udica-0.2.8-2.el9

udica-0.2.8-1.el9
New release https://github.com/containers/udica/releases/tag/v0.2.8 - Improve code readability based on lint and black findings - Fix generating policy for Crio mounts - Add --devices option v0.2.7 release changes: - Improve label collection for mounts and devices (RHEL-16245) - Add support for containerd via "nerdctl inspect" - Avoid duplicate rules for accessing mounts and devices Resolves: RHEL-16245
2024-03-06 04:54:40 +00:00 · 2023-11-30 19:58:16 +01:00
8 changed files with 5280 additions and 137 deletions
--- a/.udica.metadata
+++ b/.udica.metadata
@ -0,0 +1 @@
+033cad13d38db7fcb03b004ac3e60cba8c3166d0 v0.2.8.tar.gz
--- a/0001-Add-option-to-generate-custom-policy-for-a-confined-.patch
+++ b/0001-Add-option-to-generate-custom-policy-for-a-confined-.patch
--- a/0001-Make-sure-each-section-of-the-inspect-exists-before-.patch
+++ b/0001-Make-sure-each-section-of-the-inspect-exists-before-.patch
@ -1,133 +0,0 @@
-From dd05dbe742384dd22f4a63889c56cb75e4e2f571 Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Tue, 9 Nov 2021 18:04:39 +0100
-Subject: [PATCH] Make sure each section of the inspect exists before accessing
-
-Fixes: https://github.com/containers/udica/issues/105,
-       https://github.com/containers/udica/issues/103
-
-Inspired by:
-https://github.com/WellIDKRealy/udica/commit/0c56d98b8c58a8a4ceb89b04d700c834c13778fd
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
- udica/parse.py | 62 ++++++++++++++++++++++++++++++++++++++------------
- 1 file changed, 48 insertions(+), 14 deletions(-)
-
-diff --git a/udica/parse.py b/udica/parse.py
-index 0797095..59b3dc5 100644
--- a/udica/parse.py
-+++ b/udica/parse.py
-@@ -29,6 +29,24 @@ ENGINE_DOCKER = "docker"
- ENGINE_ALL = [ENGINE_PODMAN, ENGINE_CRIO, ENGINE_DOCKER]
- 
- 
-+# Decorator for verifying that getting value from "data" won't
-+# result in Key error or Type error
-+# e.g. in data[0]["HostConfig"]["Devices"]
-+# missing "HostConfig" key in data[0] produces KeyError and
-+# data[0]["HostConfig"] == none produces TypeError
-+def getter_decorator(function):
-+    # Verify that each element in path exists and return the corresponding value,
-+    # otherwise return [] -- can be safely processed by iterators
-+    def wrapper(self, data, *args):
-+        try:
-+            value = function(self, data, *args)
-+            return value if value else []
-+        except (KeyError, TypeError):
-+            return []
-+
-+    return wrapper
-+
-+
- def json_is_podman_or_docker_format(json_rep):
-     """Check if the inspected file is in a format from docker or podman.
- 
-@@ -91,19 +109,22 @@ class EngineHelper(abc.ABC):
- 
-     def get_caps(self, data, opts):
-         if opts["Caps"]:
-            if opts["Caps"] == "None":
-+            if opts["Caps"] in ["None", "none"]:
-                 return []
-             return opts["Caps"].split(",")
-         return []
- 
- 
- class PodmanDockerHelper(EngineHelper):
-+    @getter_decorator
-     def get_devices(self, data):
-         return data[0]["HostConfig"]["Devices"]
- 
-+    @getter_decorator
-     def get_mounts(self, data):
-         return data[0]["Mounts"]
- 
-+    @getter_decorator
-     def get_ports(self, data):
-         ports = []
-         for key, value in data[0]["NetworkSettings"]["Ports"].items():
-@@ -120,8 +141,13 @@ class PodmanHelper(PodmanDockerHelper):
-     def __init__(self):
-         super().__init__(ENGINE_PODMAN)
- 
-+    @getter_decorator
-     def get_caps(self, data, opts):
-        if not opts["Caps"]:
-+        if opts["Caps"]:
-+            return (
-+                opts["Caps"].split(",") if opts["Caps"] not in ["None", "none"] else []
-+            )
-+        else:
-             return data[0]["EffectiveCaps"]
-         return []
- 
-@@ -138,18 +164,25 @@ class DockerHelper(PodmanDockerHelper):
-     def adjust_json_from_docker(self, json_rep):
-         """If the json comes from a docker call, we need to adjust it to make use
-         of it."""
