Pull request 2284: AG-32257-file-permission-mitigation

Squashed commit of the following: commit 6e0e61ec2e95a563b04a622f46c6bbe2b2e12711 Merge: e3cccc01a 5b5b39713 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Oct 2 20:51:29 2024 +0300 Merge branch 'master' into AG-32257-file-permission-mitigation commit e3cccc01a9cbd382cec0fcd7f3685e43acb48424 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Oct 2 19:57:32 2024 +0300 dnsforward: imp test commit 16ecebbc2fd2f4afe2bf475774af1786fa7a02c0 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Oct 2 19:22:10 2024 +0300 configmigrate: imp tests commit da8777c3a7c81e17c0d08cfff4e3a9c8d2bbd649 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Oct 2 18:58:46 2024 +0300 all: imp types, tests commit 58822a0ef8aa2d944a667d1ba77fe23ff52af424 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Oct 2 18:28:37 2024 +0300 all: imp chlog commit 8ce81f918cc5cf43972e2045532a48c829257a2f Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Oct 2 18:09:57 2024 +0300 all: improve permissions, add safe_fs_patterns
2024-10-02 21:00:15 +03:00
parent 5b5b397132
commit 355cec1d7b
31 changed files with 879 additions and 52 deletions
--- a/internal/home/controlinstall.go
+++ b/internal/home/controlinstall.go
@@ -270,9 +270,9 @@ DNSStubListener=no
 const resolvConfPath = "/etc/resolv.conf"

 // Deactivate DNSStubListener
-func disableDNSStubListener() error {
+func disableDNSStubListener() (err error) {
 	dir := filepath.Dir(resolvedConfPath)
-	err := os.MkdirAll(dir, 0o755)
+	err = os.MkdirAll(dir, 0o755)
 	if err != nil {
 		return fmt.Errorf("os.MkdirAll: %s: %w", dir, err)
 	}
@@ -413,9 +413,12 @@ func (web *webAPI) handleInstallConfigure(w http.ResponseWriter, r *http.Request
 	copyInstallSettings(curConfig, config)

 	Context.firstRun = false
-	config.HTTPConfig.Address = netip.AddrPortFrom(req.Web.IP, req.Web.Port)
 	config.DNS.BindHosts = []netip.Addr{req.DNS.IP}
 	config.DNS.Port = req.DNS.Port
+	config.Filtering.SafeFSPatterns = []string{
+		filepath.Join(Context.workDir, userFilterDataDir, "*"),
+	}
+	config.HTTPConfig.Address = netip.AddrPortFrom(req.Web.IP, req.Web.Port)

 	u := &webUser{
 		Name: req.Username,