v3.3.0 - SUmask and Landlock feature

.cargo/config.toml

@@ -63,6 +63,7 @@ RAR_AUTHENTICATION = "perform"
 RAR_EXEC_INFO_DISPLAY = "hide"
 RAR_USER_CONSIDERED = "user"
 RAR_BOUNDING = "strict"
+RAR_UMASK = "0022"
 RAR_MAX_LOCKFILE_RETRIES = "10"
 RAR_LOCKFILE_RETRY_INTERVAL = "1"
 RAR_TIMEOUT_STORAGE = "/var/run/rar/ts"

Cargo.toml

@@ -3,7 +3,7 @@ members = ["xtask", "rar-common"]
 
 [package]
 name = "rootasrole"
-version = "3.2.4"
+version = "3.3.0"
 rust-version = "1.83.0"
 authors = ["Eddie Billoir <lechatp@outlook.fr>"]
 edition = "2021"
@@ -51,14 +51,15 @@ path = "tests/integration_tests.rs"
 required-features = ["finder"]
 
 [features]
-finder = ["plugins", "timeout", "pcre2", "glob", "rar-common/finder", "dep:nonstick", "dep:libpam-sys", "dep:pty-process", "dep:once_cell"]
+finder = ["plugins", "timeout", "pcre2", "glob", "landlock", "rar-common/finder", "dep:nonstick", "dep:libpam-sys", "dep:pty-process", "dep:once_cell"]
 glob = ["rar-common/glob"]
 pcre2 = ["dep:pcre2", "rar-common/pcre2"]
 plugins = ["hashchecker", "ssd", "hierarchy"]
 hashchecker = ["dep:hex", "dep:sha2"]
 ssd = []
 hierarchy = []
 timeout = []
+landlock = ["dep:landlock", "dep:bitflags"]
 editor = ["dep:landlock", "dep:libseccomp", "dep:pest", "dep:pest_derive", "dep:linked_hash_set"]
 
 [lints.rust]
@@ -68,7 +69,7 @@ unexpected_cfgs = { level = "allow", check-cfg = ['cfg(tarpaulin_include)'] }
 toml = { version = "0.8", default-features = false, features = ["parse", "display", "preserve_order"] }
 
 [dependencies]
-rar-common = { path = "rar-common", version = "3.2.4", package = "rootasrole-core" }
+rar-common = { path = "rar-common", version = "3.3.0", package = "rootasrole-core" }
 log = { version = "0.4", default-features = false, features = ["std"] }
 libc = { version = "0.2", default-features = false, features = ["std"]}
 strum = { version = "0.26", default-features = false, features = ["derive"] }
@@ -97,6 +98,7 @@ linked_hash_set = { version = "0.1", default-features = false, optional = true }
 hex = { version = "0.4", default-features = false, optional = true, features = ["alloc"]}
 landlock = { version = "0.4", optional = true }
 libseccomp = { version = "0.3", optional = true }
+bitflags = { version = "2.9", default-features = false, optional = true }
 
 [dev-dependencies]
 log = { version = "0.4", default-features = false, features = ["std"] }

book/src/chsr/README.md

@@ -70,9 +70,12 @@ chsr role [role_name] options [option] [operation]
 chsr role [role_name] task [task_name] options [option] [operation]
   <b>path</b>                          Manage path settings (set, whitelist, blacklist).
   <b>env</b>                           Manage environment variable settings (set, whitelist, blacklist, checklist).
-  <b>root</b> [policy]                 Defines when the root user (uid == 0) gets his privileges by default. (privileged, user, inherit)
-  <b>bounding</b> [policy]             Defines when dropped capabilities are permanently removed in the instantiated process. (strict, ignore, inherit)
+  <b>root</b> [policy]                 Defines when the root user (uid == 0) gets his privileges by default. (del, privileged, user)
+  <b>bounding</b> [policy]             Defines when dropped capabilities are permanently removed in the instantiated process. (del, strict, ignore)
   <b>timeout</b>                       Manage timeout settings (set, unset).
+  <b>umask</b> [umask|del]             Set the umask execution environment (in octal format, e.g., 022, or del for removing).
+  <b>authentication</b> [policy]       Defines if user needs to authenticate (del, skip, perform).
+  <b>execinfo</b> [policy]             Defines if user can see execution settings (del, show, hide).
 
 
 <u><b>Path options:</b></u>

book/src/chsr/file-config.md

@@ -63,7 +63,10 @@ The following example shows a RootAsRole config without plugins when almost ever
       "type": "ppid", // Type of timeout: tty, ppid, uid
       "duration": "15:30:30", // Duration of the timeout in HH:MM:SS format
       "max_usage": 1 // Maximum usage before timeout expires
-    }
+    },
+    "umask": "022", // umask value for the executed command
+    "execinfo": "show", // Allow users to see execution context: show, hide
+    "authentication": "perform" // Authentication: perform, skip
   },
   "roles": [ // Role list
     {

rar-common/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rootasrole-core"
-version = "3.2.4"
+version = "3.3.0"
 edition = "2021"
 description = "This core crate for the RootAsRole project."
 license = "LGPL-3.0-or-later"

rar-common/src/database/actor.rs

@@ -19,6 +19,15 @@ pub enum SGenericActorType {
     Name(String),
 }
 
+impl SGenericActorType {
+    fn as_str(&self) -> Cow<'_, str> {
+        match self {
+            SGenericActorType::Id(id) => Cow::Owned(id.to_string()),
+            SGenericActorType::Name(name) => Cow::Borrowed(name),
+        }
+    }
+}
+
 #[derive(Deserialize, Serialize, Debug, Clone, PartialEq, Eq)]
 pub struct SUserType(SGenericActorType);
 
