Merge branch 'master' of https://github.com/subgraph/paxrat (includes

mckinney-subgraph · mckinney-subgraph · commit 9afddb44a8ff · 2016-01-08T13:25:30.000-05:00
@DerLat's PR)
diff --git a/README.md b/README.md
@@ -36,12 +36,10 @@ The following is an example configuration:
 ```json
 {
   "/usr/lib/iceweasel/iceweasel": {                                                     
-       "flags": "pm",                                                              
-       "nonroot": false                                                             
+    "flags": "pm"
   },                                                                            
   "/usr/lib/iceweasel/plugin-container": {                                                                  
-    "flags": "m",                                                               
-    "nonroot": false                                                             
+    "flags": "m"
   },
   "/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/firefox": {
     "flags": "pm",
diff --git a/paxrat.conf b/paxrat.conf
@@ -1,97 +1,73 @@
 { "/usr/bin/gnome-shell": {
-    "flags": "mr",
-    "nonroot": false
+    "flags": "mr"
   },
   "/usr/lib/gnome-session/gnome-session-check-accelerated": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/lib/gnome-session/gnome-session-check-accelerated-helper": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/lib/gnome-session/gnome-session-failed": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/bin/seahorse": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/bin/grub-bios-setup": {
-    "flags": "E",
-    "nonroot": false 
+    "flags": "E"
   },
   "/usr/sbin/grub-mkdevicemap": {
-    "flags": "E",
-    "nonroot": false
+    "flags": "E"
   },
   "/usr/sbin/grub-probe": {
-    "flags": "E",
-    "nonroot": false
+    "flags": "E"
   },
   "/usr/bin/grub-script-check":  {
-    "flags": "E",
-    "nonroot": false
+    "flags": "E"
   },
   "/usr/bin/grub-mount": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/sbin/grub-probe": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   }, 
   "/usr/bin/mplayer": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/bin/python2": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/bin/python3": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/bin/vlc": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/lib/libreoffice/program/soffice.bin": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/lib/openoffice/program/unopkg.bin": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/lib/policy-kit-1/polkitd": {
-    "flags": "mr",
-    "nonroot": false
+    "flags": "mr"
   },
   "/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java": {
-    "flags": "mr",
-    "nonroot": false
+    "flags": "mr"
   },
   "/usr/lib/jvm/java-7-openjdk-amd64/bin/javac": {
-    "flags": "mr",
-    "nonroot": false
+    "flags": "mr"
   },
   "/usr/lib/jvm/java-7-openjdk-amd64/bin/jar": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   },
   "/usr/bin/gdbus": {
-    "flags": "mr",
-    "nonroot": false
+    "flags": "mr"
   },
   "/usr/lib/iceweasel/iceweasel": {
-    "flags": "pm",
-    "nonroot": false
+    "flags": "pm"
   },
   "/usr/lib/iceweasel/plugin-container": {
-    "flags": "m",
-    "nonroot": false
+    "flags": "m"
   }
 }
diff --git a/paxrat.go b/paxrat.go
@@ -1,43 +1,46 @@
 package main
 
 import (
-	"flag"
-	"io/ioutil"
+	"bufio"
 	"encoding/json"
-	"regexp"
+	"flag"
 	"fmt"
 	"log"
 	"log/syslog"
-	"syscall"
 	"os"
 	"os/exec"
 	"os/user"
 	"path/filepath"
+	"regexp"
 	"strings"
+	"syscall"
 
 	"golang.org/x/exp/inotify"
 )
 
-
 var configvar string
 var testvar bool
 var watchvar bool
 var flagsvar string
 var binaryvar string
 var nonrootvar bool
+
 type Setting struct {
-	Flags		string 	`json:"flags"`
-	Nonroot 	bool	`json:"nonroot"`
+	Flags   string `json:"flags"`
+	Nonroot bool   `json:"nonroot,omitempty"`
 }
 type Config struct {
 	Settings map[string]Setting
 }
+
 var InotifyFlags uint32
 var InotifyDirFlags uint32
 var Conf *Config
 var LogWriter *syslog.Writer
 var SyslogError error
 
+var commentRegexp = regexp.MustCompile("^[ \t]*#")
+
 func init() {
 	LogWriter, SyslogError = syslog.New(syslog.LOG_INFO, "paxrat")
 	if SyslogError != nil {
@@ -57,7 +60,7 @@ func init() {
 		"Test the config file and then exit")
 	flag.BoolVar(&watchvar, "w", false,
 		"Run paxrat in watch mode")
-	flag.StringVar(&flagsvar, "s", "", 
+	flag.StringVar(&flagsvar, "s", "",
 		"Set PaX flags for a single binary (must also specify binary)")
