Fix profiler path validation #656

Merged
merged 16 commits into from Dec 2, 2022

tparchambault
Contributor

@tparchambault tparchambault commented Oct 14, 2022

Support for validating relative executable paths by using the existing PATH from the user's environment. This also supports evaluating a custom PATH provided through the profiler GUI.

This fixes the issue from #655 where users are forced to use absolute paths to avoid a validation error reporting that the file cannot be found.

Closes #655

@tparchambault
Contributor Author

tparchambault commented Nov 17, 2022

Target executables specified with relative paths are now supported, whether the PATH environment variable is acquired from the pkexec runtime environment (on RHEL8.6: /usr/sbin:/usr/bin:/sbin:/bin:/root/bin) or provided by the user in the environment variable entry in the Profiler Page UI.

If the PATH env var is provided by the user on the Profiler Page, the syntax below is supported and expanded in the following order:

  • $PATH or ${PATH} are expanded to the pkexec runtime environment's PATH value.
  • Single periods, lone leading colons, lone trailing colons, and internal double colons in the PATH variable are expanded to the user-specified Profiler Page Working Directory entry. If not specified, it uses the directory where fapolicy-analyzer was invoked.
  • Double periods are expanded to the parent of the user-specified Profiler Page Working Directory entry, otherwise the parent of the directory where invoked.

This new expanded PATH variable is used to determine the absolute path of a relatively specified target executable and is also passed into the target executable's runtime environment, in the event it or any spawned processes or shells use the PATH variable.

@tparchambault tparchambault marked this pull request as ready for review November 17, 2022 21:40
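
The PATH expansion order described in the Nov 17 comment above, sketched in Python as an added example that is not part of the pull request or the fapolicy-analyzer code base. The function names and the constructed Now.sh working directory are assumptions; only bare command names and absolute paths are handled.

```python
import os
import tempfile

# pkexec PATH quoted in the comment (RHEL 8.6)
RUNTIME_PATH = "/usr/sbin:/usr/bin:/sbin:/bin:/root/bin"


def expand_path(user_path, runtime_path, workdir):
    """Expand a user-supplied PATH value in the order the comment lists."""
    # 1. $PATH / ${PATH} -> PATH of the runtime (pkexec) environment
    expanded = user_path.replace("${PATH}", runtime_path).replace("$PATH", runtime_path)
    entries = []
    for entry in expanded.split(":"):
        if entry in ("", "."):
            # 2. "." and empty entries (leading/trailing colon, "::") -> working dir
            entries.append(workdir)
        elif entry == "..":
            # 3. ".." -> parent of the working dir
            entries.append(os.path.dirname(workdir.rstrip("/")) or "/")
        else:
            entries.append(entry)
    return ":".join(entries)


def resolve_executable(target, path_value):
    """Return the absolute path of target found via path_value, else None."""
    if os.path.isabs(target):
        candidates = [target]
    else:
        candidates = [os.path.join(d, target) for d in path_value.split(":")]
    for candidate in candidates:
        # Regular file with any execute bit set; os.access(candidate, os.X_OK)
        # would additionally apply the calling user's permissions.
        if os.path.isfile(candidate) and os.stat(candidate).st_mode & 0o111:
            return os.path.normpath(candidate)
    return None


def demo():
    # Constructed sample: a working directory holding an executable Now.sh
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "Now.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho test\n")
    os.chmod(script, 0o755)
    expanded = expand_path("$PATH:.", RUNTIME_PATH, workdir)
    return expanded, resolve_executable("Now.sh", expanded)


if __name__ == "__main__":
    print(demo())
```

Every entry of the expanded value is absolute, so the PATH handed to the target no longer contains entries that resolve against whatever directory a spawned process happens to be in.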
@tparchambault
Contributor Author

If you aren't running as root, you can activate the Profiler Page menu item by creating a file, /tmp/prof_ui_enable. Alternatively, you can extract the attached tarball within your /tmp directory, as it contains the above-mentioned file and a trivial shell script, Now.sh, that prints out a teletype test and the environment variables WEINER and PATH.

Also, if not running as root, the fapolicyd daemon cannot be started/stopped by the fapolicy-analyzer, so only the execution of the specified target will occur.

FaProfilerTestCode.zip

fapolicy_analyzer/ui/faprofiler.py (outdated, resolved)
fapolicy_analyzer/ui/faprofiler.py (outdated, resolved)
fapolicy_analyzer/ui/strings.py (outdated, resolved)
fapolicy_analyzer/tests/test_faprofiler.py (outdated, resolved)
@tparchambault tparchambault marked this pull request as draft November 22, 2022 00:39
@jw3
Member

jw3 commented Nov 29, 2022

Is this ready?

@tparchambault
Contributor Author

No. Worked it yesterday; as requested in review, added dict key checking for robustness, and adding requested unit tests. Have not pushed latest work. Hopefully today.

@jw3 jw3 added the bug (Something isn't working) and Profiler (FA Policy Profiler) labels Dec 1, 2022
@tparchambault tparchambault marked this pull request as ready for review December 1, 2022 18:48
@tparchambault
Contributor Author

Opened #670 related to the Profiler's default pwd, given that within the pkexec environment /root is the default pwd.

@jw3
Member

jw3 commented Dec 2, 2022

@tparchambault conflicts in the main .pot

Member

@jw3 jw3 left a comment

Works as expected 👍

@jw3
Member

jw3 commented Dec 2, 2022

Resolved the conflict, was just the file info date/time conflicting.

@jw3 jw3 changed the title from "Added support function to check relative exec path" to "Fix profiler relative path validation" Dec 2, 2022
@jw3 jw3 changed the title from "Fix profiler relative path validation" to "Fix profiler path validation" Dec 2, 2022
@jw3 jw3 merged commit f65690e into ctc-oss:master Dec 2, 2022
Successfully merging this pull request may close these issues.

Profiler executable argument validaiton should consider PATH env