-
-        if not isinstance(json_rep[0]["NetworkSettings"]["Ports"], dict):
-            raise Exception(
-                "Error parsing docker engine inspection JSON structure, try to specify container engine using '--container-engine' parameter"
-            )
-
-        for item in json_rep[0]["Mounts"]:
-            item["source"] = item["Source"]
-            if item["Mode"] == "rw":
-                item["options"] = "rw"
-            if item["Mode"] == "ro":
-                item["options"] = "ro"
-+        try:
-+            if not isinstance(json_rep[0]["NetworkSettings"]["Ports"], dict):
-+                raise Exception(
-+                    "Error parsing docker engine inspection JSON structure, try to specify container engine using '--container-engine' parameter"
-+                )
-+        except (KeyError, TypeError):
-+            # "Ports" not specified in given json file
-+            pass
-+
-+        try:
-+            for item in json_rep[0]["Mounts"]:
-+                item["source"] = item["Source"]
-+                if item["Mode"] == "rw":
-+                    item["options"] = "rw"
-+                if item["Mode"] == "ro":
-+                    item["options"] = "ro"
-+        except (KeyError, TypeError):
-+            # "Mounts" not specified in given json file
-+            pass
- 
- 
- class CrioHelper(EngineHelper):
-@@ -161,6 +194,7 @@ class CrioHelper(EngineHelper):
-         # bind mounting device on the container
-         return []
- 
-+    @getter_decorator
-     def get_mounts(self, data):
-         return data["status"]["mounts"]
- 
-- 
-2.30.2
-
--- a/0002-Add-tests-covering-confined-user-policy-generation.patch
+++ b/0002-Add-tests-covering-confined-user-policy-generation.patch
@ -0,0 +1,170 @@
+From d444e67ead27266d57184ab8bc032c5528f7e26c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 20 Dec 2023 14:33:27 +0100
+Subject: [PATCH] Add tests covering confined user policy generation
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ tests/test_confined_abcdgilmns.cil | 24 ++++++++++++++++++++
+ tests/test_confined_cla.cil        | 15 +++++++++++++
+ tests/test_confined_lb.cil         | 12 ++++++++++
+ tests/test_confined_lsid.cil       | 17 +++++++++++++++
+ tests/test_main.py                 | 35 +++++++++++++++++++++++++-----
+ 5 files changed, 98 insertions(+), 5 deletions(-)
+ create mode 100644 tests/test_confined_abcdgilmns.cil
+ create mode 100644 tests/test_confined_cla.cil
+ create mode 100644 tests/test_confined_lb.cil
+ create mode 100644 tests/test_confined_lsid.cil
+
+diff --git a/tests/test_confined_abcdgilmns.cil b/tests/test_confined_abcdgilmns.cil
+new file mode 100644
+index 0000000..5fd619f
+--- /dev/null
+++ b/tests/test_confined_abcdgilmns.cil
+@@ -0,0 +1,24 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_ssh_agent_t)
+(type my_container_sudo_t)
+(type my_container_sudo_tmp_t)
+(type my_container_t)
+(type my_container_userhelper_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_admin_commands_macro (my_container_t my_container_r my_container_sudo_t))
+(call confinedom_graphical_login_macro (my_container_t my_container_r my_container_dbus_t))
+(call confinedom_mozilla_usage_macro (my_container_t my_container_r))
+(call confinedom_networking_macro (my_container_t my_container_r))
+(call confinedom_security_advanced_macro (my_container_t my_container_r my_container_sudo_t my_container_userhelper_t))
+(call confinedom_security_basic_macro (my_container_t my_container_r))
+(call confinedom_sudo_macro (my_container_t my_container_r my_container_sudo_t my_container_sudo_tmp_t))
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+(call confined_ssh_connect_macro (my_container_t my_container_r my_container_ssh_agent_t))
+(call confined_use_basic_commands_macro (my_container_t my_container_r))
+\ No newline at end of file
+diff --git a/tests/test_confined_cla.cil b/tests/test_confined_cla.cil
+new file mode 100644
+index 0000000..a633aaa
+--- /dev/null
+++ b/tests/test_confined_cla.cil
+@@ -0,0 +1,15 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_ssh_agent_t)
+(type my_container_sudo_t)
+(type my_container_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_admin_commands_macro (my_container_t my_container_r my_container_sudo_t))
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+(call confined_ssh_connect_macro (my_container_t my_container_r my_container_ssh_agent_t))
+\ No newline at end of file
+diff --git a/tests/test_confined_lb.cil b/tests/test_confined_lb.cil
