From 7b9149d048aa62b09c52bd2f079cd8e88879e932 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <sunil@medhas.org>
Date: Mon, 8 Nov 2021 16:54:33 -0800
Subject: [PATCH] security: Properly handle sandbox analysis of timer units

- When a timer is provided to 'systemctl show' not all expected keys are
provided in the result. This leads to a KeyError exception.

- Also the security analysis for a timer unit is not useful. Instead perform the
analysis on the corresponding .service unit.

Closes: #2145

Tests:

- Before the patch, Wordpress shows as not sandboxed. The security report page
crashes on Debian testing setup.

- After the patch, there is no crash. Wordpress shows as sandboxed with 86%
coverage.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
---
 plinth/modules/security/__init__.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/plinth/modules/security/__init__.py b/plinth/modules/security/__init__.py
index 43325562f..4fbad8597 100644
--- a/plinth/modules/security/__init__.py
+++ b/plinth/modules/security/__init__.py
@@ -155,6 +155,11 @@ def get_apps_report():
         if services:
             apps[module_name]['sandboxed'] = False
             for service in services:
+                # If an app lists a timer, work on the associated service
+                # instead
+                if service.rpartition('.')[-1] == 'timer':
+                    service = service.rpartition('.')[0]
+
                 if _get_service_is_sandboxed(service):
                     apps[module_name]['sandboxed'] = True
                     apps[module_name][
@@ -183,18 +188,18 @@ def _get_service_is_sandboxed(service):
         '--property=PrivateMounts',
     ]).decode().strip().split('\n')
     pairs = [line.partition('=')[::2] for line in lines]
-    properties = {name: value for name, value in pairs}
-    if properties['ProtectSystem'] in ['yes', 'full', 'strict']:
+    properties = dict(pairs)
+    if properties.get('ProtectSystem') in ['yes', 'full', 'strict']:
         return True
 
-    if properties['ProtectHome'] in ['yes', 'read-only', 'tmpfs']:
+    if properties.get('ProtectHome') in ['yes', 'read-only', 'tmpfs']:
         return True
 
     for name in [
             'PrivateTmp', 'PrivateDevices', 'PrivateNetwork', 'PrivateUsers',
             'PrivateMounts'
     ]:
-        if properties[name] == 'yes':
+        if properties.get(name) == 'yes':
             return True
 
     return False