File: config.go

package info (click to toggle)
singularity-container 4.0.3%2Bds1-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 21,672 kB
  • sloc: asm: 3,857; sh: 2,125; ansic: 1,677; awk: 414; makefile: 110; python: 99
file content (240 lines) | stat: -rw-r--r-- 6,721 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
 
// Copyright (c) 2018-2022, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the
// LICENSE.md file distributed with the sources of this project regarding your
// rights to use or distribute this software.

package capabilities

import (
	"encoding/json"
	"fmt"
	"io"

	"github.com/sylabs/singularity/v4/pkg/sylog"
)

// Caplist defines a map of users/groups with associated list of capabilities
type Caplist map[string][]string

// Config is the in memory representation of the user/group capability
// authorizations as set by an admin
type Config struct {
	Users  Caplist `json:"users,omitempty"`
	Groups Caplist `json:"groups,omitempty"`
}

// ReadFrom reads a capability configuration from an io.Reader and returns a capability
// config with the set of authorized user/group capabilities
func ReadFrom(r io.Reader) (*Config, error) {
	c := &Config{
		Users:  make(Caplist),
		Groups: make(Caplist),
	}

	// read all data from r into b
	b, err := io.ReadAll(r)
	if err != nil {
		return nil, fmt.Errorf("failed to read from io.Reader: %s", err)
	}

	if len(b) > 0 {
		// if we had data to read in io.Reader, attempt to unmarshal as JSON
		if err := json.Unmarshal(b, c); err != nil {
			return nil, fmt.Errorf("failed to decode JSON data from io.Reader: %s", err)
		}
	} else {
		// if no data in io.Reader, populate c with empty data
		data, err := json.Marshal(c)
		if err != nil {
			return nil, fmt.Errorf("failed to initialize data")
		}
		json.Unmarshal(data, c)
	}

	return c, nil
}

// WriteTo writes the capability config into the provided io.Writer. If writing to the
// same file as passed to ReadFrom(io.Reader), the file should be truncated should seek to 0
// before passing the file as the io.Writer
func (c *Config) WriteTo(w io.Writer) (int64, error) {
	json, err := json.MarshalIndent(c, "", "\t")
	if err != nil {
		return 0, fmt.Errorf("failed to marshall capability data to json: %v", err)
	}

	n, err := w.Write(json)
	if err != nil {
		return int64(n), fmt.Errorf("failed to write capability json to io.Writer: %v", err)
	}

	return int64(n), err
}

func (c *Config) checkCaps(caps []string) error {
	for _, c := range caps {
		if _, ok := Map[c]; !ok {
			return fmt.Errorf("unknown capability %s", c)
		}
	}
	return nil
}

// AddUserCaps adds an authorized capability set to user
func (c *Config) AddUserCaps(user string, caps []string) error {
	if err := c.checkCaps(caps); err != nil {
		return err
	}
	for _, cap := range caps {
		present := false
		for _, c := range c.Users[user] {
			if c == cap {
				present = true
			}
		}
		if !present {
			c.Users[user] = append(c.Users[user], cap)
			sylog.Warningf("Adding '%s' capability will likely allow user %s to escalate privilege on the host", cap, user)
			sylog.Warningf("Use 'singularity capability drop --user %s %s' to reverse this action if necessary", user, cap)
		} else {
			sylog.Warningf("Won't add capability '%s', already assigned to user %s", cap, user)
		}
	}
	return nil
}

// AddGroupCaps adds an authorized capability set to group
func (c *Config) AddGroupCaps(group string, caps []string) error {
	if err := c.checkCaps(caps); err != nil {
		return err
	}
	for _, cap := range caps {
		present := false
		for _, c := range c.Groups[group] {
			if c == cap {
				present = true
			}
		}
		if !present {
			c.Groups[group] = append(c.Groups[group], cap)
		} else {
			sylog.Warningf("Won't add capability '%s', already assigned to group %s", cap, group)
		}
	}
	return nil
}

// DropUserCaps drops a set of capabilities for user
//
//nolint:dupl
func (c *Config) DropUserCaps(user string, caps []string) error {
	if err := c.checkCaps(caps); err != nil {
		return err
	}
	if _, ok := c.Users[user]; !ok {
		return fmt.Errorf("user '%s' doesn't have any capability assigned", user)
	}
	for _, cap := range caps {
		dropped := false
		for i := len(c.Users[user]) - 1; i >= 0; i-- {
			if c.Users[user][i] == cap {
				c.Users[user] = append(c.Users[user][:i], c.Users[user][i+1:]...)
				dropped = true
				break
			}
		}
		if !dropped {
			sylog.Warningf("Won't drop capability '%s', not assigned to user %s", cap, user)
		}
	}
	if len(c.Users[user]) == 0 {
		delete(c.Users, user)
	}
	return nil
}

// DropGroupCaps drops a set of capabilities for group
//
//nolint:dupl
func (c *Config) DropGroupCaps(group string, caps []string) error {
	if err := c.checkCaps(caps); err != nil {
		return err
	}
	if _, ok := c.Groups[group]; !ok {
		return fmt.Errorf("group '%s' doesn't have any capability assigned", group)
	}
	for _, cap := range caps {
		dropped := false
		for i := len(c.Groups[group]) - 1; i >= 0; i-- {
			if c.Groups[group][i] == cap {
				c.Groups[group] = append(c.Groups[group][:i], c.Groups[group][i+1:]...)
				dropped = true
				break
			}
		}
		if !dropped {
			sylog.Warningf("Won't drop capability '%s', not assigned to group %s", cap, group)
		}
	}
	if len(c.Groups[group]) == 0 {
		delete(c.Groups, group)
	}
	return nil
}

// ListUserCaps returns a capability list authorized for user
func (c *Config) ListUserCaps(user string) []string {
	return c.Users[user]
}

// ListGroupCaps returns a capability list authorized for group
func (c *Config) ListGroupCaps(group string) []string {
	return c.Groups[group]
}

// ListAllCaps returns capability list for both authorized users and groups
func (c *Config) ListAllCaps() (Caplist, Caplist) {
	return c.Users, c.Groups
}

// CheckUserCaps checks if provided capability list for user are whether
// or not authorized by returning two lists, the first one containing
// authorized capabilities and the second one containing unauthorized
// capabilities
func (c *Config) CheckUserCaps(user string, caps []string) (authorized []string, unauthorized []string) {
	for _, ca := range caps {
		present := false
		for _, userCap := range c.ListUserCaps(user) {
			if userCap == ca {
				authorized = append(authorized, ca)
				present = true
				break
			}
		}
		if !present {
			unauthorized = append(unauthorized, ca)
		}
	}
	return authorized, unauthorized
}

// CheckGroupCaps checks if provided capability list for group are whether
// or not authorized by returning two lists, the first one containing
// authorized capabilities and the second one containing unauthorized
// capabilities
func (c *Config) CheckGroupCaps(group string, caps []string) (authorized []string, unauthorized []string) {
	for _, ca := range caps {
		present := false
		for _, groupCap := range c.ListGroupCaps(group) {
			if groupCap == ca {
				authorized = append(authorized, ca)
				present = true
				break
			}
		}
		if !present {
			unauthorized = append(unauthorized, ca)
		}
	}
	return authorized, unauthorized
}