From b5cac3c02237c434331941c60646cd4961fd0e0e Mon Sep 17 00:00:00 2001
From: Knut Anderssen
Date: Tue, 4 Jan 2022 10:08:45 +0000
Subject: [PATCH 1/5] Do not propose any module if not configurable
---
 src/lib/y2security/lsm/config.rb | 1 +
 test/y2security/lsm/config_test.rb | 24 +++++++++++++++++-------
 2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/src/lib/y2security/lsm/config.rb b/src/lib/y2security/lsm/config.rb
index 8402ba58..036ee8af 100644
--- a/src/lib/y2security/lsm/config.rb
+++ b/src/lib/y2security/lsm/config.rb
@@ -51,6 +51,7 @@ def initialize
 # Select the LSM to be used based in the one defined in the control file using apparmor as
 # fallback in case that no one is selected
 def propose_default
+ return unless configurable?
 log.info("The settings are #{product_feature_settings.inspect}")
 selected = product_feature_settings.fetch(:select, "apparmor")
diff --git a/test/y2security/lsm/config_test.rb b/test/y2security/lsm/config_test.rb
index d7de50cc..295ddb6b 100755
--- a/test/y2security/lsm/config_test.rb
+++ b/test/y2security/lsm/config_test.rb
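Review bot: The added `return unless configurable?` exits silently, so on a product where the LSM is not configurable the log carries no hint of why no module was proposed, while the configurable path logs its settings on the very next line; wrapping the guard in an `unless configurable?` block that emits a short `log.info` before returning keeps both paths equally traceable. The method comment above the guard still reads as if a module is always selected — appending `# Does nothing when the LSM is not configurable` keeps it accurate. The body of propose_default continues past the end of the hunk.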
@@ -174,16 +174,26 @@
 end
 describe "#propose_default" do
- it "selects the LSM to be used based on the control file" do
- expect { subject.propose_default }.to change { subject.selected&.id }.from(nil).to(:selinux)
+ context "when Linux Security module is declared as configurable in the control file" do
+ it "selects the LSM to be used based on the control file" do
+ expect { subject.propose_default }.to change { subject.selected&.id }.from(nil).to(:selinux)
+ end
+
+ context "when no default LSM is declared in the control file" do
+ let(:lsm_section) { { "configurable" => lsm_configurable } }
+
+ it "fallbacks to :apparmor" do
+ expect { subject.propose_default }
+ .to change { subject.selected&.id }.from(nil).to(:apparmor)
+ end
+ end
 end
- context "when no default LSM is declared in the control file" do
- let(:lsm_section) { { "configurable" => lsm_configurable } }
+ context "when Linux Security module is not declared as configurable in the control file" do
+ let(:lsm_configurable) { false }
- it "fallbacks to :apparmor" do
- expect { subject.propose_default }
- .to change { subject.selected&.id }.from(nil).to(:apparmor)
+ it "does not select any module by default" do
+ expect { subject.propose_default }.to_not(change { subject.selected })
 end
 end
 end
From b58d2cb1bab1253c3e0efff68fe24ef083c66ac0 Mon Sep 17 00:00:00 2001
From: Knut Anderssen
Date: Tue, 4 Jan 2022 10:18:30 +0000
Subject: [PATCH 2/5] LSM config is configurable by default.
---
 src/lib/y2security/lsm/config.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lib/y2security/lsm/config.rb b/src/lib/y2security/lsm/config.rb
index 036ee8af..643a3f61 100644
--- a/src/lib/y2security/lsm/config.rb
+++ b/src/lib/y2security/lsm/config.rb
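Review bot: The moved example title `it "fallbacks to :apparmor" do` should read `it "falls back to :apparmor" do`. The new not-configurable example observes `subject.selected` while the two configurable examples observe `subject.selected&.id`; using the same expression in all three keeps failure output comparable, e.g. `expect { subject.propose_default }.to_not(change { subject.selected&.id })`. The default value of `lsm_configurable` that the configurable examples depend on is defined outside the hunk.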
@@ -52,6 +52,7 @@ def initialize
 # fallback in case that no one is selected
 def propose_default
 return unless configurable?
+
 log.info("The settings are #{product_feature_settings.inspect}")
 selected = product_feature_settings.fetch(:select, "apparmor")
@@ -141,7 +142,7 @@ def configurable?
 return @configurable unless @configurable.nil?
 return false if Yast::Arch.is_wsl
- @configurable = product_feature_settings[:configurable] || false
+ @configurable = product_feature_settings.fetch(:configurable, true)
 end
 # Returns the values for the LSM setting from the product features
From a811a1b8d679d391c0d6354e82ec338ddebbf2e8 Mon Sep 17 00:00:00 2001
From: Knut Anderssen
Date: Tue, 4 Jan 2022 11:59:49 +0000
Subject: [PATCH 3/5] Added selectable option and make select an enum
---
 src/autoyast-rnc/security.rnc | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/autoyast-rnc/security.rnc b/src/autoyast-rnc/security.rnc
index bf38e4f6..bf757af4 100644
--- a/src/autoyast-rnc/security.rnc
+++ b/src/autoyast-rnc/security.rnc
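Review bot: `@configurable = product_feature_settings.fetch(:configurable, true)` drops the boolean coercion the removed `|| false` provided, so a `:configurable` key that is present with a nil value leaves `@configurable` nil and the guard `return @configurable unless @configurable.nil?` above it recomputes the answer on every call; `@configurable = product_feature_settings.fetch(:configurable, true) != false` keeps the memoized value a boolean and treats nil like an absent key. Flipping the default from false to true also changes behaviour for every product whose control file omits `configurable` — they now get an LSM proposed — which deserves a line in this series' changelog entry and a `# @return [Boolean] false only when disabled in the control file or when running on WSL` on `configurable?`. If the settings hash can carry string values, neither the old nor the new form distinguishes `"false"` from true; worth confirming against how product_feature_settings is built. The head of `configurable?` lies before this hunk, and the first hunk on this line only inserts a blank line.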
@@ -130,23 +130,29 @@ y2_security =
 | lsm
 security = element security { MAP, y2_security* }
-configurable = element configurable { BOOLEAN }
-selectable = element selectable { BOOLEAN }
+## Whether the module can be proposed/configured during installation
+lsm_configurable = element configurable { BOOLEAN }
+## Whether the module can be selected during installation
+lsm_selectable = element selectable { BOOLEAN }
+## Space-separated list of required/suggested patterns for the selected module
+lsm_patterns = element patterns { text }
 lsm = element lsm {
 MAP,
 (
 lsm_select? &
- configurable? &
+ lsm_configurable? &
+ lsm_selectable? &
 selinux? &
 apparmor?
 )
 }
-lsm_select = element select { STRING }
+# Linux Security Major Module to be activated after installation
+lsm_select = element select { "apparmor" | "selinux" | "none" }
 lsm_module =
- configurable
- | selectable
- | element patterns { STRING }
+ lsm_configurable
+ | lsm_selectable
+ | lsm_patterns
 apparmor = element apparmor {
 MAP,
 lsm_module*
From 14d4b3c53072acada3ab9a318b7da26558a36f60 Mon Sep 17 00:00:00 2001
From: Knut Anderssen
Date: Tue, 4 Jan 2022 15:51:09 +0000
Subject: [PATCH 4/5] Bump version & changelog
---
 package/yast2-security.changes | 9 +++++++++
 package/yast2-security.spec | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/package/yast2-security.changes b/package/yast2-security.changes
index fc3d74dc..717e7bb9 100644
--- a/package/yast2-security.changes
+++ b/package/yast2-security.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Jan 4 12:06:48 UTC 2022 - Knut Anderssen
+
+- Related to jsc#SLE-22069:
+ - Autoyast LSM section: added "selectable" option to the section
+ - Do not propose a default LSM configuration when it is declared
+ as not configurable in the control file or AutoYaST
+- 4.4.4
+
 -------------------------------------------------------------------
 Wed Dec 29 11:47:15 UTC 2021 - Knut Anderssen
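Review bot: The annotation on the redefined `lsm_select` uses a single `#`, while the three annotations added above it use the RELAX NG documentation form `##`; `## Linux Security Major Module to be activated after installation` keeps the four uniform and lets schema tooling pick it up. Narrowing `select` from `STRING` to `"apparmor" | "selinux" | "none"` makes profiles with any other value fail validation and introduces `"none"`, which needs a matching branch in the Ruby side — the only value handling visible in this series is the `"apparmor"` fallback in `propose_default` — so it is worth confirming and mentioning in the changelog, which currently lists only the `selectable` option. `patterns` also changed its content from `STRING` to `text`; if that is intentional for the space-separated list described in its annotation, saying so in the commit message would help the next reader.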
diff --git a/package/yast2-security.spec b/package/yast2-security.spec
index 4a6daf64..3378d30b 100644
--- a/package/yast2-security.spec
+++ b/package/yast2-security.spec
@@ -17,7 +17,7 @@
 Name: yast2-security
-Version: 4.4.3
+Version: 4.4.4
 Release: 0
 Group: System/YaST
 License: GPL-2.0-only
From 6ee5ae1c7556a315c35c4382f05e38c8deb92756 Mon Sep 17 00:00:00 2001
From: Knut Anderssen
Date: Tue, 4 Jan 2022 16:04:23 +0000
Subject: [PATCH 5/5] Do not set resolvables if not configurable
---
 src/modules/Security.rb | 2 ++
 test/security_test.rb | 24 +++++++++++++++++-------
 2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/src/modules/Security.rb b/src/modules/Security.rb
index cace7a4a..db4b6ed7 100644
--- a/src/modules/Security.rb
+++ b/src/modules/Security.rb
@@ -932,6 +932,8 @@ def import_lsm_config(settings)
 section = Y2Security::AutoinstProfile::SecuritySection.new_from_hashes(settings)
 Y2Security::Autoinst::LSMConfigReader.new(section.lsm).read
+ return unless lsm_config.configurable?
+
 PackagesProposal.SetResolvables("LSM", :pattern, lsm_config.needed_patterns)
 end
diff --git a/test/security_test.rb b/test/security_test.rb
index 544998d5..3ec2cff5 100755
--- a/test/security_test.rb
+++ b/test/security_test.rb
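Review bot: `return unless lsm_config.configurable?` relies on `configurable?`, which (per the earlier commit in this series) memoizes its answer in `@configurable`; if it was already evaluated before `LSMConfigReader` applied the profile, the profile's `configurable` flag is not seen here, and whether the reader resets that cache is not visible from this hunk — worth confirming. When the flag is false, any `"LSM"` resolvables registered by a previous call are also left in the proposal instead of being cleared, so importing a profile that disables the LSM after a proposal run keeps the earlier patterns; if that matters, clearing them with `Yast::PackagesProposal.RemoveResolvables` (if the yast2 in use provides it) before returning would keep proposal and configuration consistent. The definition of import_lsm_config starts before the hunk.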
@@ -720,13 +720,23 @@ def enabled?
 end
 context "when a specific Linux Security Module is selected" do
- it "sets resolvables for needed patterns" do
- allow_any_instance_of(Y2Security::LSM::Base).to receive(:needed_patterns)
- .and_return(selinux_patterns)
- expect(Yast::PackagesProposal).to receive(:SetResolvables)
- .with(anything, :pattern, selinux_patterns)
-
- Security.Import("selinux_mode" => "permissive")
+ context "and LSM is configurable" do
+ it "sets resolvables for needed patterns" do
+ allow_any_instance_of(Y2Security::LSM::Base).to receive(:needed_patterns)
+ .and_return(selinux_patterns)
+ expect(Yast::PackagesProposal).to receive(:SetResolvables)
+ .with(anything, :pattern, selinux_patterns)
+
+ Security.Import("selinux_mode" => "permissive")
+ end
+ end
+
+ context "and LSM is declared as no configurable" do
+ it "does not touch resolvables" do
+ expect(Yast::PackagesProposal).to_not receive(:SetResolvables)
+
+ Security.Import("lsm" => { "configurable" => false })
+ end
+ end
 end
 end
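Review bot: The new context description `context "and LSM is declared as no configurable" do` should read `context "and LSM is declared as not configurable" do`. Its example title `it "does not touch resolvables" do` promises more than the expectation checks, which is only that `SetResolvables` is not called; `it "does not set resolvables" do` matches the assertion. The `selinux_patterns` helper and the setup of the enclosing context are defined outside the hunk.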