mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Validate SELinux users in config-mod
config-mod is capable of changing default SELinux user map order and a default SELinux user. Validate the new config values to prevent bogus default SELinux users to be assigned to IPA users. https://fedorahosted.org/freeipa/ticket/2993
This commit is contained in:
Martin Kosek
parent
c49bc80494
commit
256024db0a
@ -21,6 +21,7 @@
|
|||||||
from ipalib import api
|
from ipalib import api
|
||||||
from ipalib import Bool, Int, Str, IA5Str, StrEnum, DNParam
|
from ipalib import Bool, Int, Str, IA5Str, StrEnum, DNParam
|
||||||
from ipalib.plugins.baseldap import *
|
from ipalib.plugins.baseldap import *
|
||||||
|
from ipalib.plugins.selinuxusermap import validate_selinuxuser
|
||||||
from ipalib import _
|
from ipalib import _
|
||||||
from ipalib.errors import ValidationError
|
from ipalib.errors import ValidationError
|
||||||
|
|
||||||
@ -258,30 +259,44 @@ class config_mod(LDAPUpdate):
|
|||||||
error=_('%(obj)s default attribute %(attr)s would not be allowed!') \
|
error=_('%(obj)s default attribute %(attr)s would not be allowed!') \
|
||||||
% dict(obj=obj, attr=obj_attr))
|
% dict(obj=obj, attr=obj_attr))
|
||||||
|
|
||||||
# Combine the current entry and options into a single object to
|
if ('ipaselinuxusermapdefault' in entry_attrs or
|
||||||
# evaluate. This covers changes via setattr and options.
|
'ipaselinuxusermaporder' in entry_attrs):
|
||||||
# Note: this is not done in a validator because we may be changing
|
|
||||||
# the default user and map list at the same time and we don't
|
|
||||||
# have both values in a validator.
|
|
||||||
validate = dict(options)
|
|
||||||
validate.update(entry_attrs)
|
|
||||||
if ('ipaselinuxusermapdefault' in validate or
|
|
||||||
'ipaselinuxusermaporder' in validate):
|
|
||||||
config = None
|
config = None
|
||||||
failedattr = 'ipaselinuxusermaporder'
|
failedattr = 'ipaselinuxusermaporder'
|
||||||
if 'ipaselinuxusermapdefault' in validate:
|
|
||||||
defaultuser = validate['ipaselinuxusermapdefault']
|
if 'ipaselinuxusermapdefault' in entry_attrs:
|
||||||
|
defaultuser = entry_attrs['ipaselinuxusermapdefault']
|
||||||
failedattr = 'ipaselinuxusermapdefault'
|
failedattr = 'ipaselinuxusermapdefault'
|
||||||
|
|
||||||
|
# validate the new default user first
|
||||||
|
if defaultuser is not None:
|
||||||
|
error_message = validate_selinuxuser(_, defaultuser)
|
||||||
|
|
||||||
|
if error_message:
|
||||||
|
raise errors.ValidationError(name='ipaselinuxusermapdefault',
|
||||||
|
error=error_message)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
config = ldap.get_ipa_config()[1]
|
config = ldap.get_ipa_config()[1]
|
||||||
if 'ipaselinuxusermapdefault' in config:
|
defaultuser = config.get('ipaselinuxusermapdefault', [None])[0]
|
||||||
defaultuser = config['ipaselinuxusermapdefault'][0]
|
|
||||||
else:
|
|
||||||
defaultuser = None
|
|
||||||
|
|
||||||
if 'ipaselinuxusermaporder' in validate:
|
if 'ipaselinuxusermaporder' in entry_attrs:
|
||||||
order = validate['ipaselinuxusermaporder']
|
order = entry_attrs['ipaselinuxusermaporder']
|
||||||
userlist = order.split('$')
|
userlist = order.split('$')
|
||||||
|
|
||||||
|
# validate the new user order first
|
||||||
|
for user in userlist:
|
||||||
|
if not user:
|
||||||
|
raise errors.ValidationError(name='ipaselinuxusermaporder',
|
||||||
|
error=_('A list of SELinux users delimited by $ expected'))
|
||||||
|
|
||||||
|
error_message = validate_selinuxuser(_, user)
|
||||||
|
if error_message:
|
||||||
|
error_message = _("SELinux user '%(user)s' is not "
|
||||||
|
"valid: %(error)s") % dict(user=user,
|
||||||
|
error=error_message)
|
||||||
|
raise errors.ValidationError(name='ipaselinuxusermaporder',
|
||||||
|
error=error_message)
|
||||||
else:
|
else:
|
||||||
if not config:
|
if not config:
|
||||||
