Initial work on limiting what names an agent can register by the seliux context. #1023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alexlarsson
force-pushed
the
uds-selinux
branch
from
082984e to
e543d48
Compare
alexlarsson
force-pushed
the
uds-selinux
branch
2 times, most recently
from
7fd0435 to
db66289
Compare
This is very useful for arrays of strings for example.
This lists the sections in a config.
This will be needed for later use.
alexlarsson
force-pushed
the
uds-selinux
branch
from
db66289 to
e6e9ad4
Compare
engelmi
reviewed
Jan 14, 2025
There was a problem hiding this comment.
We should definitely add a few integration tests for this change.
Since the GH CI runners use Ubuntu VMs, we can't really run SELinux tests in the GH CI - only via Packit/Testing Farm these tests would be (reliably) running. I think we have already integration tests like this tagged with testing-farm-container.
We can postpone this to another PR, though. If yes, then I'll create an issue to track it.
This parses a full selinux context and returns the type. Will be needed later.
This is mainly doable for UDS sockets, but will allow us to limit what name can register by the selinux label.
This extends how we configure allowed node names, and allows us to configure per-node-name requirements. A node name can now either be in the AllowedNodeNames list, or the in a section named "[node FOO]", with a key Allowed=true. The later is very useful from a .d dropin file. If a named node is allowed, we look for the "RequiredSelinuxContext" key in the above section, and if it is set, we require the connecting agent to have the given selinux context type. Note: We already disallow most processes (except bluechi_agent_t and haproxy_t) to connect to the controller, but with this we can limit what names they can claim. For example, we could enforce a special name for an agent running in qm.
I didn't change these likes, but clang-format complains about them, so fix them.
Current code breaks with these and they don't seem to be helpful.
These were the warnings:
src/libbluechi/common/protocol.h:107:9: error: inital values in enum 'JobState' are not consistent, consider explicit initialization of all, none or only the first enumerator [readability-enum-initial-value,-warnings-as-errors]
107 | typedef enum JobState {
| ^
108 | JOB_WAITING,
| = 0
109 | JOB_RUNNING,
| = 1
src/libbluechi/common/protocol.h:116:9: error: inital values in enum 'UnitActiveState' are not consistent, consider explicit initialization of all, none or only the first enumerator [readability-enum-initial-value,-warnings-as-errors]
116 | typedef enum UnitActiveState {
| ^
117 | UNIT_ACTIVE,
| = 0
118 | UNIT_RELOADING,
| = 1
119 | UNIT_INACTIVE,
| = 2
120 | UNIT_FAILED,
| = 3
121 | UNIT_ACTIVATING,
| = 4
122 | UNIT_DEACTIVATING,
| = 5
123 | UNIT_MAINTENANCE,
| = 6
124 | _UNIT_ACTIVE_STATE_MAX,
| = 7
src/libbluechi/bus/utils.c:329:26: error: '*' has higher precedence than '+'; add parentheses to explicitly specify the order of operations [readability-math-missing-parentheses,-warnings-as-errors]
329 | char *r = malloc(strlen(s) * 3 + 1);
| ^~~~~~~~~~~~~
| ( )
This lets us build strings easier.
Now that we use more than one section, make the debug output make sense by printing the section headers.
alexlarsson
force-pushed
the
uds-selinux
branch
from
c63a02c to
092a92a
Compare
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This extends how we configure allowed node names, and allows us to configure per-node-name requirements.
A node name can now either be in the allowed names list, or the controller config (or via a .d dropin) can have a section named "[node FOO]", with a key Allowed=true.
If a named node is allowed, we look for the "RequiredSelinuxContext" key in the above section, and if it is set, we require the connecting agent to have the given selinux context type.
Note: We already disallow most processes (except bluechi_agent_t and haproxy_t) to connect to the controller, but with this we can limit what names they can claim. For example, we could enforce a special name for an agent running in qm.