set acl permissions on workdir root

In machines with umask set to `0027` it is necessary to setup an acl to overide it so the workdir root directory stays multi-user access. This is specially necessary on machines accessed with a non-root user, that are hardened to CIS Level 1 guidelines. Fixes: #2496 Signed-off-by: Carlos Rodriguez-Fernandez <[email protected]>
teemtee · Feb 22, 2024 · 981dd52 · 981dd52
1 parent d2df591
commit 981dd52
Show file tree

Hide file tree

Showing 12 changed files with 83 additions and 1 deletion.
diff --git a/examples/plugins/provision.py b/examples/plugins/provision.py
@@ -88,6 +88,7 @@ def go(self):
 
         self._guest = GuestExample(data, name=self.name, parent=self.step)
         self._guest.start()
+        self._guest.setup()
 
     def guest(self):
         """
@@ -110,6 +111,7 @@ class GuestExample(tmt.Guest):
     user ....... user name to log in
     key ........ private key
     password ... password
+    become ..... whether to run the scripts with sudo
 
     These are by default imported into instance attributes (see the
     class attribute '_keys' in tmt.Guest class).
@@ -190,6 +192,16 @@ def start(self):
         raise tmt.utils.ProvisionError(
             "All attempts to provision a machine with example failed.")
 
+    def setup(self):
+        """
+        Setup the guest
+
+        This should include all necessary configurations inside the instance
+        to get the plans to work. For example, ensure the permissions in
+        TMT_WORKDIR_ROOT will work if the user is non-root.
+        """
+        print("setup() called")
+
     # For advanced development
     def execute(self, command, **kwargs):
         """

diff --git a/tests/provision/become/data/umask.fmf b/tests/provision/become/data/umask.fmf
@@ -0,0 +1,12 @@
+summary: Check that become works when instance umask is restricted
+description: Ensures that become works when used in virtual instances with umask set to 0027 like in hardened OSs.
+provision+:
+    become: true
+discover:
+    tests:
+      - name: Beakerlib test to generate report files on guest
+        test: ./umask.sh
+        framework: beakerlib
+prepare:
+    how: shell
+    script: "echo 'umask 0027' >> /etc/profile; echo 'umask 0027' >> /etc/bashrc"
diff --git a/tests/provision/become/data/umask.sh b/tests/provision/become/data/umask.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "tmp=\$(mktemp -d)" 0 "Create tmp directory"
+        rlRun "pushd $tmp"
+        rlRun "set -o pipefail"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun -s "echo HELLO > output" 0 "Say something"
+        rlAssertGrep "HELLO" "output"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $tmp" 0 "Remove tmp directory"
+    rlPhaseEnd
+rlJournalEnd
diff --git a/tests/provision/become/main.fmf b/tests/provision/become/main.fmf
@@ -6,4 +6,4 @@ tag+:
   - provision-only
   - provision-container
   - provision-virtual
-duration: 20m
+duration: 24m
diff --git a/tests/provision/become/test.sh b/tests/provision/become/test.sh
@@ -37,6 +37,12 @@ rlJournalStart
         rlRun "tmt --context provisiontest=$PROVISION_HOW run -rvvv plan --name /prepare-finish/user/scripts"
     rlPhaseEnd
 
+    if [[ "$PROVISION_HOW" == "virtual" ]]; then
+        rlPhaseStartTest "$PROVISION_HOW, umask with become=true"
+            rlRun "tmt --context provisiontest=$PROVISION_HOW run -rvvv plan --name /umask"
+        rlPhaseEnd
+    fi
+
     rlPhaseStartCleanup
         rlRun "popd"
         if [[ "$PROVISION_HOW" == "container" ]]; then

diff --git a/tmt/steps/provision/__init__.py b/tmt/steps/provision/__init__.py
@@ -48,6 +48,7 @@
     ShellScript,
     cached_property,
     configure_constant,
+    effective_workdir_root,
     field,
     key_to_option,
     )
@@ -734,6 +735,13 @@ def start(self) -> None:
         """
         self.debug(f"Doing nothing to start guest '{self.primary_address}'.")
 
+    def setup(self) -> None:
+        """
+        Setup the guest
+
+        Setup the guest after it has been started. It is called after start().
+        """
+
     # A couple of requiremens for this field:
     #
     # * it should be valid, i.e. when someone tries to access it, the values
@@ -1365,6 +1373,23 @@ def is_ready(self) -> bool:
         # Enough for now, ssh connection can be created later
         return self.primary_address is not None
 
+    def setup(self) -> None:
+        if self.is_dry_run:
+            return
+        if not self.facts.is_superuser and self.become:
+            assert self.facts.package_manager is not None
+            self.execute(
+                Command(
+                    'sudo',
+                    f'{self.facts.package_manager.value}',
+                    'install',
+                    '-y',
+                    'acl'))
+            workdir_root = effective_workdir_root()
+            acl_setup_script = ShellScript(f'mkdir -p {workdir_root}')
+            acl_setup_script += ShellScript(f'setfacl -d -m o:rX {workdir_root}')
+            self.execute(acl_setup_script)
+
     def execute(self,
                 command: Union[tmt.utils.Command, tmt.utils.ShellScript],
                 cwd: Optional[Path] = None,

diff --git a/tmt/steps/provision/artemis.py b/tmt/steps/provision/artemis.py
@@ -757,6 +757,7 @@ def go(self) -> None:
             name=self.name,
             parent=self.step)
         self._guest.start()
+        self._guest.setup()
 
     def guest(self) -> Optional[GuestArtemis]:
         """ Return the provisioned guest """

diff --git a/tmt/steps/provision/connect.py b/tmt/steps/provision/connect.py
@@ -229,6 +229,7 @@ def go(self) -> None:
             data=data,
             name=self.name,
             parent=self.step)
+        self._guest.setup()
 
     def guest(self) -> Optional[tmt.GuestSsh]:
         """ Return the provisioned guest """

diff --git a/tmt/steps/provision/local.py b/tmt/steps/provision/local.py
@@ -187,6 +187,7 @@ def go(self) -> None:
             self.warn("The 'local' provision plugin does not support hardware requirements.")
 
         self._guest = GuestLocal(logger=self._logger, data=data, name=self.name, parent=self.step)
+        self._guest.setup()
 
     def guest(self) -> Optional[GuestLocal]:
         """ Return the provisioned guest """

diff --git a/tmt/steps/provision/mrack.py b/tmt/steps/provision/mrack.py
@@ -811,6 +811,7 @@ def go(self) -> None:
             logger=self._logger,
             )
         self._guest.start()
+        self._guest.setup()
 
     def guest(self) -> Optional[GuestBeaker]:
         """ Return the provisioned guest """

diff --git a/tmt/steps/provision/podman.py b/tmt/steps/provision/podman.py
@@ -457,6 +457,7 @@ def go(self) -> None:
             name=self.name,
             parent=self.step)
         self._guest.start()
+        self._guest.setup()
 
         # TODO: this might be allowed with `--privileged`...
         self._guest.facts.capabilities[GuestCapability.SYSLOG_ACTION_READ_ALL] = False

diff --git a/tmt/steps/provision/testcloud.py b/tmt/steps/provision/testcloud.py
@@ -956,6 +956,7 @@ def _report_support(constraint: tmt.hardware.Constraint[Any]) -> bool:
             name=self.name,
             parent=self.step)
         self._guest.start()
+        self._guest.setup()
 
     def guest(self) -> Optional[tmt.Guest]:
         """ Return the provisioned guest """