Merge pull request cfengine#5833 from larsewi/immut

ENT-10961, CFE-1840: Files promise can now modify immutable bit in file system attributes

Author: larsewi

cf-agent/acl_posix.c

@@ -33,6 +33,8 @@
 #include <rlist.h>
 #include <eval_context.h>
 #include <unix.h>               /* GetGroupID(), GetUserID() */
+#include <override_fsattrs.h>
+#include <fsattrs.h>
 
 #ifdef HAVE_ACL_H
 # include <acl.h>
@@ -389,6 +391,11 @@ static bool CheckPosixLinuxACEs(EvalContext *ctx, Rlist *aces, AclMethod method,
                 acl_free(acl_text_str);
                 return false;
             }
+
+            bool was_immutable = false;
+            const bool override_immutable = EvalContextOverrideImmutableGet(ctx);
+            FSAttrsResult res = TemporarilyClearImmutableBit(changes_path, override_immutable, &was_immutable);
+
             if ((retv = acl_set_file(changes_path, acl_type, acl_new)) != 0)
             {
                 RecordFailure(ctx, pp, a,
@@ -406,6 +413,8 @@ static bool CheckPosixLinuxACEs(EvalContext *ctx, Rlist *aces, AclMethod method,
             }
             acl_free(acl_text_str);
 
+            ResetTemporarilyClearedImmutableBit(changes_path, override_immutable, res, was_immutable);
+
             RecordChange(ctx, pp, a, "%s ACL on '%s' successfully changed", acl_type_str, file_path);
             *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE);
         }

cf-agent/files_edit.c

@@ -128,7 +128,7 @@ void FinishEditContext(EvalContext *ctx, EditContext *ec, const Attributes *a, c
                 RecordNoChange(ctx, pp, a, "No edit changes to file '%s' need saving",
                                ec->filename);
             }
-            else if (SaveItemListAsFile(ec->file_start, ec->changes_filename, a, ec->new_line_mode))
+            else if (SaveItemListAsFile(ctx, ec->file_start, ec->changes_filename, a, ec->new_line_mode))
             {
                 RecordChange(ctx, pp, a, "Edited file '%s'", ec->filename);
                 *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE);
@@ -151,7 +151,7 @@ void FinishEditContext(EvalContext *ctx, EditContext *ec, const Attributes *a, c
                                    ec->filename);
                 }
             }
-            else if (SaveXmlDocAsFile(ec->xmldoc, ec->changes_filename, a, ec->new_line_mode))
+            else if (SaveXmlDocAsFile(ctx, ec->xmldoc, ec->changes_filename, a, ec->new_line_mode))
             {
                 RecordChange(ctx, pp, a, "Edited xml file '%s'", ec->filename);
                 *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE);
@@ -254,8 +254,8 @@ static bool SaveXmlCallback(const char *dest_filename, void *param,
 
 /*********************************************************************/
 
-bool SaveXmlDocAsFile(xmlDocPtr doc, const char *file, const Attributes *a, NewLineMode new_line_mode)
+bool SaveXmlDocAsFile(EvalContext *ctx, xmlDocPtr doc, const char *file, const Attributes *a, NewLineMode new_line_mode)
 {
-    return SaveAsFile(&SaveXmlCallback, doc, file, a, new_line_mode);
+    return SaveAsFile(ctx, &SaveXmlCallback, doc, file, a, new_line_mode);
 }
 #endif /* HAVE_LIBXML2 */

cf-agent/files_edit.h

@@ -61,7 +61,7 @@ void FinishEditContext(EvalContext *ctx, EditContext *ec,
 
 #ifdef HAVE_LIBXML2
 bool LoadFileAsXmlDoc(xmlDocPtr *doc, const char *file, EditDefaults ed, bool only_checks);
-bool SaveXmlDocAsFile(xmlDocPtr doc, const char *file,
+bool SaveXmlDocAsFile(EvalContext *ctx, xmlDocPtr doc, const char *file,
                       const Attributes *a, NewLineMode new_line_mode);
 #endif
 

cf-agent/verify_files.c

@@ -60,6 +60,8 @@
 #include <evalfunction.h>
 #include <changes_chroot.h>     /* PrepareChangesChroot(), RecordFileChangedInChroot() */
 #include <cf3.defs.h>
+#include <fsattrs.h>
+#include <override_fsattrs.h>
 
 static PromiseResult FindFilePromiserObjects(EvalContext *ctx, const Promise *pp);
 static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promise *pp);
@@ -345,6 +347,67 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi
         changes_path = chrooted_path;
     }
 
