#
# spec file for package rpmlint-integration-test
#
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
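Name: rpmlint-integration-test
Version: 0.1.0
Release: 0
Summary: Integration test for rpmlint 2.0 security related whitelistings
License: GPL-2.0-or-later
# Group (and the header comment above) appear to be inherited from the
# rocket.term spec this file was derived from; left untouched because this
# fixture exists to exercise rpmlint's output and tag changes may alter it
Group: Productivity/Networking/Instant Messenger
URL: https://www.suse.com/security
BuildRequires: rpmlint-mini
BuildRequires: cron
BuildRequires: polkit
# %%install compiles several throwaway binaries with gcc; declare it instead
# of relying on the build environment to provide it implicitly
BuildRequires: gcc
# legacy PreReq tag; kept as-is for the same reason as Group above
PreReq: permissions
# all sources are prebuilt fixture files, no source tarball is involved
Source1: com.suse.dbus.testing.conf
Source2: matomo-archive
Source3: postfix-perms
Source4: org.opensuse.broken.policy
Source5: org.opensuse.rpmlint-test.policy
Source6: org.freedesktop.policykit.policy
Source7: valid.rpmlint_cron
Source8: valid.rpmlint_polkit_rules
Source9: valid.rpmlint_dbus
Source10: valid.permissions
Source11: valid.sudoers
Source12: valid.zypper_plugin
Source13: valid.sysctl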
%description
This package verifies that the current rpmlint 2.0 integration in Factory
still behaves the way the SUSE Security Team needs it. The idea is that this
package triggers all the different variants of whitelist violations and
related findings. An internal Jenkins job then verifies the build log output.
%prep
%build
%install
# Populate the buildroot with one deliberately offending (and, per check,
# usually one validly whitelisted) instance of every file class covered by the
# SUSE security whitelisting checks in rpmlint 2.0. Nothing is built from a
# source tarball, so %%prep and %%build are intentionally empty.
# D-Bus whitelisting check
# ########################
# these should all be complained about
# the same unwhitelisted config is dropped into all three D-Bus system
# directories; funny.conf is a symlink pointing outside the package
mkdir -p %{buildroot}/etc/dbus-1/system.d
cp %{SOURCE1} %{buildroot}/etc/dbus-1/system.d/
ln -s /etc/fstab %{buildroot}/etc/dbus-1/system.d/funny.conf
mkdir -p %{buildroot}/usr/share/dbus-1/system.d
cp %{SOURCE1} %{buildroot}/usr/share/dbus-1/system.d/
mkdir -p %{buildroot}/usr/share/dbus-1/system-services
cp %{SOURCE1} %{buildroot}/usr/share/dbus-1/system-services/
# existing but mismatching whitelisting (reuse the "valid" whitelisting to
# avoid XML parse errors)
cp %{SOURCE9} %{buildroot}/etc/dbus-1/system.d/rpmlint_mismatch.conf
# valid whitelisting
cp %{SOURCE9} %{buildroot}/etc/dbus-1/system.d/rpmlint_test.conf
# this should trigger an XML parse error and thus E: dbus-file-parse-error
echo "nonense" >%{buildroot}/usr/share/dbus-1/system.d/nonsense.conf
# cron whitelisting check
# #######################
# these should all be complained about
# empty, unwhitelisted cron jobs in every cron drop-in directory;
# myghostcron is packaged as %%ghost in %%files
mkdir -p %{buildroot}/etc/cron.d
touch %{buildroot}/etc/cron.d/mycron
mkdir -p %{buildroot}/etc/cron.hourly
touch %{buildroot}/etc/cron.hourly/mycron
mkdir -p %{buildroot}/etc/cron.daily
touch %{buildroot}/etc/cron.daily/mycron
mkdir -p %{buildroot}/etc/cron.weekly
touch %{buildroot}/etc/cron.weekly/mycron
mkdir -p %{buildroot}/etc/cron.monthly
touch %{buildroot}/etc/cron.monthly/mycron
touch %{buildroot}/etc/cron.monthly/myghostcron
# this has a whitelisting but a different digest, which should trigger an
# according error and badness
echo "this should fail" >%{buildroot}/etc/cron.hourly/rpmlint_mismatch
# this has a valid digest but comes from a different package so it should be
# complained about
cp %{SOURCE2} %{buildroot}/etc/cron.d/matomo-archive
# a validly whitelisted cron job that should *not* be complained about
install -m755 %{SOURCE7} %{buildroot}/etc/cron.hourly/rpmlint_cron
# polkit rules whitelisting check
# ###############################
# these should all be complained about
mkdir -p %{buildroot}/etc/polkit-default-privs.d/
touch %{buildroot}/etc/polkit-default-privs.d/myrules
mkdir -p %{buildroot}/etc/polkit-1/rules.d/
touch %{buildroot}/etc/polkit-1/rules.d/myrules
mkdir -p %{buildroot}/usr/share/polkit-1/rules.d/
touch %{buildroot}/usr/share/polkit-1/rules.d/myrules
# this is from polkit-default-privs but should not work for our test package
touch %{buildroot}/etc/polkit-1/rules.d/90-default-privs.rules
# a symlink in rules.d pointing outside the package
ln -s /etc/fstab %{buildroot}/usr/share/polkit-1/rules.d/linkedrules
# a file that is whitelisted but with a different digest
cp %{SOURCE8} %{buildroot}/usr/share/polkit-1/rules.d/00-mismatch.rules
# a valid rpmlint-rules file that is actually whitelisted
cp %{SOURCE8} %{buildroot}/usr/share/polkit-1/rules.d/00-rpmlint.rules
# polkit policy whitelisting check
# ################################
# a broken policy and an rpmlint-test policy; both are expected to be
# complained about
mkdir -p %{buildroot}/usr/share/polkit-1/actions
cp %{SOURCE4} %{buildroot}/usr/share/polkit-1/actions
cp %{SOURCE5} %{buildroot}/usr/share/polkit-1/actions
# a valid policy we hijack from PackageKit
cp %{SOURCE6} %{buildroot}/usr/share/polkit-1/actions
# a symlink in the actions directory pointing outside the package
ln -s /etc/fstab %{buildroot}/usr/share/polkit-1/actions/linked.policy
# permissions drop-in whitelisting check
# ######################################
# empty, unwhitelisted permissions drop-ins in both drop-in locations
mkdir -p %{buildroot}/etc/permissions.d/
touch %{buildroot}/etc/permissions.d/myperms
mkdir -p %{buildroot}/usr/share/permissions/permissions.d/
touch %{buildroot}/usr/share/permissions/permissions.d/myperms
# this has a valid digest but comes from a different package so it should be
# complained about
cp %{SOURCE3} %{buildroot}/etc/permissions.d/postfix
# a symlink and an unparseable drop-in
ln -s /etc/fstab %{buildroot}/etc/permissions.d/linkperms
echo "strange stuff" >%{buildroot}/etc/permissions.d/broken
# this is a valid whitelisting that should *not* be complained about
cp %{SOURCE10} %{buildroot}/etc/permissions.d/valid
# this should trigger a digest mismatch
cp %{SOURCE10} %{buildroot}/etc/permissions.d/mismatch
# permissions set*id, capabilities whitelisting check
# ###################################################
# minimal binaries are compiled on the fly with gcc; gcc is not declared in
# BuildRequires above, so the build environment is assumed to provide it
mkdir -p %{buildroot}/usr/bin
echo "int main() {}" | gcc -xc -o %{buildroot}/usr/bin/setuidbin -
# setuid binary without a permissions whitelisting
chmod 4755 %{buildroot}/usr/bin/setuidbin
echo "int main() {}" | gcc -xc -o %{buildroot}/usr/bin/setgidbin -
# setgid binary without a permissions whitelisting
chmod 2755 %{buildroot}/usr/bin/setgidbin
# capabilities are assigned via %%caps in %%files, not here
echo "int main() {}" | gcc -xc -o %{buildroot}/usr/bin/capbin -
# setgid directory
mkdir -p %{buildroot}/var/lib/giddir
chmod 2755 %{buildroot}/var/lib/giddir
# claim an existing permissions entry but place a symlink there to trigger
# permissions-symlink. note that this is not a security problem per se and
# will not cause badness
ln -s /etc/fstab %{buildroot}/usr/bin/at
# testing a valid permissions entry. since these are not coupled to package
# names at the moment we simply hijack one for another package
# (the 4750 mode matches the %%attr in %%files and the %%set_permissions
# call in %%post)
echo "int main() {}" | gcc -xc -o %{buildroot}/usr/bin/crontab -
chmod 4750 %{buildroot}/usr/bin/crontab
# PAM whitelisting check
# ######################
# brace expansion (a bash feature) creates both the lib and lib64 variants,
# but only the lib64 directories are populated and packaged below
mkdir -p %{buildroot}/usr/lib{,64}/security
mkdir -p %{buildroot}/lib{,64}/security
# empty, unwhitelisted PAM modules in both module directories
touch %{buildroot}/usr/lib64/security/mypam.so
touch %{buildroot}/lib64/security/mypam.so
# this is whitelisted but only for the pam_krb5 package, so should be
# complained about
touch %{buildroot}/lib64/security/pam_krb5.so
# a valid "PAM module" that is whitelisted
echo "int fake_pam() {}" | gcc -xc -shared -o %{buildroot}/usr/lib64/security/pam_rpmlint.so -
# Device File Whitelisting Check
# ##############################
# only the parent directories are created; the device nodes themselves are
# never placed in the buildroot
mkdir -p %{buildroot}/var/lib/funnypkg
mkdir -p %{buildroot}/mydev
# the rest is handled in %%files via %%ghost and %%attr
# World Writable Files Check
# ##########################
# world-writable regular file without any whitelisting
touch %{buildroot}/var/lib/funnypkg/sharedfile
chmod 666 %{buildroot}/var/lib/funnypkg/sharedfile
# the /run entries are packaged as %%ghost in %%files
mkdir -p %{buildroot}/run/rpmlint
# validly whitelisted
touch %{buildroot}/run/rpmlint/socket
chmod 666 %{buildroot}/run/rpmlint/socket
# mismatch in mode bits
touch %{buildroot}/run/rpmlint/mismatch
chmod 666 %{buildroot}/run/rpmlint/mismatch
# mismatch in ownership
# NOTE(review): no owner/group is set here (no chown, no %%attr in %%files),
# so the ownership mismatch presumably comes from the whitelist entry itself;
# mode 662 also still leaves the file world-writable - confirm this is the
# intended trigger
touch %{buildroot}/run/rpmlint/mismatch2
chmod 662 %{buildroot}/run/rpmlint/mismatch2
# sudoers.d Whitelisting Check
# ############################
# unwhitelisted content, content with a mismatching digest, a symlink and a
# drop-in expected to be whitelisted by digest
mkdir -p %{buildroot}/etc/sudoers.d
echo "arbitrary stuff" >%{buildroot}/etc/sudoers.d/unauthorized-rules
echo "more strange stuff" >%{buildroot}/etc/sudoers.d/mismatching-rules
ln -s /etc/fstab %{buildroot}/etc/sudoers.d/linked-rules
cp %{SOURCE11} %{buildroot}/etc/sudoers.d/valid-but-evil-rules
# sysctl Whitelisting Check
# #########################
# same four variants as for sudoers.d
mkdir -p %{buildroot}/usr/lib/sysctl.d
echo "arbitrary stuff" >%{buildroot}/usr/lib/sysctl.d/unauthorized.conf
echo "more strange stuff" >%{buildroot}/usr/lib/sysctl.d/mismatch.conf
ln -s /etc/fstab %{buildroot}/usr/lib/sysctl.d/linked.conf
cp %{SOURCE13} %{buildroot}/usr/lib/sysctl.d/valid.conf
# zypper plugins check
# ####################
# unwhitelisted plugin, plugin with a mismatching digest and a plugin expected
# to be whitelisted by digest
mkdir -p %{buildroot}/usr/lib/zypp/plugins/commit
echo "arbitrary stuff" >%{buildroot}/usr/lib/zypp/plugins/commit/unauthorized-plugin.sh
echo "strange stuff" >%{buildroot}/usr/lib/zypp/plugins/commit/mismatching-plugin.sh
cp %{SOURCE12} %{buildroot}/usr/lib/zypp/plugins/commit/test-plugin.sh
# systemd-tmpfiles check
# ######################
mkdir -p %{buildroot}/usr/lib/tmpfiles.d
# a tmpfiles.d entry that would create a setuid file
echo "f /some/where 4755 root root -" >%{buildroot}/usr/lib/tmpfiles.d/mytmpfile.conf
# an unparseable tmpfiles.d line
echo '$' >%{buildroot}/usr/lib/tmpfiles.d/brokentmpfile.conf
# a relative symlink to a conf file within the same directory
ln -s mytmpfile.conf %{buildroot}/usr/lib/tmpfiles.d/linkedtmpfile.conf
%files
# File list mirroring the %%install section above; %%ghost entries cover files
# that are never created in the buildroot but claimed by the package.
# D-Bus whitelisting check
# ########################
%config /etc/dbus-1/system.d/*.conf
# NOTE(review): funny.conf and rpmlint_test.conf below are already matched by
# the *.conf glob above, so rpm is expected to report them as listed twice -
# harmless, but confirm the explicit entries are intended
/etc/dbus-1/system.d/funny.conf
/usr/share/dbus-1/system.d/*.conf
/usr/share/dbus-1/system-services/*.conf
# for whitelisted entries ghost files should be complained about
# (cups.conf is never created in %%install; see the disabled touch in %%post)
%ghost /etc/dbus-1/system.d/cups.conf
/etc/dbus-1/system.d/rpmlint_test.conf
# cron whitelisting check
# #######################
# the glob covers cron.d as well as cron.{hourly,daily,weekly,monthly}
%config /etc/cron.*/mycron
%config /etc/cron.d/matomo-archive
%ghost /etc/cron.monthly/myghostcron
%config /etc/cron.hourly/rpmlint_cron
%config /etc/cron.hourly/rpmlint_mismatch
# polkit rules whitelisting check
# ###############################
# covers both /etc/polkit-default-privs.d and /etc/polkit-1 (incl. rules.d)
%dir /etc/polkit*/
/etc/polkit*/*
/usr/share/polkit-1/rules.d/*
%ghost /usr/share/polkit-1/rules.d/ghost.rules
# polkit policy whitelisting check
# ################################
/usr/share/polkit-1/actions/*.policy
%ghost /usr/share/polkit-1/actions/ghost.policy
# permissions drop-in whitelisting check
# ######################################
%dir /etc/permissions.d
/etc/permissions.d/myperms
/etc/permissions.d/postfix
/etc/permissions.d/linkperms
/etc/permissions.d/broken
/etc/permissions.d/valid
/etc/permissions.d/mismatch
%dir /usr/share/permissions/permissions.d
/usr/share/permissions/permissions.d/myperms
%ghost /etc/permissions.d/ghostperms
# permissions set*id, capabilities whitelisting check
# modes come from the buildroot (4755 and 2755, see %%install)
/usr/bin/{setuid,setgid}bin
# packaging capabilities is not supported anyway, but we check this
# restriction, too
%caps(cap_net_admin=ep) /usr/bin/capbin
# setgid directory
/var/lib/giddir
# symlink placed at a path with an existing permissions entry
/usr/bin/at
# matches the chmod 4750 in %%install and the %%set_permissions call in %%post
%attr(4750,root,trusted) /usr/bin/crontab
# PAM whitelisting check
# ######################
/usr/lib64/security/*.so
/lib64/security/*.so
%ghost /usr/lib64/security/ghostpam.so
# Device File Whitelisting Check
# ##############################
# all device nodes are %%ghost + %%dev; none exist in the buildroot
%dir /var/lib/funnypkg
%ghost /var/lib/funnypkg/funnycdev
%attr(0660, root, root) %dev(c, 1, 5) /var/lib/funnypkg/funnycdev
%ghost /var/lib/funnypkg/funnybdev
%attr(0660, root, root) %dev(b, 8, 5) /var/lib/funnypkg/funnybdev
%dir /mydev
# validly whitelisted
%ghost /mydev/mychr
%attr(0666, root, root) %dev(c, 1, 3) /mydev/mychr
# validly whitelisted
%ghost /mydev/myblk
%attr(0666, root, root) %dev(b, 1, 8) /mydev/myblk
# mismatch
%ghost /mydev/myblk2
%attr(0666, root, root) %dev(b, 1, 9) /mydev/myblk2
# World Writable Files Check
# ##########################
%dir /run/rpmlint
# mode 0666 taken from the buildroot, no whitelisting
/var/lib/funnypkg/sharedfile
%ghost /run/rpmlint/socket
%ghost /run/rpmlint/mismatch
%ghost /run/rpmlint/mismatch2
# sudoers.d Whitelisting Check
# ############################
/etc/sudoers.d/linked-rules
/etc/sudoers.d/unauthorized-rules
/etc/sudoers.d/mismatching-rules
/etc/sudoers.d/valid-but-evil-rules
%ghost /etc/sudoers.d/ghost-rules
%dir /etc/sudoers.d
# sysctl Whitelisting Check
# #########################
/usr/lib/sysctl.d/linked.conf
/usr/lib/sysctl.d/unauthorized.conf
/usr/lib/sysctl.d/mismatch.conf
/usr/lib/sysctl.d/valid.conf
%ghost /usr/lib/sysctl.d/ghost.conf
%dir /usr/lib/sysctl.d
# zypper plugins check
# ####################
%dir /usr/lib/zypp
%dir /usr/lib/zypp/plugins
%dir /usr/lib/zypp/plugins/commit
/usr/lib/zypp/plugins/commit/unauthorized-plugin.sh
/usr/lib/zypp/plugins/commit/mismatching-plugin.sh
/usr/lib/zypp/plugins/commit/test-plugin.sh
%ghost /usr/lib/zypp/plugins/commit/ghost-plugin.sh
# systemd-tmpfiles check
# ######################
/usr/lib/tmpfiles.d/mytmpfile.conf
%ghost /usr/lib/tmpfiles.d/myghosttmpfile.conf
/usr/lib/tmpfiles.d/linkedtmpfile.conf
/usr/lib/tmpfiles.d/brokentmpfile.conf
%post
# cups.conf is packaged as %%ghost in %%files; creating it at install time is
# currently disabled
#touch /etc/dbus-1/system.d/cups.conf
# applies the permissions profile for the crontab stand-in (4750 root:trusted
# as declared via %%attr in %%files); PreReq: permissions provides the macro
%set_permissions %{_bindir}/crontab
%verifyscript
# lets rpm -V report deviations from the permissions profile for crontab
%verify_permissions -e %{_bindir}/crontab
%changelog