Unify functions that evaluate commands

Ben Grande 2024-07-22 17:06:07 +02:00
parent 9c3566f524
commit 7ee1ea2cc7
No known key found for this signature in database
GPG Key ID: 00C64E14F51F9E56


@ -14,33 +14,23 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
echo_wrapper_ignore() { echo_wrapper_ignore() {
echo "INFO: run: $*" if test "${1}" = "verbose"; then
"$@" 2>/dev/null || true echo "INFO: run: $*"
} fi
shift
echo_wrapper_silent_ignore() {
#echo "INFO: run: $@"
"$@" 2>/dev/null || true "$@" 2>/dev/null || true
} }
echo_wrapper_audit() { echo_wrapper_audit() {
echo "INFO: run: $*" if test "${1}" = "verbose"; then
echo "INFO: run: $*"
fi
shift
return_code=0 return_code=0
"$@" || "$@" ||
{ {
return_code="$?" return_code="$?"
exit_code=203 exit_code=203
echo "ERROR: above command failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2
}
}
echo_wrapper_silent_audit() {
#echo "run (debugging): $@"
return_code=0
"$@" ||
{
return_code="$?"
exit_code=204
echo "ERROR: above command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 echo "ERROR: above command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2
} }
} }
@ -52,7 +42,7 @@ make_store_dir(){
} }
sanity_tests() { sanity_tests() {
echo_wrapper_silent_audit which \ echo_wrapper_audit silent which \
capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null
} }
@ -205,7 +195,7 @@ add_nosuid_statoverride_entry() {
## Save existing_mode in separate database. ## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode. ## Not using --update as not intending to enforce existing_mode.
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}"
fi fi
## No need to check "dpkg-statoverride --list" for existing entries. ## No need to check "dpkg-statoverride --list" for existing entries.
@ -214,18 +204,18 @@ add_nosuid_statoverride_entry() {
## and re-add. ## and re-add.
## Remove from real database. ## Remove from real database.
echo_wrapper_silent_ignore dpkg-statoverride --remove "${file_name}" echo_wrapper_ignore silent dpkg-statoverride --remove "${file_name}"
## Remove from separate database. ## Remove from separate database.
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}"
## Add to real database and use --update to make changes on disk. ## Add to real database and use --update to make changes on disk.
echo_wrapper_audit dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" echo_wrapper_audit verbose dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}"
## Not using --update as this is only for recording. ## Not using --update as this is only for recording.
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}"
## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'.
## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.
@ -414,20 +404,20 @@ set_file_perms() {
## Save existing_mode in separate database. ## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode. ## Not using --update as not intending to enforce existing_mode.
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}"
fi fi
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}"
## Remove from and add to real database. ## Remove from and add to real database.
echo_wrapper_silent_ignore dpkg-statoverride --remove "${fso_without_trailing_slash}" echo_wrapper_ignore silent dpkg-statoverride --remove "${fso_without_trailing_slash}"
echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
## Save in separate database. ## Save in separate database.
## Not using --update as this is only for saving. ## Not using --update as this is only for saving.
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
fi fi
else else
true "There is no fso entry. Therefore add one." true "There is no fso entry. Therefore add one."
@ -439,16 +429,16 @@ set_file_perms() {
## Save existing_mode in separate database. ## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode. ## Not using --update as not intending to enforce existing_mode.
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}"
fi fi
## Add to real database. ## Add to real database.
echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
## Save in separate database. ## Save in separate database.
## Not using --update as this is only for saving. ## Not using --update as this is only for saving.
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
fi fi
fi fi
if test -z "${capability_from_config}"; then if test -z "${capability_from_config}"; then
@ -462,7 +452,7 @@ set_file_perms() {
## The value of the capability argument is not permitted for a file. Or ## The value of the capability argument is not permitted for a file. Or
## the file is not a regular (non-symlink) file ## the file is not a regular (non-symlink) file
## Therefore use echo_wrapper_ignore. ## Therefore use echo_wrapper_ignore.
echo_wrapper_ignore setcap -r "${fso}" echo_wrapper_ignore verbose setcap -r "${fso}"
getcap_output="$(getcap "${fso}")" getcap_output="$(getcap "${fso}")"
if test -n "${getcap_output}"; then if test -n "${getcap_output}"; then
exit_code=205 exit_code=205
@ -477,7 +467,7 @@ set_file_perms() {
## feature request: dpkg-statoverride: support for capabilities ## feature request: dpkg-statoverride: support for capabilities
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580
echo_wrapper_audit setcap "${capability_from_config}+ep" "${fso}" echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}"
fi fi
done <"${config_file}" done <"${config_file}"
true "INFO: END parsing config_file: '${config_file}'" true "INFO: END parsing config_file: '${config_file}'"
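Review bot: The unified `echo_wrapper_ignore` and `echo_wrapper_audit` call `shift` unconditionally and never check that the first argument is a mode word, so a call site missed in this migration, or added later without `verbose`/`silent`, would lose its command name and try to execute the next word instead. In `echo_wrapper_ignore` that failure is hidden by `2>/dev/null || true`, so in a script that adjusts setuid/setgid modes and capabilities a removal could be skipped without any trace. The `echo "INFO: run: $*"` line also runs before the `shift`, so every logged command starts with the literal word `verbose`. Accepting only the two known modes and shifting before logging addresses both; the same `case` applies to `echo_wrapper_ignore`, and the error branch below is a sketch that should follow the script's own `exit_code` convention. Separately, failures of the formerly silent audit calls now set `exit_code=203` instead of 204, which is worth confirming as intended.

```bash
echo_wrapper_audit() {
  case "${1:-}" in
    verbose)
      shift
      echo "INFO: run: $*"
      ;;
    silent)
      shift
      ;;
    *)
      echo "ERROR: ${FUNCNAME[0]}: first argument must be 'verbose' or 'silent', got '${1:-}'" >&2
      return 1
      ;;
  esac
  ## … unchanged: return_code=0 and the "$@" || { … exit_code=203 … } block …
}
```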