+    bool is_immutable = false; /* We assume not in case of failure */
+    FSAttrsResult res = FSAttrsGetImmutableFlag(changes_path, &is_immutable);
+    if (res != FS_ATTRS_SUCCESS)
+    {
+        Log((res == FS_ATTRS_FAILURE) ? LOG_LEVEL_ERR : LOG_LEVEL_VERBOSE,
+            "Failed to get the state of the immutable bit from file '%s': %s",
+            changes_path, FSAttrsErrorCodeToString(res));
+    }
+
+    if (a.havefsattrs && a.fsattrs.haveimmutable && !a.fsattrs.immutable)
+    {
+        /* Here we only handle the clearing of the immutable bit. Later we'll
+         * handle the setting of the immutable bit. */
+        if (is_immutable)
+        {
+            res = FSAttrsUpdateImmutableFlag(changes_path, false);
+            switch (res)
+            {
+            case FS_ATTRS_SUCCESS:
+                RecordChange(ctx, pp, &a,
+                             "Cleared the immutable bit on file '%s'",
+                             changes_path);
+                result = PromiseResultUpdate(result, PROMISE_RESULT_CHANGE);
+                break;
+            case FS_ATTRS_FAILURE:
+                RecordFailure(ctx, pp, &a,
+                              "Failed to clear the immutable bit on file '%s'",
+                              changes_path);
+                result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
+                break;
+            case FS_ATTRS_NOT_SUPPORTED:
+                /* We will not treat this as a promise failure because this
+                 * will happen on many platforms and filesystems. Instead we
+                 * will log a verbose message to make it apparent for the
+                 * users. */
+                Log(LOG_LEVEL_VERBOSE,
+                    "Failed to clear the immutable bit on file '%s': %s",
+                    changes_path, FSAttrsErrorCodeToString(res));
+                break;
+            case FS_ATTRS_DOES_NOT_EXIST:
+                /* File does not exist. Nothing to do really, but let's log a
+                 * debug message for good measures */
+                Log(LOG_LEVEL_DEBUG,
+                    "Failed to clear the immutable bit on file '%s': %s",
+                    changes_path, FSAttrsErrorCodeToString(res));
+                break;
+            }
+        }
+        else
+        {
+            RecordNoChange(ctx, pp, &a,
+                           "The immutable bit is not set on file '%s' as promised",
+                           changes_path);
+        }
+    }
+
+    /* If we encounter any promises to mutate the file and the immutable
+     * attribute in body fsattrs is "true", we will override the immutable bit
+     * by temporarily clearing it whenever needed. */
+    EvalContextOverrideImmutableSet(ctx, a.havefsattrs && a.fsattrs.haveimmutable && a.fsattrs.immutable && is_immutable);
+
     if (lstat(changes_path, &oslb) == -1)       /* Careful if the object is a link */
     {
         if ((a.create) || (a.touch))
@@ -586,6 +649,51 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi
         }
     }
 
+    if (a.havefsattrs && a.fsattrs.haveimmutable && a.fsattrs.immutable)
+    {
+        /* Here we only handle the setting of the immutable bit. Previously we
+         * handled the clearing of the immutable bit. */
+        if (is_immutable)
+        {
+            RecordNoChange(ctx, pp, &a,
+                           "The immutable bit is already set on file '%s' as promised",
+                           changes_path);
+        }
+        else
+        {
+            res = FSAttrsUpdateImmutableFlag(changes_path, true);
+            switch (res)
+            {
+            case FS_ATTRS_SUCCESS:
+                Log(LOG_LEVEL_VERBOSE, "Set the immutable bit on file '%s'",
+                    changes_path);
+                break;
+            case FS_ATTRS_FAILURE:
+                /* Things still may be fine as long as the agent does not try to mutate the file */
+                Log(LOG_LEVEL_VERBOSE,
+                    "Failed to set the immutable bit on file '%s': %s",
+                    changes_path, FSAttrsErrorCodeToString(res));
+                break;
+            case FS_ATTRS_NOT_SUPPORTED:
+                /* We will not treat this as a promise failure because this
+                 * will happen on many platforms and filesystems. Instead we
+                 * will log a verbose message to make it apparent for the
+                 * users. */
+                Log(LOG_LEVEL_VERBOSE,
+                    "Failed to set the immutable bit on file '%s': %s",
+                    changes_path, FSAttrsErrorCodeToString(res));
+                break;
+            case FS_ATTRS_DOES_NOT_EXIST:
+                /* File does not exist. Nothing to do really, but let's log a
+                 * debug message for good measures */
+                Log(LOG_LEVEL_DEBUG,
+                    "Failed to set the immutable bit on file '%s': %s",
+                    changes_path, FSAttrsErrorCodeToString(res));
+                break;
+            }
+        }
+    }
+
 // Once more in case a file has been created as a result of editing or copying
 
     exists = (lstat(changes_path, &osb) != -1);
@@ -603,6 +711,9 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi
     }
 
