3_5Unvalidated(common.TranslateOptions{}) + r = confutil.TranslateReportPaths(r, translations) + baseutil.VerifyReport(t, test.in, r) + assert.Equal(t, test.out, actual, "translation mismatch") + assert.Equal(t, test.report, r, "report mismatch") + baseutil.VerifyTranslations(t, translations, test.exceptions) + assert.NoError(t, translations.DebugVerifyCoverage(actual), "incomplete TranslationSet coverage") + }) +} + +// TODO: testing with two modules and merge those two tests and other scenerios +func TestTranslateModule(t *testing.T) { + translations := []translate.Translation{ + {From: path.New("yaml", "version"), To: path.New("json", "ignition", "version")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0)}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0, "path")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0, "device")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "filesystems", 0, "format")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0)}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "path")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0)}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0, "source")}, + {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0, "compression")}, + } + + // With 2 modules + in := Config{ + Selinux: Selinux{ + Module: []Module{ + { + Name: "some_name", + Content: "some content here", + }, + { + Name: "another_name", + Content: "some content here", + }, + }, + }, + } + out := types.Config{ + Ignition: types.Ignition{ + Version: "3.5.0-experimental", + }, + Storage: types.Storage{ + Filesystems: []types.Filesystem{ + { + Device: "/dev/disk/by-label/boot", + Format: util.StrToPtr("ext4"), + Path: util.StrToPtr("/boot"), + }, + }, + Files: []types.File{ + { + Node: types.Node{ + Path: "/etc/selinux/targeted/modules/active/extra/some_name.cil", + }, + FileEmbedded1: types.FileEmbedded1{ + Append: []types.Resource{ + { + Source: util.StrToPtr("data:,some%20content%20here"), + Compression: util.StrToPtr(""), + }, + }, + }, + }, + { + Node: types.Node{ + Path: "/etc/selinux/targeted/modules/active/extra/another_name.cil", + }, + FileEmbedded1: types.FileEmbedded1{ + Append: []types.Resource{ + { + Source: util.StrToPtr("data:,some%20content%20here"), + Compression: util.StrToPtr(""), + }, + }, + }, + }, + }, + }, + } + + test := struct { + in Config + out types.Config + exceptions []translate.Translation + report report.Report + }{ + in, + out, + translations, + report.Report{}, + } + + t.Run(fmt.Sprintf("translate %d", 0), func(t *testing.T) { + actual, translations, r := test.in.ToIgn3_5Unvalidated(common.TranslateOptions{}) + r = confutil.TranslateReportPaths(r, translations) + baseutil.VerifyReport(t, test.in, r) + assert.Equal(t, test.out, actual, "translation mismatch") + assert.Equal(t, test.report, r, "report mismatch") + baseutil.VerifyTranslations(t, translations, test.exceptions) + assert.NoError(t, translations.DebugVerifyCoverage(actual), "incomplete TranslationSet coverage") + }) +} diff --git a/config/fcos/v1_6_exp/validate.go b/config/fcos/v1_6_exp/validate.go index 4c3ae9de..ccdab8f1 100644 --- a/config/fcos/v1_6_exp/validate.go +++ b/config/fcos/v1_6_exp/validate.go @@ -77,3 +77,14 @@ func (user GrubUser) Validate(c path.ContextPath) (r report.Report) { } return } + +func (m Module) Validate(c path.ContextPath) (r report.Report) { + if m.Name != "" && m.Content == "" { + r.AddOnError(c.Append("content"), common.ErrContentInvalid) + } + + if m.Content != "" && m.Name == "" { + r.AddOnError(c.Append("name"), common.ErrNameInvalid) + } + return r +} diff --git a/config/fcos/v1_6_exp/validate_test.go b/config/fcos/v1_6_exp/validate_test.go index 2c850580..98d8369b 100644 --- a/config/fcos/v1_6_exp/validate_test.go +++ b/config/fcos/v1_6_exp/validate_test.go @@ -479,3 +479,55 @@ func TestValidateConfig(t *testing.T) { }) } } + +func TestValidateModule(t *testing.T) { + tests := []struct { + in Module + out error + errPath path.ContextPath + }{ + { + // content is empty, path is specified + in: Module{ + Content: "", + Name: "some name", + }, + out: common.ErrContentInvalid, + errPath: path.New("yaml", "content"), + }, + { + // name is empty, content is specified + in: Module{ + Name: "", + Content: "some content", + }, + out: common.ErrNameInvalid, + errPath: path.New("yaml", "name"), + }, + { + // name and content are empty + in: Module{}, + out: nil, + errPath: path.New("yaml"), + }, + { + // name and content are specified + in: Module{ + Content: "some content", + Name: "some name", + }, + out: nil, + errPath: path.New("yaml"), + }, + } + + for i, test := range tests { + t.Run(fmt.Sprintf("validate %d", i), func(t *testing.T) { + actual := test.in.Validate(path.New("yaml")) + baseutil.VerifyReport(t, test.in, actual) + expected := report.Report{} + expected.AddOnError(test.errPath, test.out) + assert.Equal(t, expected, actual, "bad report") + }) + } +}