Update el8 to 1.3.0 (#994)

Updates el8 for 1.3.0 - Use digest crate #984 - Reload rules while profiling #990 - Add lang for config #991 Adds a draft release check to guard artifact publishing. - Closes #976
ctc-oss · Jan 22, 2024 · 1a5067d · 1a5067d
1 parent 3ea480f
commit 1a5067d
Show file tree

Hide file tree

Showing 20 changed files with 297 additions and 121 deletions.
diff --git a/.github/workflows/rpm.yml b/.github/workflows/rpm.yml
@@ -27,6 +27,23 @@ jobs:
         if: startsWith(github.event.head_commit.message, 'Release v')
         run: echo ::set-output name=version-number::$(echo "${{ github.event.head_commit.message }}" | cut -d" " -f2)
 
+      - name: Find related release
+        id: find-release
+        if: startsWith(github.event.head_commit.message, 'Release v')
+        uses: joutvhu/get-release@v1
+        with:
+          tag_name: ${{ steps.parse-commit-msg.outputs.version-number }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify is draft
+        if: startsWith(github.event.head_commit.message, 'Release v')
+        run: |
+          if [[ "${{ steps.find-release.outputs.draft }}" != "true" ]]; then
+            echo "Release ${{ steps.parse-commit-msg.outputs.version-number }} is not a draft"
+            exit 1;
+          fi
+
       - name: Load config matrix
         id: set-matrix
         run: |
@@ -74,15 +91,15 @@ jobs:
           spec_version=$(grep "Version:" fapolicy-analyzer.spec | tr -s ' ' | cut -d' ' -f2)
           commit_number=$(git rev-list HEAD~1 --count)
           patched_version="$spec_version~dev${commit_number}"
-          mv fapolicy-analyzer-${spec_version}.tar.gz fapolicy-analyzer-${patched_version}.tar.gz
+          mv fapolicy-analyzer-${spec_version}.tar.gz fapolicy-analyzer-${patched_version}.el8.tar.gz
 
       - name: Rename source0 with pull request version
         if: github.event_name == 'pull_request'
         run: |
           spec_version=$(grep "Version:" fapolicy-analyzer.spec | tr -s ' ' | cut -d' ' -f2)
           pr_number=${{ github.event.pull_request.number }}
           patched_version="0.0.${pr_number}"
-          mv fapolicy-analyzer-${spec_version}.tar.gz fapolicy-analyzer-${patched_version}.tar.gz
+          mv fapolicy-analyzer-${spec_version}.tar.gz fapolicy-analyzer-${patched_version}.el8.tar.gz
 
       - name: Upload
         uses: actions/upload-artifact@v3
@@ -225,7 +242,7 @@ jobs:
         run: |
           spec_version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2)
           cd /tmp/rpmbuild/SOURCES/
-          mv vendor-rs.tar.gz vendor-rs-${spec_version}.tar.gz
+          mv vendor-rs.tar.gz vendor-rs-${spec_version}.el8.tar.gz
 
       - name: Generate doc tag
         if: startsWith(github.event.head_commit.message, 'Release v')
@@ -249,7 +266,7 @@ jobs:
       - name: Export el tarballs
         run: |
           version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2)
-          mv /tmp/rpmbuild/SOURCES/vendor-rs-${version}.tar.gz /tmp/archives/
+          mv /tmp/rpmbuild/SOURCES/vendor-rs-${version}.el8.tar.gz /tmp/archives/
 
       - name: Upload Tarballs
         uses: actions/upload-artifact@v3
@@ -430,14 +447,6 @@ jobs:
         with:
           path: /tmp/archives/
 
-      - name: Tag artifacts as el8
-        run: |
-          tag="${{ needs.config.outputs.version-number }}"
-          v="${tag#v}"
-          mv source0/fapolicy-analyzer-${v}.tar.gz fapolicy-analyzer-${v}.el8.tar.gz
-          mv tarball-artifacts/vendor-rs-${v}.tar.gz vendor-rs-${v}.el8.tar.gz
-        working-directory: /tmp/archives
-
       - name: Release artifacts
         uses: softprops/action-gh-release@v1
         with:

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/pyo3/Cargo.toml b/crates/pyo3/Cargo.toml
@@ -22,6 +22,7 @@ fapolicy-app = { version = "*", path = "../app" }
 fapolicy-daemon = { version = "*", path = "../daemon" }
 fapolicy-rules = { version = "*", path = "../rules" }
 fapolicy-trust = { version = "*", path = "../trust" }
+fapolicy-util = { version = "*", path = "../util" }
 
 [features]
 default = []

diff --git a/crates/pyo3/src/profiler.rs b/crates/pyo3/src/profiler.rs
@@ -8,10 +8,12 @@
 
 use chrono::Utc;
 use fapolicy_analyzer::users::read_users;
+use fapolicy_app::sys::Error::WriteRulesFail;
 use fapolicy_daemon::fapolicyd::wait_until_ready;
+use fapolicy_daemon::pipe;
 use pyo3::exceptions::PyRuntimeError;
 use pyo3::prelude::*;
-use pyo3::{PyResult, Python};
+use pyo3::{exceptions, PyResult, Python};
 use std::collections::HashMap;
 use std::fs::File;
 use std::io::Write;
@@ -23,6 +25,7 @@ use std::sync::Arc;
 use std::time::{Duration, SystemTime};
 use std::{io, thread};
 