+new file mode 100644
+index 0000000..3e3c997
+--- /dev/null
+++ b/tests/test_confined_lb.cil
+@@ -0,0 +1,12 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+(call confined_use_basic_commands_macro (my_container_t my_container_r))
+\ No newline at end of file
+diff --git a/tests/test_confined_lsid.cil b/tests/test_confined_lsid.cil
+new file mode 100644
+index 0000000..8719420
+--- /dev/null
+++ b/tests/test_confined_lsid.cil
+@@ -0,0 +1,17 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_sudo_t)
+(type my_container_sudo_tmp_t)
+(type my_container_t)
+(type my_container_userhelper_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_security_advanced_macro (my_container_t my_container_r my_container_sudo_t my_container_userhelper_t))
+(call confinedom_security_basic_macro (my_container_t my_container_r))
+(call confinedom_sudo_macro (my_container_t my_container_r my_container_sudo_t my_container_sudo_tmp_t))
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+\ No newline at end of file
+diff --git a/tests/test_main.py b/tests/test_main.py
+index fb6a9ab..0c73861 100644
+--- a/tests/test_main.py
+++ b/tests/test_main.py
+@@ -369,7 +369,26 @@ class TestBase(unittest.TestCase):
+         self.assert_templates(output, ["base_container"])
+         self.assert_policy(test_file("test_devices.podman.cil"))
+ 
+-    def run_udica(self, args):
+    # Confined user tests
+    def test_confined_user(self):
+        """udica confined_user <args> --level s0 --range s0:c0 my_container"""
+        for arg in ["cla", "lb", "lsid", "abcdgilmns"]:
+            output = self.run_udica(
+                [
+                    "udica",
+                    "confined_user",
+                    "-{}".format(arg),
+                    "--level",
+                    "s0",
+                    "--range",
+                    "s0:c0",
+                    "my_container",
+                ],
+                True,
+            )
+            self.assert_policy(test_file("test_confined_{}.cil".format(arg)))
+
+    def run_udica(self, args, confined=False):
+         with patch("sys.argv", args):
+             with patch("sys.stderr.write") as mock_err, patch(
+                 "sys.stdout.write"
+@@ -383,10 +402,16 @@ class TestBase(unittest.TestCase):
+                 udica.__main__.main()
+                 mock_err.assert_not_called()
+ 
+-        self.assertRegex(mock_out.output, "Policy my_container created")
+-        self.assertRegex(
+-            mock_out.output, "--security-opt label=type:my_container.process"
+-        )
+        if confined:
+            self.assertRegex(mock_out.output, "semodule -i my_container.cil")
+            self.assertRegex(
+                mock_out.output, "semanage login -a -s my_container_u my_container"
+            )
+        else:
+            self.assertRegex(mock_out.output, "Policy my_container created")
+            self.assertRegex(
+                mock_out.output, "--security-opt label=type:my_container.process"
+            )
+ 
+         return mock_out.output
+ 
+-- 
+2.43.0
+
--- a/0003-confined-make-l-non-optional.patch
+++ b/0003-confined-make-l-non-optional.patch
@ -0,0 +1,57 @@
+From f411c146986fabe7375724528b2d4ba8cf78b904 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 12 Feb 2024 19:38:14 +0100
+Subject: [PATCH] confined: make "-l" non optional
+
+The confinedom_user_login_macro is needed for all custom users.
+
+Also, allow the new user type to be accessed via remote login.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ udica/__main__.py                     | 2 +-
+ udica/macros/confined_user_macros.cil | 8 +++++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/udica/__main__.py b/udica/__main__.py
+index 1ba8515..801499c 100644
+--- a/udica/__main__.py
+++ b/udica/__main__.py
+@@ -92,7 +92,7 @@ def get_args():
+             "-l",
+             "--user_login",
+             action="store_true",
+-            default=False,
+            default=True,
+             dest="user_login",
+             help="Basic rules common to all users (tty, pty, ...)",
+         )
+diff --git a/udica/macros/confined_user_macros.cil b/udica/macros/confined_user_macros.cil
+index ddb5689..06c4c56 100644
+--- a/udica/macros/confined_user_macros.cil
+++ b/udica/macros/confined_user_macros.cil
+@@ -2411,7 +2411,7 @@
+         (typetransition utype sudo_exec_t process sudo_type)
+         (allow sudo_type utype (fd (use)))
+         (allow sudo_type utype (fifo_file (ioctl read write getattr lock append)))
+-        (allow sudo_type utype (process (sigchld)))