 	flag.BoolVar(&nonrootvar, "n", false,
 		"Set nonroot variable for a single binary (needed to set flags on a non-root owned binary")
@@ -66,12 +69,21 @@ func init() {
 }
 
 func (conf *Config) readConfig(path string) (err error) {
-	file, err := ioutil.ReadFile(path)
+	file, err := os.Open(path)
 	if err != nil {
 		log.Fatal(err)
 	}
+	scanner := bufio.NewScanner(file)
+	out := ""
+	for scanner.Scan() {
+		line := scanner.Text()
+		if !commentRegexp.MatchString(line) {
+			out += line + "\n"
+		}
+
+	}
 	var data = &conf.Settings
-	err = json.Unmarshal(file, data)
+	err = json.Unmarshal([]byte(out), data)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -87,8 +99,8 @@ func pathExists(path string) (result bool) {
 
 func validateFlags(flags string) (err error) {
 	match, _ := regexp.MatchString("(?i)[^pemrxs]", flags)
-    	if match {
-		err = fmt.Errorf("Bad characters found in PaX flags: %s", 
+	if match {
+		err = fmt.Errorf("Bad characters found in PaX flags: %s",
 			flags)
 	}
 	return
@@ -141,10 +153,10 @@ func setFlags(path string, flags string, nonroot bool) (err error) {
 	}
 	linkUid := fiPath.Sys().(*syscall.Stat_t).Uid
 	// Throw error if nonroot option is not set but the file is owned by a user other than root
-	if (!nonroot && linkUid > 0) {
+	if !nonroot && linkUid > 0 {
 		err = fmt.Errorf(
 			"Cannot set PaX flags on %s. Owner of symlink did not match owner of symlink target\n",
-		path)
+			path)
 		return
 	}
 	// Resolve the symlink target
@@ -161,7 +173,7 @@ func setFlags(path string, flags string, nonroot bool) (err error) {
 	}
 	targetUid := fiRPath.Sys().(*syscall.Stat_t).Uid
 	// If nonroot is set then throw an error if the owner of the file is different than the owner of the symlink target
-	if (nonroot && targetUid != linkUid) {
+	if nonroot && targetUid != linkUid {
 		err = fmt.Errorf(
 			"Cannot set PaX flags on %s. Owner of symlink did not match owner of symlink target\n",
 			path)
@@ -190,7 +202,7 @@ func setFlagsWatchMode(watcher *inotify.Watcher, path string, flags string, nonr
 	watcher.RemoveWatch(path)
 	setFlags(path, flags, nonroot)
 	if err != nil {
-		return(err)
+		return (err)
 	}
 	addWatchToClosestPath(watcher, path)
 	return
@@ -305,7 +317,7 @@ func runWatcher(watcher *inotify.Watcher) {
 					msg := fmt.Sprintf("File created: %s\n", ev.Name)
 					LogWriter.Info(msg)
 				}
-			// Catch directory creation events for non-existent directories in executable path
+				// Catch directory creation events for non-existent directories in executable path
 			} else if ev.Mask == (inotify.IN_CREATE | inotify.IN_ISDIR) {
 				for path, _ := range (*Conf).Settings {
 					if strings.HasPrefix(path, ev.Name) {
diff --git a/paxrat_test.go b/paxrat_test.go
@@ -1,10 +1,10 @@
 package main
 
 import (
+	"fmt"
 	"io/ioutil"
 	"os"
 	"testing"
-	"fmt"
 	"time"
 )
 
@@ -30,12 +30,12 @@ func TestRunWatcher1(t *testing.T) {
 		}
 	}
 	testJson := fmt.Sprintf(
-	"{\"%s/test1\": {" +
-	"\"flags\": \"mr\"," +
-	"\"nonroot\": false}," +
-	"\"%s/test2\": {" +
-	"\"flags\": \"E\"," +
-	"\"nonroot\": false}}", dir, dir)
+		`{"%s/test1": {`+
+			`"flags": "mr",`+
+			`"nonroot": false},`+
+			`"%s/test2": {`+
+			`"flags": "E",`+
+			`"nonroot": false}}`, dir, dir)
 	configPath := dir + "paxrat_conf.json"
 	Conf = new(Config)
 	err = createTestConfig(configPath, testJson)
@@ -58,7 +58,7 @@ func TestRunWatcher1(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Could not remove testFile1: %s", err)
 	}
-	err = os.Rename(files[1], dir + "moved")
+	err = os.Rename(files[1], dir+"moved")
 	if err != nil {
 		t.Fatalf("Could not move/rename TestFile2: %s", err)
 	}
@@ -76,9 +76,9 @@ func TestRunWatcher2(t *testing.T) {
 	}
 	defer os.RemoveAll(dir)
 	testJson := fmt.Sprintf(
-		"{\"%s/1/2/3/4/5/6/7/8/9/10/test1\": {" +
-		"\"flags\": \"mr\"," +
-		"\"nonroot\": false}}", dir)
+		`{"%s/1/2/3/4/5/6/7/8/9/10/test1": {`+
+			`"flags": "mr",`+
+			`"nonroot": false}}`, dir)
 	configPath := dir + "paxrat_conf.json"
 	Conf = new(Config)
 	err = createTestConfig(configPath, testJson)
@@ -99,7 +99,7 @@ func TestRunWatcher2(t *testing.T) {
 		runWatcher(watcher)
 	}(done)
 	time.Sleep(1 * time.Second)
-	os.MkdirAll(dir + "/1/2/3/4/5/6/7/8/9/10", 0600 )
+	os.MkdirAll(dir+"/1/2/3/4/5/6/7/8/9/10", 0600)
 	time.Sleep(1 * time.Second)
 	file := dir + "/1/2/3/4/5/6/7/8/9/10/test1"
 	fmt.Printf("Creating test file: %s", file)
@@ -108,4 +108,3 @@ func TestRunWatcher2(t *testing.T) {
 		t.Fatalf("creating test file: %s", err)
 	}
 }
-
