Changes

Signed-off-by: Yashvi Jain <[email protected]>

components/compliance-service/api/profiles/server/pgserver.go

@@ -29,11 +29,12 @@ import (
 
 // PGProfileServer implements the profile store GRPC interface
 type PGProfileServer struct {
-	es           *relaxting.ES2Backend
-	esClient     *ingestic.ESClient
-	profiles     *config.Profiles
-	store        *dbstore.Store
-	eventsClient automate_event.EventServiceClient
+	es                  *relaxting.ES2Backend
+	esClient            *ingestic.ESClient
+	profiles            *config.Profiles
+	store               *dbstore.Store
+	eventsClient        automate_event.EventServiceClient
+	firejailProfilePath string
 }
 
 func (srv *PGProfileServer) convertProfileToTgz(reader io.ReadCloser, contentType string) (string, error) {
@@ -69,7 +70,7 @@ func (srv *PGProfileServer) convertProfileToTgz(reader io.ReadCloser, contentTyp
 			return "", err
 		}
 
-		err = util.ConvertZipToTarGz(tmpZipUpload, tmpWithSuffix)
+		err = util.ConvertZipToTarGz(tmpZipUpload, tmpWithSuffix, srv.firejailProfilePath)
 		if err != nil {
 			return "", err
 		}
@@ -80,15 +81,15 @@ func (srv *PGProfileServer) convertProfileToTgz(reader io.ReadCloser, contentTyp
 func (srv *PGProfileServer) storeProfile(owner string, cacheFile string) (inspec.CheckResult, error) {
 	var inspecCheckResult inspec.CheckResult
 	// Run InSpec check
-	inspecCheckResult, err := market.CheckProfile(cacheFile)
+	inspecCheckResult, err := market.CheckProfile(cacheFile, srv.firejailProfilePath)
 	if err != nil {
 		logrus.Errorf("Create CheckProfile error: %s", err.Error())
 		inspecCheckResult.Summary.Valid = false
 		inspecCheckResult.Errors = []inspec.CheckMessage{{Msg: err.Error()}}
 		return inspecCheckResult, status.Error(codes.InvalidArgument, err.Error())
 	}
 
-	sha256, tar, info, err := srv.store.GetProfileInfo(cacheFile)
+	sha256, tar, info, err := srv.store.GetProfileInfo(cacheFile, srv.firejailProfilePath)
 	if err != nil {
 		logrus.Errorf("Create GetProfileInfo error: %s", err.Error())
 		inspecCheckResult.Summary.Valid = false

components/compliance-service/api/profiles/server/profiles.go

@@ -14,21 +14,22 @@ import (
 
 // New creates a new server
 func New(db *pgdb.DB, esBackend *relaxting.ES2Backend, esClient *ingestic.ESClient, profiles *config.Profiles,
-	eventsClient automate_event.EventServiceClient, statusSrv *statusserver.Server) *PGProfileServer {
+	eventsClient automate_event.EventServiceClient, statusSrv *statusserver.Server, firejailProfilePath string) *PGProfileServer {
 
 	srv := &PGProfileServer{
-		profiles:     profiles,
-		es:           esBackend,
-		esClient:     esClient,
-		store:        &dbstore.Store{DB: db},
-		eventsClient: eventsClient,
+		profiles:            profiles,
+		es:                  esBackend,
+		esClient:            esClient,
+		store:               &dbstore.Store{DB: db},
+		eventsClient:        eventsClient,
+		firejailProfilePath: firejailProfilePath,
 	}
 
 	// TODO: unbundle object creation from service bootup sanity check
 
 	statusserver.AddMigrationUpdate(statusSrv, statusserver.MigrationLabelPRO, "Ensuring Market profiles are up-to-date...")
 	// ensure all market profiles are up to date
-	err := srv.store.LoadMarketProfiles(profiles.MarketPath)
+	err := srv.store.LoadMarketProfiles(profiles.MarketPath, firejailProfilePath)
 	if err != nil {
 		logrus.Errorf("could not ensure all market profiles are up to date: %v", err)
 	}

