[Rpm-maint] [PATCH 1/2] Extending rpm plugin interface, part 1

Panu Matilainen pmatilai at laiskiainen.org
Thu Nov 15 13:58:25 UTC 2012 

On 11/12/2012 10:50 AM, Reshetova, Elena wrote:
>> Scripts run with all the powers that rpm itself has, and there's not a
> whole lot that can be done about it: scriptlets expect to, and often need
> to, do all sorts of crazy things.
>
> True, but we would actually like to be able to limit things that scripts can
> do. It is ok for a script to create a new file or to call ldconfig, but in
> our setup it is not ok for script to start relabeling the xattrs on
> filesystem (you can do this with CAP_MAC_ADMIN for example) or rewriting
> important system files (you can do this with CAP_MAC_OVERRIDE and
> CAP_DAC_OVERRIDE).

Understood, and I see nothing wrong with wanting to limit the damage 
rogue/runaway scriptlets can do. If you control the entire package set 
and compatibility with arbitrary 3rd party "big vendor" packages (which 
are the ones that traditionally do utterly crazy things) isn't an issue 
then certainly some level of added control is possible.

>
>> The differences from regular exec()'ed scripts and Lua-ones are basically:
>> - As Lua scripts run in the rpm process space, some extra protection is
> needed, like saving + restoring current working directory, umask and
> preventing Lua scriptlet from exec()'ing or exit()'ing the process.
> Just out of interest, is there are reason for them actually to run in rpm
> process space as opposite to doing the same as for regular scripts?

The most important use-case is to make it possible to run scripts when 
even /bin/sh is not available. Such as %pretrans scripts on initial 
install - there simply nothing to exec() in that environment. Or if the 
package containing /bin/sh or one of its dependencies needs scripts, 
there's no other choice than an embedded script during initial install.
Related to that, one can avoid problematic external dependencies in the 
early "bootstrap" stages of initial install.

It also allows some things that aren't really possible otherwise, such 
as manipulating macros and "communicating" with other packages through 
the global Lua environment (and in theory, accessing rpmdb but that's 
not implemented), which would not be possible in an externally executed 
script.

It would be possible to fork() for the execution of embedded scripts 
without compromising the main use-case of early install, but it would 
break some possible uses of the second group. Whether that's a good or 
bad thing... is a different question. I dunno if anybody is actually 
using the current possibilities in that area.

>> - There are no context switches for Lua scripts in SELinux world
>> currently: Lua scripts run with rpm_exec_t context, "regular" scripts run
> with rpm_script_t. But both are practically omnipotent contexts, because
> they have to be.
>
> Stephen, do you have any plans related to Lua-scripts?
> I guess the reason it wasn't touched so far is the same as for us: when
> script is run in the same context, very little can be done to make it with
> little priviledge and still be able to continue rpm operation.

See above, I suppose we could add a configuration/compile-time switch or 
such to fork() the embedded script execution and then you wouldn't have 
to worry about getting the privileges back.

>
>> Oh, I meant the common pre- and post-hook pattern seems like it would make
> sense for scripts too in any case, regardless of whether it helps solving
> the context issue. It *might* in the SELinux case, but a post-hook could
> have some other entirely different uses, and it'd make the whole thing a bit
> more >symmetric :)
>
> Sure, I can make the hooks to follow the same principle. Just I would need
> to understand how the post-hook would be used in order to figure out proper
> arguments and decide if we want it to be called if script fails or not.
> I guess I would rather call post-hook then even if script has failed, but
> juts indicate the failure. What do you think should be the argument of
> post-script hook? Return code from the script (to know if it failed or not)
> and maybe script path again then?

Good question... symmetry is usually good, so I guess the post-hook 
should be always called if pre-hook was called. Script path + return 
code as arguments seems like a reasonably starting point at least. (I'm 
not really even dreaming of getting every single detail 100% right the 
first time :)

And like said, I think the plugin hooks should get called with embedded 
scripts too. It'll probably need another argument to let the plugins 
know whether an internal or external script is about to be executed - 
you could eg just deny execution of internal scripts from non-trusted 
sources then, without disabling lua entirely.

	- Panu -

>
> Best Regards,
> Elena.
>

More information about the Rpm-maint mailing list