 exit:
+    /* Reset this to false before next file promise */
+    EvalContextOverrideImmutableSet(ctx, false);
+
     free(chrooted_path);
     if (AttrHasNoAction(&a))
     {
@@ -686,20 +797,31 @@ static PromiseResult WriteContentFromString(EvalContext *ctx, const char *path,
 
     if (!HashesMatch(existing_content_digest, promised_content_digest, CF_DEFAULT_DIGEST))
     {
+        bool override_immutable = EvalContextOverrideImmutableGet(ctx);
         if (!MakingChanges(ctx, pp, attr, &result,
                           "update file '%s' with content '%s'",
                            path, attr->content))
         {
             return result;
         }
 
-        FILE *f = safe_fopen(changes_path, "w");
+        char override_path[PATH_MAX];
+        if (!OverrideImmutableBegin(changes_path, override_path, sizeof(override_path), override_immutable))
+        {
+            RecordFailure(ctx, pp, attr, "Failed to override immutable bit on file '%s'", changes_path);
+            return PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
+        }
+
+        FILE *f = safe_fopen(override_path, "w");
         if (f == NULL)
         {
             RecordFailure(ctx, pp, attr, "Cannot open file '%s' for writing", path);
+            OverrideImmutableCommit(changes_path, override_path, override_immutable, true);
             return PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
         }
 
+        bool override_abort = false;
+
         Writer *w = FileWriter(f);
         if (WriterWriteLen(w, attr->content, bytes_to_write) == bytes_to_write )
         {
@@ -714,9 +836,16 @@ static PromiseResult WriteContentFromString(EvalContext *ctx, const char *path,
             RecordFailure(ctx, pp, attr,
                           "Failed to update file '%s' with content '%s'",
                           path, attr->content);
+            override_abort = true;
             result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
         }
         WriterClose(w);
+
+        if (!OverrideImmutableCommit(changes_path, override_path, override_immutable, override_abort))
+        {
+            RecordFailure(ctx, pp, attr, "Failed to override immutable bit on file '%s'", changes_path);
+            result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
+        }
     }
 
     return result;
@@ -861,7 +990,7 @@ static PromiseResult RenderTemplateMustache(EvalContext *ctx,
                                   edcontext->filename, message);
                     result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
                 }
-                else if (SaveAsFile(SaveBufferCallback, output_buffer,
+                else if (SaveAsFile(ctx, SaveBufferCallback, output_buffer,
                                     edcontext->changes_filename, attr,
                                     edcontext->new_line_mode))
                 {

cf-agent/verify_files_utils.c

@@ -67,6 +67,7 @@
 #include <known_dirs.h>
 #include <changes_chroot.h>     /* PrepareChangesChroot(), RecordFileChangedInChroot() */
 #include <unix.h>               /* GetGroupName(), GetUserName() */
+#include <override_fsattrs.h>
 
 #include <cf-windows-functions.h>
 
@@ -1925,7 +1926,8 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con
     else
 #endif
     {
-        if (rename(changes_new, changes_dest) == 0)
+        bool override_immutable = EvalContextOverrideImmutableGet(ctx);
+        if (OverrideImmutableRename(changes_new, changes_dest, override_immutable))
         {
             RecordChange(ctx, pp, attr, "Moved '%s' to '%s'", new, dest);
             *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE);
@@ -1937,7 +1939,7 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con
                           dest, GetErrorStr());
             *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL);
 
-            if (backupok && (rename(changes_backup, changes_dest) == 0))
+            if (backupok && OverrideImmutableRename(changes_backup, changes_dest, override_immutable))
             {
                 RecordChange(ctx, pp, attr, "Restored '%s' from '%s'", dest, backup);
                 *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE);
@@ -2041,6 +2043,10 @@ static bool TransformFile(EvalContext *ctx, char *file, const Attributes *attr,
             }
         }
 
+        const bool override_immutable = EvalContextOverrideImmutableGet(ctx);
+        bool was_immutable = false;
+        FSAttrsResult res = TemporarilyClearImmutableBit(file, override_immutable, &was_immutable);
+
         Log(LOG_LEVEL_INFO, "Transforming '%s' with '%s'", file, command_str);
         if ((pop = cf_popen(changes_command, "r", true)) == NULL)
         {
@@ -2084,6 +2090,8 @@ static bool TransformFile(EvalContext *ctx, char *file, const Attributes *attr,
 
         transRetcode = cf_pclose(pop);
 