components/compliance-service/cmd/compliance-service/cmd/run.go

@@ -111,7 +111,7 @@ func init() {
 	runCmd.Flags().IntVar(&conf.Service.LcrOpenSearchRequests, "lcr-open-search-requests", conf.Service.LcrOpenSearchRequests, "number of concurrent requests to communicate with open search for large compliance reporting")
 	runCmd.Flags().BoolVar(&conf.Service.EnableEnhancedReporting, "enable-enhanced-reporting", false, "upgrade to support enhanced compliance reporting")
 	runCmd.Flags().IntVar(&conf.Service.ControlsPopulatorsCount, "control-populators-count", 1, "Number of  workers for control workers")
-
+	runCmd.Flags().StringVar(&conf.Service.FirejailProfilePath, "firejail-profile-path", conf.Service.FirejailProfilePath, "Firejail profile path")
 	// Postgres Config Flags
 	runCmd.Flags().StringVar(&conf.Postgres.ConnectionString, "postgres-uri", conf.Postgres.ConnectionString, "PostgreSQL connection string to use")
 	runCmd.Flags().StringVar(&conf.Postgres.Database, "postgres-database", "", "PostgreSQL database to use. Will override postgres-uri")

components/compliance-service/cmd/inspec_runner/inspec_runner.go

@@ -12,12 +12,15 @@ import (
 
 	"github.com/chef/automate/components/compliance-service/cmd/inspec_runner/platform"
 	"github.com/chef/automate/lib/user"
+	"github.com/sirupsen/logrus"
 )
 
 // Set at build time via linker flags.
 var EXECUTABLE_PATH string
 
 func main() {
+
+	logrus.Println("Inside the main method ----- main()")
 	if len(EXECUTABLE_PATH) == 0 {
 		log.Fatal("No value present for executable path.")
 	}
@@ -31,6 +34,8 @@ func main() {
 
 	args := append([]string{cmd}, os.Args[1:]...)
 
+	logrus.Println("Inside the args method ----- main()")
+
 	if err := syscall.Exec(EXECUTABLE_PATH, args, os.Environ()); err != nil {
 		log.Fatal(fmt.Errorf("inspec_runner unable to complete with executable path: %s, args: %v, env: %s - error %w", EXECUTABLE_PATH, args, os.Environ(), err))
 	}

components/compliance-service/compliance.go

@@ -235,7 +235,7 @@ func serveGrpc(ctx context.Context, db *pgdb.DB, connFactory *secureconn.Factory
 	reporting.RegisterReportingServiceServer(s, reportingserver.New(&esr, reportmanagerClient,
 		conf.Service.LcrOpenSearchRequests, db, conf.Service.EnableEnhancedReporting))
 
-	ps := profilesserver.New(db, &esr, ingesticESClient, &conf.Profiles, eventClient, statusSrv)
+	ps := profilesserver.New(db, &esr, ingesticESClient, &conf.Profiles, eventClient, statusSrv, conf.Service.FirejailProfilePath)
 	profiles.RegisterProfilesServiceServer(s, ps)
 	profiles.RegisterProfilesAdminServiceServer(s, ps)
 
@@ -703,7 +703,7 @@ type ServiceInfo struct {
 	connFactory *secureconn.Factory
 }
 
-//TODO(jaym) If these don't get exposed in the gateway, we need to provide the http server certs
+// TODO(jaym) If these don't get exposed in the gateway, we need to provide the http server certs
 // this custom route is used by the inspec-agent scanner to retrieve profile tars for scan execution
 func (conf *ServiceInfo) serveCustomRoutes() error {
 	conf.ServerBind = fmt.Sprintf("%s:%d", conf.HostBind, conf.Port)

components/compliance-service/config/types.go

@@ -19,6 +19,7 @@ type Service struct {
 	LcrOpenSearchRequests   int
 	EnableEnhancedReporting bool
 	ControlsPopulatorsCount int
+	FirejailProfilePath     string
 }
 
 // Compliance service specific config options

components/compliance-service/firejail/secureporofile.profile

@@ -0,0 +1,44 @@
+#include disable-common.inc      # dangerous directories like ~/.ssh and ~/.gnupg
+#include disable-devel.inc      # development tools such as gcc and gdb
+#include disable-exec.inc       # non-executable directories such as /var, /tmp, and /home
+#include disable-interpreters.inc       # perl, python, lua etc.
+#include disable-programs.inc    # user configuration for programs such as firefox, vlc etc.
+#include disable-shell.inc      # sh, bash, zsh etc.
+#include disable-xdg.inc        # standard user directories: Documents, Pictures, Videos, Music
+
+### Home Directory Whitelisting ###
+### If something goes wrong, this section is the first one to comment out.
+### Instead, you'll have to relay on the basic blacklisting above.
+#private 
+#whitelist /hab/pkgs/chef/inspec/4.56.22/20220517052126/bin/inspec
+#blacklist /hab
+
+#read-only /hab/pkgs/chef/inspec/4.56.22/20220517052126/bin/inspec
+### Filesystem Whitelisting ###
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+#apparmor       # if you have AppArmor running, try this one!
+caps.drop all
+ipc-namespace
+netfilter
+#no3d   # disable 3D acceleration
+#nodvd  # disable DVD and CD devices
+#nogroups       # disable supplementary user groups
+#noinput        # disable input devices
+nonewprivs
+noroot
+#notv   # disable DVB TV devices
+#nou2f  # disable U2F devices
+#novideo        # disable video capture devices
+net none
+#seccomp !chroot        # allowing chroot, just in case this is an Electron app
+#shell none
+#tracelog       # send blacklist violations to syslog
+
+#disable-mnt    # no access to /mnt, /media, /run/mount and /run/media
+#private-bin dash,hab,inspec
+#private-cache  # run with an
+read-only /hab

