🌱 Harden config path and make sure are not rootfs-dependant (kairos-i…

…o#348) Signed-off-by: Ettore Di Giacinto <mudler@users.noreply.github.com> Signed-off-by: Ettore Di Giacinto <mudler@users.noreply.github.com>
c0ffee · Nov 1, 2022 · 1e68834 · 1e68834
1 parent 785c19b
commit 1e68834
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 3 deletions.
diff --git a/overlay/files/system/oem/11_persistency.yaml b/overlay/files/system/oem/11_persistency.yaml
@@ -65,7 +65,7 @@ stages:
         expand_partition:
           # Size 0 is required to specify all remaining space
           size: 0
-  boot:
+  fs.after:
   - if: "[ ! -d /usr/local/cloud-config ]"
     commands:
     - mkdir /usr/local/cloud-config

diff --git a/overlay/files/system/oem/27_harderning.yaml b/overlay/files/system/oem/27_harderning.yaml
@@ -0,0 +1,13 @@
+name: "Security configuration hardening"
+stages:
+    initramfs:
+    - name: "Ensure runtime permission"
+      if: '[ -e "/oem" ]'
+      commands:
+      - chown -R root:admin /oem
+      - chmod 770 /oem
+    - name: "Ensure runtime permission"
+      if: '[ -e "/usr/local/cloud-config" ]'
+      commands:
+      - chown -R root:admin /usr/local/cloud-config
+      - chmod 770 /usr/local/cloud-config
diff --git a/tests/autoinstall_test.go b/tests/autoinstall_test.go
@@ -134,6 +134,16 @@ var _ = Describe("kairos autoinstall test", Label("autoinstall-test"), func() {
 			Expect(out).To(ContainSubstring("bpf"))
 		})
 
+		It("has correct permissions", func() {
+			out, err := Sudo(`stat -c "%a" /oem`)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(out).To(ContainSubstring("770"))
+
+			out, err = Sudo(`stat -c "%a" /usr/local/cloud-config`)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(out).To(ContainSubstring("770"))
+		})
+
 		It("has grubmenu", func() {
 			out, err := Sudo("cat /run/initramfs/cos-state/grubmenu")
 			Expect(err).ToNot(HaveOccurred())

diff --git a/tests/reset_test.go b/tests/reset_test.go
@@ -76,10 +76,10 @@ var _ = Describe("kairos reset test", Label("reset-test"), func() {
 		})
 
 		It("resets", func() {
-			_, err := Sudo("echo 'test' > /usr/local/test")
+			_, err := Sudo("touch /usr/local/test")
 			Expect(err).ToNot(HaveOccurred())
 
-			_, err = Sudo("echo 'testoem' > /oem/test")
+			_, err = Sudo("touch /oem/test")
 			Expect(err).ToNot(HaveOccurred())
 
 			HasFile("/oem/test")