Add capabilities at build
This commit is contained in:
Samuel Aubertin
146
sloptrap-helperd
Normal file
146
sloptrap-helperd
Normal file
@@ -0,0 +1,146 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
helper_dir=${SLOPTRAP_HELPER_DIR:-/run/sloptrap-helper}
|
||||
queue_dir="$helper_dir/queue"
|
||||
caps=${SLOPTRAP_ACTIVE_CAPABILITIES:-}
|
||||
audit_log=${SLOPTRAP_AUDIT_LOG:-/codex/state/capabilities.log}
|
||||
mkdir -p "$queue_dir" "$(dirname "$audit_log")"
|
||||
|
||||
has_capability() {
|
||||
local needle=$1
|
||||
local token
|
||||
for token in $caps; do
|
||||
if [[ $token == "$needle" ]]; then
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
log_action() {
|
||||
local op=$1
|
||||
local details=$2
|
||||
local status=$3
|
||||
printf '%s op=%s status=%s %s\n' "$(date -u +%FT%TZ)" "$op" "$status" "$details" >>"$audit_log"
|
||||
}
|
||||
|
||||
write_status() {
|
||||
local request_dir=$1
|
||||
local status=$2
|
||||
printf '%s\n' "$status" >"$request_dir/status"
|
||||
}
|
||||
|
||||
run_apt_install() {
|
||||
local request_dir=$1
|
||||
has_capability "apt-install" || {
|
||||
printf 'capability apt-install is not active\n' >"$request_dir/stderr"
|
||||
write_status "$request_dir" 126
|
||||
log_action "apt-install" "packages=denied" 126
|
||||
return
|
||||
}
|
||||
local packages_file="$request_dir/packages"
|
||||
if [[ ! -f $packages_file ]]; then
|
||||
printf 'missing package list\n' >"$request_dir/stderr"
|
||||
write_status "$request_dir" 2
|
||||
log_action "apt-install" "packages=missing" 2
|
||||
return
|
||||
fi
|
||||
mapfile -t packages <"$packages_file"
|
||||
if [[ ${#packages[@]} -eq 0 ]]; then
|
||||
printf 'package list is empty\n' >"$request_dir/stderr"
|
||||
write_status "$request_dir" 2
|
||||
log_action "apt-install" "packages=empty" 2
|
||||
return
|
||||
fi
|
||||
if apt-get update >"$request_dir/stdout" 2>"$request_dir/stderr" \
|
||||
&& apt-get install -y --no-install-recommends "${packages[@]}" >>"$request_dir/stdout" 2>>"$request_dir/stderr"; then
|
||||
write_status "$request_dir" 0
|
||||
log_action "apt-install" "packages=${packages[*]}" 0
|
||||
return
|
||||
fi
|
||||
write_status "$request_dir" 1
|
||||
log_action "apt-install" "packages=${packages[*]}" 1
|
||||
}
|
||||
|
||||
run_packet_capture() {
|
||||
local request_dir=$1
|
||||
has_capability "packet-capture" || {
|
||||
printf 'capability packet-capture is not active\n' >"$request_dir/stderr"
|
||||
write_status "$request_dir" 126
|
||||
log_action "packet-capture" "interface=denied" 126
|
||||
return
|
||||
}
|
||||
local iface_file="$request_dir/interface"
|
||||
[[ -f $iface_file ]] || {
|
||||
printf 'missing interface\n' >"$request_dir/stderr"
|
||||
write_status "$request_dir" 2
|
||||
log_action "packet-capture" "interface=missing" 2
|
||||
return
|
||||
}
|
||||
local iface filter_file output_file stdout_mode
|
||||
iface=$(<"$iface_file")
|
||||
filter_file="$request_dir/filter"
|
||||
output_file="$request_dir/output"
|
||||
stdout_mode=0
|
||||
[[ -f "$request_dir/stdout_mode" ]] && stdout_mode=$(<"$request_dir/stdout_mode")
|
||||
local -a cmd=(tcpdump -i "$iface")
|
||||
if [[ -s $filter_file ]]; then
|
||||
local filter
|
||||
filter=$(<"$filter_file")
|
||||
local -a filter_tokens=()
|
||||
read -r -a filter_tokens <<< "$filter"
|
||||
cmd+=("${filter_tokens[@]}")
|
||||
fi
|
||||
if [[ -s $output_file ]]; then
|
||||
local capture_path
|
||||
capture_path=$(<"$output_file")
|
||||
mkdir -p "$(dirname "$capture_path")"
|
||||
cmd+=(-w "$capture_path")
|
||||
fi
|
||||
if [[ $stdout_mode == "1" ]]; then
|
||||
"${cmd[@]}" >"$request_dir/stdout" 2>"$request_dir/stderr" || {
|
||||
write_status "$request_dir" 1
|
||||
log_action "packet-capture" "interface=$iface stdout=1" 1
|
||||
return
|
||||
}
|
||||
else
|
||||
"${cmd[@]}" >"$request_dir/stdout" 2>"$request_dir/stderr" || {
|
||||
write_status "$request_dir" 1
|
||||
log_action "packet-capture" "interface=$iface stdout=0" 1
|
||||
return
|
||||
}
|
||||
fi
|
||||
write_status "$request_dir" 0
|
||||
log_action "packet-capture" "interface=$iface stdout=$stdout_mode" 0
|
||||
}
|
||||
|
||||
while true; do
|
||||
shopt -s nullglob
|
||||
request_dirs=("$queue_dir"/*.req)
|
||||
shopt -u nullglob
|
||||
if [[ ${#request_dirs[@]} -eq 0 ]]; then
|
||||
sleep 1
|
||||
continue
|
||||
fi
|
||||
for request_dir in "${request_dirs[@]}"; do
|
||||
[[ -d $request_dir ]] || continue
|
||||
[[ ! -f "$request_dir/status" ]] || continue
|
||||
op=$(<"$request_dir/op")
|
||||
: >"$request_dir/stdout"
|
||||
: >"$request_dir/stderr"
|
||||
case "$op" in
|
||||
apt-install)
|
||||
run_apt_install "$request_dir"
|
||||
;;
|
||||
packet-capture)
|
||||
run_packet_capture "$request_dir"
|
||||
;;
|
||||
*)
|
||||
printf 'unknown operation %s\n' "$op" >"$request_dir/stderr"
|
||||
write_status "$request_dir" 2
|
||||
log_action "$op" "unknown=1" 2
|
||||
;;
|
||||
esac
|
||||
done
|
||||
done
|
||||
Reference in New Issue
Block a user