

feat: changeable effects (WIP)
desbma-s1n committed Nov 15, 2024
1 parent baeea83 commit 82bcf50
Showing 3 changed files with 249 additions and 54 deletions.
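--- a/src/summarize.rs
+++ b/src/summarize.rs
@@ -90,7 +90,7 @@ impl ValueCounted for u16 {
 }
 }
 
-impl<T: Eq + ValueCounted> CountableSetSpecifier<T> {
+impl<T: Eq + Ord + Clone + ValueCounted> CountableSetSpecifier<T> {
 fn contains_one(&self, needle: &T) -> bool {
 match self {
 Self::None => false,
@@ -116,6 +116,31 @@ impl<T: Eq + ValueCounted> CountableSetSpecifier<T> {
 Self::All => !matches!(other, Self::None),
 }
 }
+
+/// Remove a single element from the set
+/// The element to remove **must** be in the set, otherwise may panic
+#[expect(clippy::unwrap_used)]
+pub(crate) fn remove(&mut self, to_rm: &Self) {
+debug_assert!(self.intersects(to_rm));
+let Self::One(e) = to_rm else { unreachable!() };
+match self {
+Self::None => unreachable!(),
+Self::One(_) => {
+*self = Self::None;
+}
+Self::Some(es) => {
+let idx = es.iter().position(|e2| e == e2).unwrap();
+es.remove(idx);
+}
+Self::AllExcept(excs) => {
+let idx = excs.binary_search(e).unwrap_err();
+excs.insert(idx, e.to_owned());
+}
+Self::All => {
+*self = Self::AllExcept(vec![e.to_owned()]);
+}
+}
+}
 }
 
 /// Quantify something that is done or denied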
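Review bot: In `remove`, the `Self::Some(es)` arm can leave the set as `Self::Some(vec![])` once the last element is taken out, while the `Self::One(_)` arm collapses the same situation to `Self::None`; unless an empty `Some` is treated as empty everywhere (`contains_one` and `intersects` are only partly inside this hunk), the two representations of an empty set can disagree, so I would normalize with `es.retain(|e2| e2 != e); if es.is_empty() { *self = Self::None; }`. The `Self::One(_)` arm also never compares the stored element with `e`, so in a release build (where the `debug_assert!` on the first line is compiled out) a mismatched `to_rm` silently empties the set instead of panicking as the doc comment promises; binding the element, `Self::One(cur) => { debug_assert!(cur == e); *self = Self::None; }`, keeps the stated precondition honest in both profiles. The doc comment should additionally say that `to_rm` must itself be a `Self::One`, since `let Self::One(e) = to_rm else { unreachable!() };` panics for every other variant — a `# Panics` section listing both conditions would do.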
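--- a/src/systemd/options.rs
+++ b/src/systemd/options.rs
@@ -20,11 +20,21 @@ use crate::{
 systemd::{KernelVersion, SystemdVersion},
 };
 
+/// Callbacks to dynamic update an option to make it compatible with an action
+#[derive(Debug)]
+pub(crate) struct OptionUpdater {
+/// Generate a new option effect compatible with the previously incompatible action
+pub effect: fn(&OptionValueEffect, &ProgramAction) -> Option<OptionValueEffect>,
+/// Generate the option value from the new effect
+pub value: fn(&OptionValueEffect) -> OptionValue,
+}
+
 /// Systemd option with its possibles values, and their effect
 #[derive(Debug)]
 pub(crate) struct OptionDescription {
 pub name: &'static str,
 pub possible_values: Vec<OptionValueDescription>,
+pub updater: Option<OptionUpdater>,
 }
 
 impl fmt::Display for OptionDescription {
@@ -862,6 +872,7 @@ pub(crate) fn build_options(
 })),
 },
 ],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=
@@ -918,6 +929,7 @@ pub(crate) fn build_options(
 )),
 },
 ],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=
@@ -936,6 +948,7 @@ pub(crate) fn build_options(
 }),
 ])),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=
@@ -968,6 +981,7 @@ pub(crate) fn build_options(
 OptionValueEffect::DenySyscalls(DenySyscalls::Class("raw-io")),
 ])),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=
@@ -1014,6 +1028,7 @@ pub(crate) fn build_options(
 .collect(),
 )),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=
@@ -1034,6 +1049,7 @@ pub(crate) fn build_options(
 OptionValueEffect::DenySyscalls(DenySyscalls::Class("module")),
 ])),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelLogs=
@@ -1053,6 +1069,7 @@ pub(crate) fn build_options(
 }),
 ])),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectControlGroups=
@@ -1065,6 +1082,7 @@ pub(crate) fn build_options(
 exceptions: vec![],
 })),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=
@@ -1085,6 +1103,7 @@ pub(crate) fn build_options(
 regex::bytes::Regex::new("^/proc/[0-9]+(/|$)").unwrap(),
 ))),
 }],
+updater: None,
 });
 }
 
@@ -1098,6 +1117,7 @@ pub(crate) fn build_options(
 ProgramAction::WriteExecuteMemoryMapping,
 )),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictAddressFamilies=
@@ -1173,6 +1193,7 @@ pub(crate) fn build_options(
 .collect(),
 ),
 }],
+updater: None,
 });
 
 if let HardeningMode::Aggressive = mode {
@@ -1194,6 +1215,7 @@ pub(crate) fn build_options(
 }),
 )),
 }],
+updater: None,
 });
 }
 
@@ -1234,6 +1256,46 @@ pub(crate) fn build_options(
 .collect(),
 ),
 }],
+updater: Some(OptionUpdater {
+effect: |e, a| {
+let OptionValueEffect::DenyAction(ProgramAction::NetworkActivity(effect_na)) = e
+else {
+unreachable!();
+};
+let ProgramAction::NetworkActivity(denied_na) = a else {
+unreachable!();
+};
+let mut new_eff_local_port = effect_na.local_port.clone();
+new_eff_local_port.remove(&denied_na.local_port);
+Some(OptionValueEffect::DenyAction(
+ProgramAction::NetworkActivity(NetworkActivity {
+af: effect_na.af.clone(),
+proto: effect_na.proto.clone(),
+kind: effect_na.kind.clone(),
+local_port: new_eff_local_port,
+}),
+))
+},
+value: |e| {
+let OptionValueEffect::DenyAction(ProgramAction::NetworkActivity(denied_na)) = e
+else {
+unreachable!();
+};
+OptionValue::List {
+values: denied_na
+.af
+.iter()
+.zip(denied_na.proto)
+.zip(denied_na.local_port.iter_ranges())
+.map(|(af, proto)| format!("{af}:{proto}:{port_range}"))
+.collect(),
+value_if_empty: None,
+negation_prefix: false,
+repeat_option: true,
+mode: ListMode::BlackList,
+}
+},
+}),
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LockPersonality=
@@ -1248,6 +1310,7 @@ pub(crate) fn build_options(
 "personality",
 ))),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictRealtime=
@@ -1259,6 +1322,7 @@ pub(crate) fn build_options(
 ProgramAction::SetRealtimeScheduler,
 )),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=
@@ -1271,6 +1335,7 @@ pub(crate) fn build_options(
 "clock",
 ))),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#CapabilityBoundingSet=
@@ -1430,6 +1495,7 @@ pub(crate) fn build_options(
 },
 desc: OptionEffect::Cumulative(cap_effects.into_iter().map(|(_c, e)| e).collect()),
 }],
+updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
@@ -1464,6 +1530,7 @@ pub(crate) fn build_options(
 .collect(),
 ),
 }],
+updater: None,
 });
 
 if let HardeningMode::Aggressive = mode {
@@ -1477,6 +1544,7 @@ pub(crate) fn build_options(
 value: OptionValue::String("native".to_owned()),
 desc: OptionEffect::None,
 }],
+updater: None,
 });
 }
 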
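Review bot: The `value` closure in the `@@ -1234,6 +1256,46 @@` hunk does not compile as written and, once it does, would emit fewer deny entries than the effect describes: the `map` closure destructures `(af, proto)` from a doubly-zipped `((af, proto), port_range)` item and references an unbound `port_range`, and `zip` pairs the three sets positionally and stops at the shortest one. If a `NetworkActivity` matches when each of its fields is in the corresponding set (which the field-wise `CountableSetSpecifier` values suggest, though the type is declared outside this hunk), the list value has to be the product of the three sets so that the option written to the unit denies exactly what `OptionValueEffect::DenyAction` claims — silently dropping combinations weakens the hardening without any visible error. In the `effect` closure, `CountableSetSpecifier::remove` requires `denied_na.local_port` to be a `Self::One` and panics otherwise, which deserves a comment on that line, and I would return `None` rather than `Some(DenyAction(..))` when `new_eff_local_port` ends up empty, since a deny effect over no ports is a no-op option. The enclosing `build_options` starts and ends outside the hunk.

```rust
value: |e| {
    let OptionValueEffect::DenyAction(ProgramAction::NetworkActivity(denied_na)) = e
    else {
        unreachable!();
    };
    // Every (af, proto, port range) combination the effect denies must be
    // written out, so enumerate the product instead of zipping the sets.
    let values = denied_na
        .af
        .iter()
        .flat_map(|af| {
            denied_na.proto.iter().flat_map(move |proto| {
                denied_na
                    .local_port
                    .iter_ranges()
                    .map(move |port_range| format!("{af}:{proto}:{port_range}"))
            })
        })
        .collect();
    OptionValue::List {
        values,
        // … unchanged: value_if_empty, negation_prefix, repeat_option, mode …
    }
},
```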

