all: sync with master

2024-12-05 16:00:18 +03:00
parent 54f3a5f990
commit 3f95db98d3
143 changed files with 3476 additions and 2959 deletions
--- a/internal/permcheck/security_unix.go
+++ b/internal/permcheck/security_unix.go
@@ -0,0 +1,123 @@
+//go:build unix
+
+package permcheck
+
+import (
+	"context"
+	"fmt"
+	"io/fs"
+	"log/slog"
+	"os"
+	"path/filepath"
+
+	"github.com/AdguardTeam/golibs/container"
+	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/logutil/slogutil"
+)
+
+// entity is a filesystem entity with a path and a flag indicating whether it is
+// a directory.
+type entity = container.KeyValue[string, bool]
+
+// entities returns a list of filesystem entities that need to be ranged over.
+//
+// TODO(a.garipov): Put all paths in one place and remove this duplication.
+func entities(workDir, dataDir, statsDir, querylogDir, confFilePath string) (ents []entity) {
+	ents = []entity{{
+		Key:   workDir,
+		Value: true,
+	}, {
+		Key:   confFilePath,
+		Value: false,
+	}, {
+		Key:   dataDir,
+		Value: true,
+	}, {
+		Key:   filepath.Join(dataDir, "filters"),
+		Value: true,
+	}, {
+		Key:   filepath.Join(dataDir, "sessions.db"),
+		Value: false,
+	}, {
+		Key:   filepath.Join(dataDir, "leases.json"),
+		Value: false,
+	}}
+
+	if dataDir != querylogDir {
+		ents = append(ents, entity{
+			Key:   querylogDir,
+			Value: true,
+		})
+	}
+	ents = append(ents, entity{
+		Key:   filepath.Join(querylogDir, "querylog.json"),
+		Value: false,
+	}, entity{
+		Key:   filepath.Join(querylogDir, "querylog.json.1"),
+		Value: false,
+	})
+
+	if dataDir != statsDir {
+		ents = append(ents, entity{
+			Key:   statsDir,
+			Value: true,
+		})
+	}
+	ents = append(ents, entity{
+		Key: filepath.Join(statsDir, "stats.db"),
+	})
+
+	return ents
+}
+
+// checkPath checks the permissions of a single filesystem entity.  The results
+// are logged at the appropriate level.
+func checkPath(ctx context.Context, l *slog.Logger, entPath string, want fs.FileMode) {
+	l = l.With("path", entPath)
+
+	s, err := os.Stat(entPath)
+	if err != nil {
+		lvl := slog.LevelError
+		if errors.Is(err, os.ErrNotExist) {
+			lvl = slog.LevelDebug
+		}
+
+		l.Log(ctx, lvl, "checking permissions", slogutil.KeyError, err)
+
+		return
+	}
+
+	// TODO(a.garipov): Add a more fine-grained check and result reporting.
+	perm := s.Mode().Perm()
+	if perm == want {
+		return
+	}
+
+	permOct, wantOct := fmt.Sprintf("%#o", perm), fmt.Sprintf("%#o", want)
+	l.WarnContext(ctx, "found unexpected permissions", "perm", permOct, "want", wantOct)
+}
+
+// chmodPath changes the permissions of a single filesystem entity.  The results
+// are logged at the appropriate level.
+func chmodPath(ctx context.Context, l *slog.Logger, entPath string, fm fs.FileMode) {
+	var lvl slog.Level
+	var msg string
+	args := []any{"path", entPath}
+
+	switch err := os.Chmod(entPath, fm); {
+	case err == nil:
+		lvl = slog.LevelInfo
+		msg = "changed permissions"
+	case errors.Is(err, os.ErrNotExist):
+		lvl = slog.LevelDebug
+		msg = "checking permissions"
+		args = append(args, slogutil.KeyError, err)
+	default:
+		lvl = slog.LevelError
+		msg = "cannot change permissions; this can leave your system vulnerable, see " +
+			"https://adguard-dns.io/kb/adguard-home/running-securely/#os-service-concerns"
+		args = append(args, "target_perm", fmt.Sprintf("%#o", fm), slogutil.KeyError, err)
+	}
+
+	l.Log(ctx, lvl, msg, args...)
+}