Add functionality to fix specific host security attributes #6204
Conversation
hughsie
force-pushed
the
wip/hughsie/fix-security
branch
from
036b2f7
to
61f48ac
Compare
libfwupdplugin/fu-kernel.c
Outdated
| /* check all the config files are writable */ | ||
| for (guint i = 0; config_files[i] != NULL; i++) { | ||
| g_autoptr(GFile) file = g_file_new_for_path(config_files[i]); | ||
| g_autoptr(GFileInfo) info = NULL; | ||
| g_autoptr(GError) error_local = NULL; |
There was a problem hiding this comment.
you don't think a new helper for this that both could call could work? It seems like the same to me. Am I missing some nuance?
There was a problem hiding this comment.
I had something like gboolean fu_common_file_is_writable(GFile *file, gboolean *is_writable, GError **error) and it felt much clumsier than just copy and pasting the ~8 lines of code.
There was a problem hiding this comment.
I've got something else I'm working on that may use this same function, so it will be 3 places that use the same 8 lines. Still copy/paste better?
There was a problem hiding this comment.
What I was struggling with was "should a file that doesn't exist be a GError" and "should a file that's not writeable be an error" -- the caller sometimes wants the former and sometimes wants the latter...
There was a problem hiding this comment.
Oh I see... so maybe we want two checks? Check if it exists, and check if it is a writable location?
hughsie
force-pushed
the
wip/hughsie/fix-security
branch
2 times, most recently
from
43a00bb
to
3225385
Compare
hughsie
force-pushed
the
wip/hughsie/fix-security
branch
from
3225385
to
cb17fac
Compare
|
@superm1 the only niggle I have is "unfix". Alternatives I have are:
Or we stick to 'unfix'. |
I don't like any of this
I like this
only works if you rename 'fix' too
I don't like this
I like this
|
hughsie
force-pushed
the
wip/hughsie/fix-security
branch
from
cb17fac
to
170a5b2
Compare
|
@superm1 I've pushed "undo" -- does that make more sense? |
it does, but I think you need to plumb that through a lot of things that use |
hughsie
force-pushed
the
wip/hughsie/fix-security
branch
from
ed45a8b
to
67df00c
Compare
The idea here is that rather than limiting ourselves to setting BIOS values to fix HSI attributes, we can do per-plugin actions such as setting kernel command line options. Add two new: * flags for FwupdSecurityAttr * client helpers * PolicyKit rules * D-Bus methods and plugin vfuncs Then teach the iommu and linux-lockdown plugins how to set kernel arguments. This also benefits automation frameworks such as Ansible and Puppet; the framework can call the repair functions with just the AppStream ID. Heavily based on patches by Kate Hsuan <hpa@redhat.com>, many thanks.
hughsie
force-pushed
the
wip/hughsie/fix-security
branch
from
67df00c
to
83b6049
Compare
The idea here is that rather than limiting ourselves to setting BIOS values to fix HSI attributes, we can do per-plugin actions such as setting kernel command line options.
Add two new:
Then teach the iommu and linux-lockdown plugins how to set kernel arguments.
This also benefits automation frameworks such as Ansible and puppet; the framework can call the repair functions with just the AppStream ID.
Heavily based on patches by Kate Hsuan hpa@redhat.com, many thanks.
Type of pull request: