nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-05-20 10:34:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: Properly handle sandbox analysis of timer units

Browse Source 
- When a timer is provided to 'systemctl show' not all expected keys are
provided in the result. This leads to a KeyError exception.

- Also the security analysis for a timer unit is not useful. Instead perform the
analysis on the corresponding .service unit.

Closes: #2145

Tests:

- Before the patch, Wordpress shows as not sandboxed. The security report page
crashes on Debian testing setup.

- After the patch, there is no crash. Wordpress shows as sandboxed with 86%
coverage.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This commit is contained in:
Sunil Mohan Adapa 2021-11-08 16:54:33 -08:00 committed by James Valleroy
parent 903bf6f29b
commit 7b9149d048
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
plinth/modules/security/__init__.py
View File

@ -155,6 +155,11 @@ def get_apps_report():
if services: if services:
apps[module_name]['sandboxed'] = False apps[module_name]['sandboxed'] = False
for service in services: for service in services:
# If an app lists a timer, work on the associated service
# instead
if service.rpartition('.')[-1] == 'timer':
service = service.rpartition('.')[0]
if _get_service_is_sandboxed(service): if _get_service_is_sandboxed(service):
apps[module_name]['sandboxed'] = True apps[module_name]['sandboxed'] = True
apps[module_name][ apps[module_name][
@ -183,18 +188,18 @@ def _get_service_is_sandboxed(service):
'--property=PrivateMounts', '--property=PrivateMounts',
]).decode().strip().split('\n') ]).decode().strip().split('\n')
pairs = [line.partition('=')[::2] for line in lines] pairs = [line.partition('=')[::2] for line in lines]
properties = {name: value for name, value in pairs} properties = dict(pairs)
if properties['ProtectSystem'] in ['yes', 'full', 'strict']: if properties.get('ProtectSystem') in ['yes', 'full', 'strict']:
return True return True
if properties['ProtectHome'] in ['yes', 'read-only', 'tmpfs']: if properties.get('ProtectHome') in ['yes', 'read-only', 'tmpfs']:
return True return True
for name in [ for name in [
'PrivateTmp', 'PrivateDevices', 'PrivateNetwork', 'PrivateUsers', 'PrivateTmp', 'PrivateDevices', 'PrivateNetwork', 'PrivateUsers',
'PrivateMounts' 'PrivateMounts'
]: ]:
if properties[name] == 'yes': if properties.get(name) == 'yes':
return True return True
return False return False