components/compliance-service/habitat/default.toml

@@ -13,6 +13,7 @@ enable_large_reporting = false
 lcr_open_search_requests = 50
 enable_enhanced_compliance_reporting = false
 control_data_populators_count = 1
+firejail_profile_path="secureporofile.profile"
 
 [storage]
 database = "chef_compliance_service"

components/compliance-service/habitat/hooks/run

@@ -25,6 +25,8 @@ pg-helper migrate-tables-v2 delivery "$DBNAME" \
   agents node_managers results profiles tags jobs jobs_nodes jobs_profiles \
   jobs_tags nodes nodes_agents nodes_secrets nodes_tags
 
+
+
 pg-helper ensure-service-database "$DBNAME"
 
 pg-helper create-extension "$DBNAME" pgcrypto
@@ -33,6 +35,9 @@ pg-helper fix-permissions "$DBNAME"
 
 mkdir -p "{{pkg.svc_data_path}}/profiles"
 
+mkdir -p "{{pkg.svc_data_path}}/firejail"
+
+
 # cleanup old migration files
 rm -rf "{{pkg.svc_static_path}}/migrations" {{pkg.svc_static_path}}/*.sql
 
@@ -57,6 +62,7 @@ CONFIG="$CONFIG --enable-large-reporting={{cfg.service.enable_large_reporting}}"
 CONFIG="$CONFIG --lcr-open-search-requests {{cfg.service.lcr_open_search_requests}}"
 CONFIG="$CONFIG --enable-enhanced-reporting={{cfg.service.enable_enhanced_compliance_reporting}}"
 CONFIG="$CONFIG --control-populators-count {{cfg.service.control_data_populators_count}}"
+CONFIG="$CONFIG --firejail-profile-path {{pkg.path}}/data/firejail/{{cfg.service.firejail_profile_path}}"
 
 # Interval in minutes to poll for node status.
 CONFIG="$CONFIG --manager-awsec2-poll {{cfg.nodemanager.awsec2_polling_interval}}"
@@ -167,7 +173,10 @@ export HOME="{{pkg.svc_data_path}}"
 
 CONFIG="$CONFIG --inspec-tmp-dir {{pkg.svc_var_path}}/tmp"
 
+
 export FIREJAIL="{{pkgPathFor "core/firejail"}}/bin/firejail"
+
+
 # Start our service
 # shellcheck disable=SC2086
 exec compliance-service run ${CONFIG} ${ES_BACKEND} ${PG_BACKEND}

components/compliance-service/habitat/plan.sh

@@ -30,6 +30,7 @@ pkg_binds_optional=(
   [authn-service]="port"
   [notifications-service]="port"
 )
+
 inspec_release="chef/inspec/4.56.22/20220517052126"
 pkg_deps=(
   core/coreutils
@@ -63,15 +64,17 @@ scaffolding_go_binary_list=(
 
 do_prepare() {
   do_default_prepare
-
+   
   GO_LDFLAGS="${GO_LDFLAGS} -X main.EXECUTABLE_PATH=$(pkg_path_for chef/inspec)/bin/inspec"
-export GO_LDFLAGS
+ export GO_LDFLAGS
 
 }
 
 do_install() {
   do_default_install
 
+  echo $HOME
+
   inspec_sem_version=$(awk -F  '/' '{print $3}' <<< ${inspec_release})
   build_line "Setting InSpec version ${inspec_sem_version}"
   sed -i "s/REPLACE-FROM-PLAN.SH/${inspec_sem_version}/" habitat/default.toml
@@ -83,6 +86,14 @@ do_install() {
   build_line "Setting perms on inspec_runner"
   chown root: "${pkg_prefix}/bin/inspec_runner"
   chmod u+s "${pkg_prefix}/bin/inspec_runner"
+
+
+  mkdir -p "${pkg_prefix}/data/firejail"
+
+  cp -r firejail/* "${pkg_prefix}/data/firejail"
+
+
+
 }
 
 do_strip() {