+use crate::system::PySystem;
 use fapolicy_daemon::profiler::Profiler;
 use fapolicy_rules::read::load_rules_db;
 
@@ -472,9 +475,30 @@ impl PyProfiler {
     }
 }
 
+/// Update the compiled.rules in place and send a signal to the fapolicyd pipe to reload
+/// Cleanup of the change here is handled in the normal shutdown flow by the profiler
+#[pyfunction]
+fn reload_profiler_rules(system: &PySystem) -> PyResult<()> {
+    println!("writing rules update");
+
+    let compiled_rules_path = PathBuf::from(&system.rs.config.system.rules_file_path)
+        .parent()
+        .expect("invalid toml: rules_file_path")
+        .join("compiled.rules");
+
+    fapolicy_rules::write::compiled_rules(&system.rs.rules_db, &compiled_rules_path)
+        .map_err(WriteRulesFail)
+        .map_err(|e| exceptions::PyRuntimeError::new_err(format!("{:?}", e)))?;
+
+    pipe::reload_rules()
+        .map_err(|e| exceptions::PyRuntimeError::new_err(format!("Reload failed: {:?}", e)))
+}
+
 pub fn init_module(_py: Python, m: &PyModule) -> PyResult<()> {
     m.add_class::<PyProfiler>()?;
     m.add_class::<ProcHandle>()?;
     m.add_class::<ExecHandle>()?;
+    m.add_function(wrap_pyfunction!(reload_profiler_rules, m)?)?;
+
     Ok(())
 }
diff --git a/crates/pyo3/src/rules.rs b/crates/pyo3/src/rules.rs
@@ -218,7 +218,7 @@ pub(crate) fn to_text(db: &DB) -> String {
         .1
 }
 
-fn text_for_entry(e: &Entry) -> String {
+pub(crate) fn text_for_entry(e: &Entry) -> String {
     match e {
         Invalid { text, .. } => text.clone(),
         InvalidSet { text, .. } => text.clone(),

diff --git a/crates/pyo3/src/system.rs b/crates/pyo3/src/system.rs
@@ -15,7 +15,10 @@ use fapolicy_analyzer::events::db::DB as EventDB;
 use fapolicy_app::app::State;
 use fapolicy_app::cfg;
 use fapolicy_app::sys::deploy_app_state;
+use fapolicy_rules::db::Entry::Comment;
 use fapolicy_trust::stat::Status::*;
+use fapolicy_util::sha::sha256_digest;
+// use fapolicy_util::sha::sha256_digest;
 
 use crate::acl::{PyGroup, PyUser};
 use crate::analysis::PyEventLog;
@@ -254,10 +257,28 @@ fn checked_system(py: Python) -> PyResult<PySystem> {
     })
 }
 
+/// Generate a sha256 hash of the db text
+/// The text hashed here is the same as what would be written to
+/// compiled.rules by either fapolicyd or the analyzer
+#[pyfunction]
+pub fn rule_identity(system: &PySystem) -> PyResult<String> {
+    let txt = system
+        .rs
+        .rules_db
+        .iter()
+        .fold(String::new(), |acc, (_, (_, x))| match x {
+            Comment(_) => acc,
+            e => format!("{}\n{}\n", acc, crate::rules::text_for_entry(e)),
+        });
+    sha256_digest(txt.as_bytes())
+        .map_err(|e| exceptions::PyRuntimeError::new_err(format!("{:?}", e)))
+}
+
 pub fn init_module(_py: Python, m: &PyModule) -> PyResult<()> {
     m.add_class::<PySystem>()?;
     m.add_function(wrap_pyfunction!(config_difference, m)?)?;
     m.add_function(wrap_pyfunction!(rules_difference, m)?)?;
     m.add_function(wrap_pyfunction!(checked_system, m)?)?;
+    m.add_function(wrap_pyfunction!(rule_identity, m)?)?;
     Ok(())
 }
diff --git a/crates/trust/src/ops.rs b/crates/trust/src/ops.rs
@@ -6,12 +6,11 @@
  * file, You can obtain one at https://mozilla.org/MPL/2.0/.
  */
 
+use fapolicy_util::sha::sha256_digest;
 use std::collections::HashMap;
 use std::fs::File;
 use std::io::BufReader;
 
-use fapolicy_util::sha::sha256_digest;
-
 use crate::db::{Rec, DB};
 use crate::error::Error;
 use crate::ops::TrustOp::{Add, Del, Ins};
@@ -101,7 +100,7 @@ pub fn get_path_action_map(cs: &Changeset) -> HashMap<String, String> {
     cs.changes.iter().map(to_pair).collect()
 }
 
-fn new_trust_record(path: &str) -> Result<Trust, fapolicy_util::sha::Error> {
+fn new_trust_record(path: &str) -> Result<Trust, Error> {
     let f = File::open(path)?;
     let sha = sha256_digest(BufReader::new(&f))?;
 

diff --git a/crates/util/Cargo.toml b/crates/util/Cargo.toml
@@ -6,7 +6,7 @@ version = "0.4.1"
 edition = "2018"
 
 [dependencies]
-data-encoding = "2.3.1"
-ring = "0.17"
 thiserror = "1.0"
 nom = "7.1"
+digest = "0.10"
+sha2 = "0.10"