@@ -57,6 +66,11 @@ impl SUserType {
             _ => false,
         }
     }
+    // Allowing dead code for RootAsRole-gensr project
+    #[allow(dead_code)]
+    pub fn as_str(&self) -> Cow<'_, str> {
+        self.0.as_str()
+    }
 }
 
 impl DUserType<'_> {
@@ -69,6 +83,12 @@ impl DUserType<'_> {
             },
         }
     }
+    pub fn fetch_user(&self) -> Option<User> {
+        match &self.0 {
+            DGenericActorType::Id(id) => User::from_uid((*id).into()).ok().flatten(),
+            DGenericActorType::Name(name) => User::from_name(name).ok().flatten(),
+        }
+    }
 }
 
 impl fmt::Display for SUserType {
@@ -119,6 +139,9 @@ impl SGroupType {
             SGenericActorType::Name(name) => Group::from_name(name).ok().flatten(),
         }
     }
+    pub fn as_str(&self) -> Cow<'_, str> {
+        self.0.as_str()
+    }
 }
 
 impl DGroupType<'_> {
@@ -131,6 +154,12 @@ impl DGroupType<'_> {
             },
         }
     }
+    pub fn fetch_group(&self) -> Option<Group> {
+        match &self.0 {
+            DGenericActorType::Id(id) => Group::from_gid((*id).into()).ok().flatten(),
+            DGenericActorType::Name(name) => Group::from_name(name).ok().flatten(),
+        }
+    }
 }
 
 impl Display for DGroupType<'_> {
@@ -808,12 +837,20 @@ mod tests {
         let group = SGroupType::from("unkown");
         assert_eq!(group.fetch_id(), None);
     }
+
     #[test]
     fn test_fetch_user() {
-        let user = SUserType::from("testuser");
-        assert!(user.fetch_user().is_none());
-        let user_by_id = SUserType::from(0);
-        assert!(user_by_id.fetch_user().is_some());
+        let user = DUserType::from("root");
+        assert_eq!(
+            user.fetch_user(),
+            Some(User::from_uid(0.into()).unwrap().unwrap())
+        );
+
+        let user = DUserType::from(0);
+        assert_eq!(
+            user.fetch_user(),
+            Some(User::from_uid(0.into()).unwrap().unwrap())
+        );
     }
 
     #[test]
@@ -1012,6 +1049,8 @@ mod tests {
         assert!(group.is_single());
         let group = SGroups::from(["test"]);
         assert!(group.is_single());
+        let group = SGroups::from("test");
+        assert!(group.is_single());
         let group = SGroups::from(["test", "test2"]);
         assert!(!group.is_single());
         let group = SGroups::from(vec![0, 1]);
@@ -1080,4 +1119,16 @@ mod tests {
         let ids: Result<Vec<u32>, _> = (&groups).try_into();
         assert!(ids.is_err());
     }
+
+    #[test]
+    fn test_as_str() {
+        let group = SGroupType::from("test");
+        assert_eq!(group.as_str(), "test");
+        let group = SGroupType::from(100);
+        assert_eq!(group.as_str(), "100");
+        let user = SUserType::from("test");
+        assert_eq!(user.as_str(), "test");
+        let user = SUserType::from(100);
+        assert_eq!(user.as_str(), "100");
+    }
 }

rar-common/src/database/de.rs

@@ -576,6 +576,24 @@ mod tests {
         assert!(serde_json::from_value::<SGenericActorType>(invalid_data).is_err());
     }
 
+    #[test]
+    fn test_s_setgid_set_deserialization() {
+        let json_data = json!({
+            "default": "all",
+            "fallback": "group1",
+            "add": ["group2", "group3"],
+            "sub": ["group4"]
+        });
+        let setgid_set: SSetgidSet = serde_json::from_value(json_data).unwrap();
+        assert_eq!(setgid_set.default_behavior, SetBehavior::All);
+        assert_eq!(setgid_set.fallback, SGroups::from("group1"));
+        assert_eq!(setgid_set.add.len(), 2);
+        assert_eq!(setgid_set.add[0], SGroups::from("group2"));
+        assert_eq!(setgid_set.add[1], SGroups::from("group3"));
+        assert_eq!(setgid_set.sub.len(), 1);
+        assert_eq!(setgid_set.sub[0], SGroups::from("group4"));
+    }
+
     #[test]
     fn test_s_commands_deserialization_seq() {
         let json_data = json!(["/bin/ls", "/bin/cat"]);

rar-common/src/database/mod.rs

@@ -1,7 +1,7 @@
 use std::error::Error;
 
 use actor::{SGroups, SUserType};
-use bon::{builder, Builder};
+use bon::Builder;
 use chrono::Duration;
 use linked_hash_set::LinkedHashSet;
 use options::EnvBehavior;