config = ldap.get_ipa_config()[1]
|
config = ldap.get_ipa_config()[1]
|
||||||
|
|||||||
@ -61,31 +61,61 @@ class test_config(Declarative):
|
|||||||
),
|
),
|
||||||
|
|
||||||
dict(
|
dict(
|
||||||
desc='Try to set invalid ipaselinuxusermapdefault',
|
desc='Try to set ipaselinuxusermapdefault not in selinux order list',
|
||||||
command=('config_mod', [],
|
command=('config_mod', [],
|
||||||
dict(ipaselinuxusermapdefault=u'unknown_u:s0')),
|
dict(ipaselinuxusermapdefault=u'unknown_u:s0')),
|
||||||
expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
|
expected=errors.ValidationError(name='ipaselinuxusermapdefault',
|
||||||
|
error='SELinux user map default user not in order list'),
|
||||||
|
),
|
||||||
|
|
||||||
|
dict(
|
||||||
|
desc='Try to set invalid ipaselinuxusermapdefault',
|
||||||
|
command=('config_mod', [],
|
||||||
|
dict(ipaselinuxusermapdefault=u'foo')),
|
||||||
|
expected=errors.ValidationError(name='ipaselinuxusermapdefault',
|
||||||
|
error='Invalid MLS value, must match s[0-15](-s[0-15])'),
|
||||||
),
|
),
|
||||||
|
|
||||||
dict(
|
dict(
|
||||||
desc='Try to set invalid ipaselinuxusermapdefault with setattr',
|
desc='Try to set invalid ipaselinuxusermapdefault with setattr',
|
||||||
command=('config_mod', [],
|
command=('config_mod', [],
|
||||||
dict(setattr=u'ipaselinuxusermapdefault=unknown_u:s0')),
|
dict(setattr=u'ipaselinuxusermapdefault=unknown_u:s0')),
|
||||||
expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
|
expected=errors.ValidationError(name='ipaselinuxusermapdefault',
|
||||||
|
error='SELinux user map default user not in order list'),
|
||||||
|
),
|
||||||
|
|
||||||
|
dict(
|
||||||
|
desc='Try to set ipaselinuxusermaporder without ipaselinuxusermapdefault out of it',
|
||||||
|
command=('config_mod', [],
|
||||||
|
dict(ipaselinuxusermaporder=u'notfound_u:s0')),
|
||||||
|
expected=errors.ValidationError(name='ipaselinuxusermaporder',
|
||||||
|
error='SELinux user map default user not in order list'),
|
||||||
),
|
),
|
||||||
|
|
||||||
dict(
|
dict(
|
||||||
desc='Try to set invalid ipaselinuxusermaporder',
|
desc='Try to set invalid ipaselinuxusermaporder',
|
||||||
command=('config_mod', [],
|
command=('config_mod', [],
|
||||||
dict(ipaselinuxusermaporder=u'notfound_u:s0')),
|
dict(ipaselinuxusermaporder=u'$')),
|
||||||
expected=errors.ValidationError(name='ipaselinuxusermaporder', error='SELinux user map default user not in order list'),
|
expected=errors.ValidationError(name='ipaselinuxusermaporder',
|
||||||
|
error='A list of SELinux users delimited by $ expected'),
|
||||||
|
),
|
||||||
|
|
||||||
|
dict(
|
||||||
|
desc='Try to set invalid selinux user in ipaselinuxusermaporder',
|
||||||
|
command=('config_mod', [],
|
||||||
|
dict(ipaselinuxusermaporder=u'unconfined_u:s0-s0:c0.c1023$baduser$guest_u:s0')),
|
||||||
|
expected=errors.ValidationError(name='ipaselinuxusermaporder',
|
||||||
|
error='SELinux user \'baduser\' is not valid: Invalid MLS '
|
||||||
|
'value, must match s[0-15](-s[0-15])'),
|
||||||
),
|
),
|
||||||
|
|
||||||
dict(
|
dict(
|
||||||
desc='Try to set new selinux order and invalid default user',
|
desc='Try to set new selinux order and invalid default user',
|
||||||
command=('config_mod', [],
|
command=('config_mod', [],
|
||||||
dict(ipaselinuxusermaporder=u'$xguest_u:s0$guest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023', ipaselinuxusermapdefault=u'unknown_u:s0')),
|
dict(ipaselinuxusermaporder=u'xguest_u:s0$guest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023',
|
||||||
expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
|
ipaselinuxusermapdefault=u'unknown_u:s0')),
|
||||||
|
expected=errors.ValidationError(name='ipaselinuxusermapdefault',
|
||||||
|
error='SELinux user map default user not in order list'),
|
||||||
),
|
),
|
||||||
|
|
||||||
]
|
]
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user