security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 30 Wiki Activity

system: remove write mode tmpfiles
All checks were successful
Test / Create distribution (push) Successful in 57s
Details
Test / Run NixOS test (push) Successful in 3m42s
Details

Browse Source 
This interface is ugly and bug-prone. This change removes its write mode which has been obsoleted by CopyBind.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-02-15 03:22:20 +09:00
parent 0340c67995
commit f955b15b84
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 1 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
internal/system/tmpfiles.go
View File

@ -42,26 +42,9 @@ func (sys *I) LinkFileType(et Enablement, oldname, newname string) *I {
return sys return sys
} }
// Write registers an Op that writes dst with the contents of src.
func (sys *I) Write(dst, src string) *I {
return sys.WriteType(Process, dst, src)
}
// WriteType registers a file writing Op labelled with type et.
func (sys *I) WriteType(et Enablement, dst, src string) *I {
sys.lock.Lock()
sys.ops = append(sys.ops, &Tmpfile{et, tmpfileWrite, dst, src})
sys.lock.Unlock()
sys.UpdatePermType(et, dst, acl.Read)
return sys
}
const ( const (
tmpfileCopy uint8 = iota tmpfileCopy uint8 = iota
tmpfileLink tmpfileLink
tmpfileWrite
) )
type Tmpfile struct { type Tmpfile struct {
@ -84,10 +67,6 @@ func (t *Tmpfile) apply(_ *I) error {
fmsg.VPrintln("linking tmpfile", t) fmsg.VPrintln("linking tmpfile", t)
return fmsg.WrapErrorSuffix(os.Link(t.src, t.dst), return fmsg.WrapErrorSuffix(os.Link(t.src, t.dst),
fmt.Sprintf("cannot link tmpfile %q:", t.dst)) fmt.Sprintf("cannot link tmpfile %q:", t.dst))
case tmpfileWrite:
fmsg.VPrintln("writing", t)
return fmsg.WrapErrorSuffix(os.WriteFile(t.dst, []byte(t.src), 0600),
fmt.Sprintf("cannot write tmpfile %q:", t.dst))
default: default:
panic("invalid tmpfile method " + strconv.Itoa(int(t.method))) panic("invalid tmpfile method " + strconv.Itoa(int(t.method)))
} }
@ -109,12 +88,7 @@ func (t *Tmpfile) Is(o Op) bool {
return ok && t0 != nil && *t == *t0 return ok && t0 != nil && *t == *t0
} }
func (t *Tmpfile) Path() string { func (t *Tmpfile) Path() string { return t.src }
if t.method == tmpfileWrite {
return fmt.Sprintf("(%d bytes of data)", len(t.src))
}
return t.src
}
func (t *Tmpfile) String() string { func (t *Tmpfile) String() string {
switch t.method { switch t.method {
@ -122,8 +96,6 @@ func (t *Tmpfile) String() string {
return fmt.Sprintf("%q from %q", t.dst, t.src) return fmt.Sprintf("%q from %q", t.dst, t.src)
case tmpfileLink: case tmpfileLink:
return fmt.Sprintf("%q from %q", t.dst, t.src) return fmt.Sprintf("%q from %q", t.dst, t.src)
case tmpfileWrite:
return fmt.Sprintf("%d bytes of data to %q", len(t.src), t.dst)
default: default:
panic("invalid tmpfile method " + strconv.Itoa(int(t.method))) panic("invalid tmpfile method " + strconv.Itoa(int(t.method)))
} }

46
internal/system/tmpfiles_test.go
View File

@ -1,7 +1,6 @@
package system package system
import ( import (
"strconv"
"testing" "testing"
"git.gensokyo.uk/security/fortify/acl" "git.gensokyo.uk/security/fortify/acl"
@ -83,47 +82,6 @@ func TestLinkFileType(t *testing.T) {
} }
} }
func TestWrite(t *testing.T) {
testCases := []struct {
dst, src string
}{
{"/etc/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n"},
{"/etc/group", "fortify:x:65534:\n"},
}
for _, tc := range testCases {
t.Run("write "+strconv.Itoa(len(tc.src))+" bytes to "+tc.dst, func(t *testing.T) {
sys := New(150)
sys.Write(tc.dst, tc.src)
(&tcOp{Process, "(" + strconv.Itoa(len(tc.src)) + " bytes of data)"}).test(t, sys.ops, []Op{
&Tmpfile{Process, tmpfileWrite, tc.dst, tc.src},
&ACL{Process, tc.dst, []acl.Perm{acl.Read}},
}, "Write")
})
}
}
func TestWriteType(t *testing.T) {
testCases := []struct {
et Enablement
dst, src string
}{
{Process, "/etc/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n"},
{Process, "/etc/group", "fortify:x:65534:\n"},
{User, "/etc/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n"},
{User, "/etc/group", "fortify:x:65534:\n"},
}
for _, tc := range testCases {
t.Run("write "+strconv.Itoa(len(tc.src))+" bytes to "+tc.dst+" with type "+TypeString(tc.et), func(t *testing.T) {
sys := New(150)
sys.WriteType(tc.et, tc.dst, tc.src)
(&tcOp{tc.et, "(" + strconv.Itoa(len(tc.src)) + " bytes of data)"}).test(t, sys.ops, []Op{
&Tmpfile{tc.et, tmpfileWrite, tc.dst, tc.src},
&ACL{tc.et, tc.dst, []acl.Perm{acl.Read}},
}, "WriteType")
})
}
}
func TestTmpfile_String(t *testing.T) { func TestTmpfile_String(t *testing.T) {
t.Run("invalid method panic", func(t *testing.T) { t.Run("invalid method panic", func(t *testing.T) {
defer func() { defer func() {
@ -147,10 +105,6 @@ func TestTmpfile_String(t *testing.T) {
`"/run/user/1971/fortify/4b6bdc9182fb2f1d3a965c5fa8b9b66e/wayland" from "/run/user/1971/wayland-0"`}, `"/run/user/1971/fortify/4b6bdc9182fb2f1d3a965c5fa8b9b66e/wayland" from "/run/user/1971/wayland-0"`},
{tmpfileLink, "/run/user/1971/fortify/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse", "/run/user/1971/pulse/native", {tmpfileLink, "/run/user/1971/fortify/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse", "/run/user/1971/pulse/native",
`"/run/user/1971/fortify/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse" from "/run/user/1971/pulse/native"`}, `"/run/user/1971/fortify/4b6bdc9182fb2f1d3a965c5fa8b9b66e/pulse" from "/run/user/1971/pulse/native"`},
{tmpfileWrite, "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n",
`75 bytes of data to "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/passwd"`},
{tmpfileWrite, "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/group", "fortify:x:65534:\n",
`17 bytes of data to "/tmp/fortify.1971/4b6bdc9182fb2f1d3a965c5fa8b9b66e/group"`},
} }
for _, tc := range testCases { for _, tc := range testCases {