+        ResetTemporarilyClearedImmutableBit(file, override_immutable, res, was_immutable);
+
         if (VerifyCommandRetcode(ctx, transRetcode, attr, pp, result))
         {
             Log(LOG_LEVEL_INFO, "Transformer '%s' => '%s' seemed to work ok", file, command_str);
@@ -2174,10 +2182,10 @@ static PromiseResult VerifyName(EvalContext *ctx, char *path, const struct stat
         {
             if (!FileInRepository(newname))
             {
-                if (rename(changes_path, changes_newname) == -1)
+                const bool override_immutable = EvalContextOverrideImmutableGet(ctx);
+                if (!OverrideImmutableRename(changes_path, changes_newname, override_immutable))
                 {
-                    RecordFailure(ctx, pp, attr, "Error occurred while renaming '%s'. (rename: %s)",
-                                  path, GetErrorStr());
+                    RecordFailure(ctx, pp, attr, "Error occurred while renaming '%s'", path);
                     result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
                 }
                 else
@@ -2312,7 +2320,8 @@ static PromiseResult VerifyName(EvalContext *ctx, char *path, const struct stat
 
         if (MakingChanges(ctx, pp, attr, &result, "rename file '%s' to '%s'", path, newname))
         {
-            if (safe_chmod(changes_path, newperm) == 0)
+            const bool override_immutable = EvalContextOverrideImmutableGet(ctx);
+            if (OverrideImmutableChmod(changes_path, newperm, override_immutable))
             {
                 RecordChange(ctx, pp, attr, "Changed permissions of '%s' to 'mode %04jo'",
                              path, (uintmax_t)newperm);
@@ -2327,10 +2336,9 @@ static PromiseResult VerifyName(EvalContext *ctx, char *path, const struct stat
 
             if (!FileInRepository(newname))
             {
-                if (rename(changes_path, changes_newname) == -1)
+                if (!OverrideImmutableRename(changes_path, changes_newname, override_immutable))
                 {
-                    RecordFailure(ctx, pp, attr, "Error occurred while renaming '%s'. (rename: %s)",
-                                  path, GetErrorStr());
+                    RecordFailure(ctx, pp, attr, "Error occurred while renaming '%s'", path);
                     result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
                     free(chrooted_path);
                     return result;
@@ -2417,8 +2425,8 @@ static PromiseResult VerifyDelete(EvalContext *ctx,
     {
         if (!S_ISDIR(sb->st_mode))                      /* file,symlink */
         {
-            int ret = unlink(lastnode);
-            if (ret == -1)
+            bool override_immutable = EvalContextOverrideImmutableGet(ctx);
+            if (!OverrideImmutableDelete(lastnode, override_immutable))
             {
                 RecordFailure(ctx, pp, attr, "Couldn't unlink '%s' tidying. (unlink: %s)",
                               path, GetErrorStr());
@@ -2482,15 +2490,16 @@ static PromiseResult TouchFile(EvalContext *ctx, char *path, const Attributes *a
     PromiseResult result = PROMISE_RESULT_NOOP;
     if (MakingChanges(ctx, pp, attr, &result, "update time stamps for '%s'", path))
     {
-        if (utime(ToChangesPath(path), NULL) != -1)
+        bool override_immutable = EvalContextOverrideImmutableGet(ctx);
+        if (OverrideImmutableUtime(ToChangesPath(path), override_immutable, NULL))
         {
             RecordChange(ctx, pp, attr, "Touched (updated time stamps) for path '%s'", path);
             result = PromiseResultUpdate(result, PROMISE_RESULT_CHANGE);
         }
         else
         {
-            RecordFailure(ctx, pp, attr, "Touch '%s' failed to update timestamps. (utime: %s)",
-                          path, GetErrorStr());
+            RecordFailure(ctx, pp, attr, "Touch '%s' failed to update timestamps",
+                          path);
             result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
         }
     }
@@ -2644,7 +2653,8 @@ static PromiseResult VerifyFileAttributes(EvalContext *ctx, const char *file, co
         if (MakingChanges(ctx, pp, attr, &result, "change permissions of '%s' from %04jo to %04jo",
                           file, (uintmax_t)dstat->st_mode & 07777, (uintmax_t)newperm & 07777))
         {
-            if (safe_chmod(changes_file, newperm & 07777) == -1)
+            const bool override_immutable = EvalContextOverrideImmutableGet(ctx);
+            if (!OverrideImmutableChmod(changes_file, newperm & 07777, override_immutable))
             {
                 RecordFailure(ctx, pp, attr, "Failed to change permissions of '%s'. (chmod: %s)",
                               file, GetErrorStr());

libpromises/Makefile.am

@@ -137,6 +137,7 @@ libpromises_la_SOURCES = \
 	modes.c \
 	monitoring_read.c monitoring_read.h \
 	ornaments.c ornaments.h \
+	override_fsattrs.c override_fsattrs.h \
 	policy.c policy.h \
 	parser.c parser.h \
 	parser_helpers.h \