+        (allow sudo_type utype (process (getpgid sigchld)))
+         (allow sudo_type bin_t (dir (getattr open search)))
+         (allow sudo_type bin_t (dir (ioctl read getattr lock open search)))
+         (allow sudo_type bin_t (dir (getattr open search)))
+@@ -4006,6 +4006,12 @@
+             )
+         )
+     )
+    ; Telnet login
+    (optional  confinedom_user_login_optional_3
+      (typeattributeset cil_gen_require remote_login_t)
+      (allow remote_login_t utype (process (signal transition)))
+      (allow utype self (bpf (prog_load)))
+    )
+ )
+ 
+ (macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type))
+-- 
+2.43.0
+
--- a/0004-confined-allow-asynchronous-I-O-operations.patch
+++ b/0004-confined-allow-asynchronous-I-O-operations.patch
@ -0,0 +1,31 @@
+From 131d228c6a91eaaeccc1d000821beeccba69d134 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 4 Mar 2024 12:59:53 +0100
+Subject: [PATCH] confined: allow asynchronous I/O operations
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ udica/macros/confined_user_macros.cil | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/udica/macros/confined_user_macros.cil b/udica/macros/confined_user_macros.cil
+index 06c4c56..dcb5198 100644
+--- a/udica/macros/confined_user_macros.cil
+++ b/udica/macros/confined_user_macros.cil
+@@ -4012,6 +4012,13 @@
+       (allow remote_login_t utype (process (signal transition)))
+       (allow utype self (bpf (prog_load)))
+     )
+    ; asynchronous I/O operations RHEL 10
+    (optional  confinedom_user_login_optional_4
+      (typeattributeset cil_gen_require io_uring_t)
+      (allow utype self (io_uring (sqpoll)))
+      (allow utype io_uring_t (anon_inode (create)))
+      (allow utype io_uring_t (anon_inode (read write getattr map)))
+    )
+ )
+ 
+ (macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type))
+-- 
+2.43.0
+
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (v0.2.6.tar.gz) = 29295c9d95ecb15aed7e226d92a0b838046cf607e98956c66a83ad0f4ddf58b255586c24d407216ae9ddf5b11f502ae2b3a6822208d8dc8141124e68dac19265
+SHA512 (v0.2.8.tar.gz) = 513d932cad65d75b5aa753f2b0e4a99c0f5fa930740c65c20343521bc74deca13b140a69b78ab001dcd144a14254d1dda8ca8989531070e545fddbb08c1e64f0
--- a/udica.spec
+++ b/udica.spec
@ -1,9 +1,13 @@
 Summary: A tool for generating SELinux security policies for containers
 Name: udica
-Version: 0.2.6
-Release: 30%{?dist}
+Version: 0.2.8
+Release: 2%{?dist}
 Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
-Patch0: 0001-Make-sure-each-section-of-the-inspect-exists-before-.patch
+#git format-patch -N v0.2.8 -- . ':!.cirrus.yml' ':!.github'
+Patch0001: 0001-Add-option-to-generate-custom-policy-for-a-confined-.patch
+Patch0002: 0002-Add-tests-covering-confined-user-policy-generation.patch
+Patch0003: 0003-confined-make-l-non-optional.patch
+Patch0004: 0004-confined-allow-asynchronous-I-O-operations.patch
 License: GPLv3+
 BuildArch: noarch
 Url: https://github.com/containers/udica
@ -38,6 +42,7 @@ inspection of container JSON file.
 %{__python2} setup.py install --single-version-externally-managed --root=%{buildroot}
 %endif

+install --directory %{buildroot}%{_datadir}/udica/macros
 install --directory %{buildroot}%{_mandir}/man8
 install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8

@ -46,7 +51,9 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 %{_bindir}/udica
 %dir %{_datadir}/udica
 %dir %{_datadir}/udica/ansible
+%dir %{_datadir}/udica/macros
 %{_datadir}/udica/ansible/*
+%{_datadir}/udica/macros/*

 %if 0%{?fedora} || 0%{?rhel} > 7
 %license LICENSE
@ -59,6 +66,21 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 %endif

 %changelog
+* Tue Mar 05 2024 Vit Mojzis <vmojzis@redhat.com> - 0.2.8-2
+- Add option to generate custom policy for a confined user (RHEL-28166)
+- Add tests covering confined user policy generation
+- confined: make "-l" non optional
+- confined: allow asynchronous I/O operations
+
+* Thu Nov 30 2023 Vit Mojzis <vmojzis@redhat.com> - 0.2.8-1
+- Improve code readability based on lint and black findings
+- Fix generating policy for Crio mounts
+- Add --devices option
+- v0.2.7 release changes:
+- Improve label collection for mounts and devices (RHEL-16245)
+- Add support for containerd via "nerdctl inspect"
+- Avoid duplicate rules for accessing mounts and devices
+
 * Fri Jan 27 2023 Vit Mojzis <vmojzis@redhat.com> - 0.2.6-30
 - Bump release to preserve upgrade path (#2160401)
				`@ -0,0 +1 @@`
				`033cad13d38db7fcb03b004ac3e60cba8c3166d0 v0.2.8.tar.gz`