security : check tmpfs is secure
Signed-off-by: Shahriyar Jalayeri <[email protected]>
shjala committed Nov 8, 2023
1 parent 9d38d88 commit f9f043a
Showing 2 changed files with 69 additions and 2 deletions.
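--- a/tests/sec/rutils.go
+++ b/tests/sec/rutils.go
@@ -18,6 +18,14 @@ type mount struct {
 Options string `json:"options"`
 }
 
+type perm struct {
+uid int
+gid int
+user string
+group string
+perms string
+}
+
 type remoteNode struct {
 openEVEC *openevec.OpenEVEC
 }
@@ -66,7 +74,7 @@ func (node *remoteNode) runCommand(command string) ([]byte, error) {
 return out, nil
 }
 
-func (node *remoteNode) fileExists(fileName string) (bool, error) {
+func (node *remoteNode) pathExists(fileName string) (bool, error) {
 command := fmt.Sprintf("if stat \"%s\"; then echo \"1\"; else echo \"0\"; fi", fileName)
 out, err := node.runCommand(command)
 if err != nil {
@@ -81,7 +89,7 @@ func (node *remoteNode) fileExists(fileName string) (bool, error) {
 }
 
 func (node *remoteNode) readFile(fileName string) ([]byte, error) {
-exist, err := node.fileExists(fileName)
+exist, err := node.pathExists(fileName)
 if err != nil {
 return nil, err
 }
@@ -94,6 +102,30 @@ func (node *remoteNode) readFile(fileName string) ([]byte, error) {
 return node.runCommand(command)
 }
 
+func (node *remoteNode) getPathPerm(path string, perm *perm) error {
+exist, err := node.pathExists(path)
+if err != nil {
+return err
+}
+
+if !exist {
+return fmt.Errorf("file/dir %s does not exist", path)
+}
+
+command := fmt.Sprintf("stat -c \"%%u %%g %%U %%G %%A\" %s", path)
+out, err := node.runCommand(command)
+if err != nil {
+return err
+}
+
+_, err = fmt.Sscanf(string(out), "%d %d %s %s %s", &perm.uid, &perm.gid, &perm.user, &perm.group, &perm.perms)
+if err != nil {
+return err
+}
+
+return nil
+}
+
 func (node *remoteNode) getMountPoints(mtype string) ([]mount, error) {
 mountCommand := "mount -l"
 if mtype != "" {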
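Review bot: `getPathPerm` interpolates `path` into the `stat` command unquoted (`stat -c \"%%u %%g %%U %%G %%A\" %s`), whereas `pathExists` a few lines above wraps its argument in double quotes; a mount path containing whitespace or shell metacharacters would be split or interpreted by the remote shell instead of reaching stat intact, and the Sscanf afterwards would then fail or parse the wrong file. Quoting it the same way, `command := fmt.Sprintf("stat -c \"%%u %%g %%U %%G %%A\" \"%s\"", path)`, keeps the two helpers consistent. The new `perm` struct also carries no documentation; a comment such as `// perms is the symbolic mode string as printed by stat %A (constructed example: drwxrwxrwt)` would tell callers what `perms` can be matched against.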
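--- a/tests/sec/sec_test.go
+++ b/tests/sec/sec_test.go
@@ -152,6 +152,41 @@ func TestCheckMountOptions(t *testing.T) {
 }
 }
 
+func TestCheckTmpIsSecure(t *testing.T) {
+log.Println("TestCheckTempIsSecure started")
+defer log.Println("TestCheckTempIsSecure finished")
+
+edgeNode := tc.GetEdgeNode(tc.WithTest(t))
+tc.WaitForState(edgeNode, 60)
+
+mounts, err := rnode.getMountPoints("tmpfs")
+if err != nil {
+t.Fatal(err)
+}
+
+fail := false
+for _, mount := range mounts {
+p := perm{}
+if err := rnode.getPathPerm(mount.Path, &p); err != nil {
+t.Fatal(err)
+}
+
+if p.user != "root" || p.group != "root" {
+t.Logf("[FAIL] %s is not owned by root:root", mount.Path)
+fail = true
+}
+
+if !strings.Contains(p.perms, "t") {
+t.Logf("[FAIL] %s is not sticky", mount.Path)
+fail = true
+}
+}
+
+if fail {
+t.Fatal("Some tmpfs mounts are not secure, see logs above")
+}
+}
+
 func checkMountSecurityOptions(mount mount, secureOptions []string) []string {
 secOptNotFound := make([]string, 0)
 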
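Review bot: The sticky-bit check `!strings.Contains(p.perms, "t")` only recognizes the lowercase form; `stat %A` prints `T` when the sticky bit is set but others lack execute, so such a mount would be reported as not sticky, while a tmpfs that is not world-writable at all (mode 0755, say) is flagged even though the sticky bit has no effect there. Consider `if !strings.ContainsAny(p.perms, "tT")` and applying the sticky requirement only to mounts whose others-write bit is set, since that is the case the bit protects against. The log lines also say `TestCheckTempIsSecure` while the function is named `TestCheckTmpIsSecure`, and the loop variable `mount` shadows the `mount` type that `checkMountSecurityOptions` below takes as a parameter.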
