diff --git a/components/compliance-service/api/profiles/server/pgserver.go b/components/compliance-service/api/profiles/server/pgserver.go index 01dbe2173ef..72d842ed9b3 100644 --- a/components/compliance-service/api/profiles/server/pgserver.go +++ b/components/compliance-service/api/profiles/server/pgserver.go @@ -29,11 +29,12 @@ import ( // PGProfileServer implements the profile store GRPC interface type PGProfileServer struct { - es *relaxting.ES2Backend - esClient *ingestic.ESClient - profiles *config.Profiles - store *dbstore.Store - eventsClient automate_event.EventServiceClient + es *relaxting.ES2Backend + esClient *ingestic.ESClient + profiles *config.Profiles + store *dbstore.Store + eventsClient automate_event.EventServiceClient + firejailProfilePath string } func (srv *PGProfileServer) convertProfileToTgz(reader io.ReadCloser, contentType string) (string, error) { @@ -69,7 +70,7 @@ func (srv *PGProfileServer) convertProfileToTgz(reader io.ReadCloser, contentTyp return "", err } - err = util.ConvertZipToTarGz(tmpZipUpload, tmpWithSuffix) + err = util.ConvertZipToTarGz(tmpZipUpload, tmpWithSuffix, srv.firejailProfilePath) if err != nil { return "", err } @@ -80,7 +81,7 @@ func (srv *PGProfileServer) convertProfileToTgz(reader io.ReadCloser, contentTyp func (srv *PGProfileServer) storeProfile(owner string, cacheFile string) (inspec.CheckResult, error) { var inspecCheckResult inspec.CheckResult // Run InSpec check - inspecCheckResult, err := market.CheckProfile(cacheFile) + inspecCheckResult, err := market.CheckProfile(cacheFile, srv.firejailProfilePath) if err != nil { logrus.Errorf("Create CheckProfile error: %s", err.Error()) inspecCheckResult.Summary.Valid = false 
@@ -88,7 +89,7 @@ func (srv *PGProfileServer) storeProfile(owner string, cacheFile string) (inspec return inspecCheckResult, status.Error(codes.InvalidArgument, err.Error()) } - sha256, tar, info, err := srv.store.GetProfileInfo(cacheFile) + sha256, tar, info, err := srv.store.GetProfileInfo(cacheFile, srv.firejailProfilePath) if err != nil { logrus.Errorf("Create GetProfileInfo error: %s", err.Error()) inspecCheckResult.Summary.Valid = false diff --git a/components/compliance-service/api/profiles/server/profiles.go b/components/compliance-service/api/profiles/server/profiles.go index 8aa0baba131..c85b117fef0 100644 --- a/components/compliance-service/api/profiles/server/profiles.go +++ b/components/compliance-service/api/profiles/server/profiles.go @@ -14,21 +14,22 @@ import ( // New creates a new server func New(db *pgdb.DB, esBackend *relaxting.ES2Backend, esClient *ingestic.ESClient, profiles *config.Profiles, - eventsClient automate_event.EventServiceClient, statusSrv *statusserver.Server) *PGProfileServer { + eventsClient automate_event.EventServiceClient, statusSrv *statusserver.Server, firejailProfilePath string) *PGProfileServer { srv := &PGProfileServer{ - profiles: profiles, - es: esBackend, - esClient: esClient, - store: &dbstore.Store{DB: db}, - eventsClient: eventsClient, + profiles: profiles, + es: esBackend, + esClient: esClient, + store: &dbstore.Store{DB: db}, + eventsClient: eventsClient, + firejailProfilePath: firejailProfilePath, } // TODO: unbundle object creation from service bootup sanity check statusserver.AddMigrationUpdate(statusSrv, statusserver.MigrationLabelPRO, "Ensuring Market profiles are up-to-date...") // ensure all market profiles are up to date - err := srv.store.LoadMarketProfiles(profiles.MarketPath) + err := srv.store.LoadMarketProfiles(profiles.MarketPath, firejailProfilePath) if err != nil { logrus.Errorf("could not ensure all market profiles are up to date: %v", err) } 
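Review bot: `New` stores `firejailProfilePath` without checking that it names a readable file, and every later inspec invocation hands it straight to firejail's `--profile=`; the flag in run.go defaults to whatever `conf.Service.FirejailProfilePath` already holds (presumably empty), so a misconfigured deployment only surfaces when the first profile upload fails inside `inspec.Check`. A startup check such as `if _, err := os.Stat(firejailProfilePath); err != nil { logrus.Fatalf("firejail profile %q is not usable: %v", firejailProfilePath, err) }` before `srv` is built keeps the sandbox configuration fail-closed and makes the problem visible in the service log. The new struct field in pgserver.go would also benefit from a one-line comment, e.g. `// firejailProfilePath is passed to firejail --profile= for every inspec run on uploaded profiles`. `New`'s body continues outside the hunk.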
diff --git a/components/compliance-service/cmd/compliance-service/cmd/run.go b/components/compliance-service/cmd/compliance-service/cmd/run.go index f3d7433e779..c113f5a7f2d 100644 --- a/components/compliance-service/cmd/compliance-service/cmd/run.go +++ b/components/compliance-service/cmd/compliance-service/cmd/run.go @@ -111,7 +111,7 @@ func init() { runCmd.Flags().IntVar(&conf.Service.LcrOpenSearchRequests, "lcr-open-search-requests", conf.Service.LcrOpenSearchRequests, "number of concurrent requests to communicate with open search for large compliance reporting") runCmd.Flags().BoolVar(&conf.Service.EnableEnhancedReporting, "enable-enhanced-reporting", false, "upgrade to support enhanced compliance reporting") runCmd.Flags().IntVar(&conf.Service.ControlsPopulatorsCount, "control-populators-count", 1, "Number of workers for control workers") - + runCmd.Flags().StringVar(&conf.Service.FirejailProfilePath, "firejail-profile-path", conf.Service.FirejailProfilePath, "Firejail profile path") // Postgres Config Flags runCmd.Flags().StringVar(&conf.Postgres.ConnectionString, "postgres-uri", conf.Postgres.ConnectionString, "PostgreSQL connection string to use") runCmd.Flags().StringVar(&conf.Postgres.Database, "postgres-database", "", "PostgreSQL database to use. Will override postgres-uri") diff --git a/components/compliance-service/cmd/inspec_runner/inspec_runner.go b/components/compliance-service/cmd/inspec_runner/inspec_runner.go index bfda36d8489..cecc87e95c4 100644 --- a/components/compliance-service/cmd/inspec_runner/inspec_runner.go +++ b/components/compliance-service/cmd/inspec_runner/inspec_runner.go 
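Review bot: The help text `"Firejail profile path"` for the new `--firejail-profile-path` flag does not say what the value is used for; something like `"path to the Firejail profile used to sandbox inspec check/json/archive runs"` makes the flag self-explaining in `--help` output. The hunk also drops the blank line that separated the service flags from the `# Postgres Config Flags` comment; keeping it preserves the grouping of the surrounding `init`, whose body starts and ends outside the hunk.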
@@ -12,12 +12,15 @@ import ( "github.com/chef/automate/components/compliance-service/cmd/inspec_runner/platform" "github.com/chef/automate/lib/user" + "github.com/sirupsen/logrus" ) // Set at build time via linker flags. var EXECUTABLE_PATH string func main() { + + logrus.Println("Inside the main method ----- main()") if len(EXECUTABLE_PATH) == 0 { log.Fatal("No value present for executable path.") } @@ -31,6 +34,8 @@ func main() { args := append([]string{cmd}, os.Args[1:]...) + logrus.Println("Inside the args method ----- main()") + if err := syscall.Exec(EXECUTABLE_PATH, args, os.Environ()); err != nil { log.Fatal(fmt.Errorf("inspec_runner unable to complete with executable path: %s, args: %v, env: %s - error %w", EXECUTABLE_PATH, args, os.Environ(), err)) } diff --git a/components/compliance-service/compliance.go b/components/compliance-service/compliance.go index 759bee4fea1..e987150930d 100644 --- a/components/compliance-service/compliance.go +++ b/components/compliance-service/compliance.go @@ -235,7 +235,7 @@ func serveGrpc(ctx context.Context, db *pgdb.DB, connFactory *secureconn.Factory reporting.RegisterReportingServiceServer(s, reportingserver.New(&esr, reportmanagerClient, conf.Service.LcrOpenSearchRequests, db, conf.Service.EnableEnhancedReporting)) - ps := profilesserver.New(db, &esr, ingesticESClient, &conf.Profiles, eventClient, statusSrv) + ps := profilesserver.New(db, &esr, ingesticESClient, &conf.Profiles, eventClient, statusSrv, conf.Service.FirejailProfilePath) profiles.RegisterProfilesServiceServer(s, ps) profiles.RegisterProfilesAdminServiceServer(s, ps) 
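Review bot: The two `logrus.Println("Inside the ... main()")` lines added to `main` look like leftover debugging and should be removed together with the new `github.com/sirupsen/logrus` import before merge. `inspec_runner` is installed setuid root by plan.sh (`chmod u+s "${pkg_prefix}/bin/inspec_runner"` is visible in this diff), so pulling a third-party logging library into it enlarges the privileged code surface for no functional gain, and the messages are written to stderr before `syscall.Exec`, where any caller that captures the shim's stderr will see them mixed into inspec's own output. The existing `log.Fatal` calls already cover the error paths, so no replacement logging is needed.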
@@ -703,7 +703,7 @@ type ServiceInfo struct { connFactory *secureconn.Factory } -//TODO(jaym) If these don't get exposed in the gateway, we need to provide the http server certs +// TODO(jaym) If these don't get exposed in the gateway, we need to provide the http server certs // this custom route is used by the inspec-agent scanner to retrieve profile tars for scan execution func (conf *ServiceInfo) serveCustomRoutes() error { conf.ServerBind = fmt.Sprintf("%s:%d", conf.HostBind, conf.Port) diff --git a/components/compliance-service/config/types.go b/components/compliance-service/config/types.go index b876c30f3ab..19bf75d5d89 100644 --- a/components/compliance-service/config/types.go +++ b/components/compliance-service/config/types.go @@ -19,6 +19,7 @@ type Service struct { LcrOpenSearchRequests int EnableEnhancedReporting bool ControlsPopulatorsCount int + FirejailProfilePath string } // Compliance service specific config options diff --git a/components/compliance-service/firejail/secureporofile.profile b/components/compliance-service/firejail/secureporofile.profile new file mode 100644 index 00000000000..138cf917003 --- /dev/null +++ b/components/compliance-service/firejail/secureporofile.profile 
@@ -0,0 +1,44 @@ +#include disable-common.inc # dangerous directories like ~/.ssh and ~/.gnupg +#include disable-devel.inc # development tools such as gcc and gdb +#include disable-exec.inc # non-executable directories such as /var, /tmp, and /home +#include disable-interpreters.inc # perl, python, lua etc. +#include disable-programs.inc # user configuration for programs such as firefox, vlc etc. +#include disable-shell.inc # sh, bash, zsh etc. +#include disable-xdg.inc # standard user directories: Documents, Pictures, Videos, Music + +### Home Directory Whitelisting ### +### If something goes wrong, this section is the first one to comment out. +### Instead, you'll have to relay on the basic blacklisting above. +#private +#whitelist /hab/pkgs/chef/inspec/4.56.22/20220517052126/bin/inspec +#blacklist /hab + +#read-only /hab/pkgs/chef/inspec/4.56.22/20220517052126/bin/inspec +### Filesystem Whitelisting ### +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +#apparmor # if you have AppArmor running, try this one! +caps.drop all +ipc-namespace +netfilter +#no3d # disable 3D acceleration +#nodvd # disable DVD and CD devices +#nogroups # disable supplementary user groups +#noinput # disable input devices +nonewprivs +noroot +#notv # disable DVB TV devices +#nou2f # disable U2F devices +#novideo # disable video capture devices +net none +#seccomp !chroot # allowing chroot, just in case this is an Electron app +#shell none +#tracelog # send blacklist violations to syslog + +#disable-mnt # no access to /mnt, /media, /run/mount and /run/media +#private-bin dash,hab,inspec +#private-cache # run with an +read-only /hab diff --git a/components/compliance-service/habitat/default.toml b/components/compliance-service/habitat/default.toml index 6bf221db0f3..ea18d6b4e75 100644 --- a/components/compliance-service/habitat/default.toml 
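Review bot: In Firejail profile syntax a leading `#` starts a comment, so the whole "Basic Blacklisting" section of the new profile (`#include disable-common.inc` through `#include disable-xdg.inc`) as well as `#seccomp !chroot`, `#private-bin`, `#disable-mnt` and `#apparmor` are inert; what the sandbox currently applies is the four uncommented `include whitelist-*.inc` lines plus `caps.drop all`, `ipc-namespace`, `netfilter`, `nonewprivs`, `noroot`, `net none` and `read-only /hab`. The trailing comments on those lines come from the Firejail profile template, whose intent is that each restriction is uncommented once the application is confirmed to work with it, so `include disable-common.inc`, `include disable-devel.inc` and an explicit `seccomp` line are the first candidates to enable and test against the check/json/archive paths. A short header comment stating which directives are deliberately left disabled and why (e.g. `# seccomp left off: <reason>`) would make future reviews of this file much easier, and the file name `secureporofile.profile` is referenced verbatim from default.toml, so renaming it later has to be done in both places.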
+++ b/components/compliance-service/habitat/default.toml @@ -13,6 +13,7 @@ enable_large_reporting = false lcr_open_search_requests = 50 enable_enhanced_compliance_reporting = false control_data_populators_count = 1 +firejail_profile_path="secureporofile.profile" [storage] database = "chef_compliance_service" diff --git a/components/compliance-service/habitat/hooks/run b/components/compliance-service/habitat/hooks/run index 27893104d3c..9f97f3d85e1 100644 --- a/components/compliance-service/habitat/hooks/run +++ b/components/compliance-service/habitat/hooks/run @@ -25,6 +25,8 @@ pg-helper migrate-tables-v2 delivery "$DBNAME" \ agents node_managers results profiles tags jobs jobs_nodes jobs_profiles \ jobs_tags nodes nodes_agents nodes_secrets nodes_tags + + pg-helper ensure-service-database "$DBNAME" pg-helper create-extension "$DBNAME" pgcrypto @@ -33,6 +35,9 @@ pg-helper fix-permissions "$DBNAME" mkdir -p "{{pkg.svc_data_path}}/profiles" +mkdir -p "{{pkg.svc_data_path}}/firejail" + + # cleanup old migration files rm -rf "{{pkg.svc_static_path}}/migrations" {{pkg.svc_static_path}}/*.sql @@ -57,6 +62,7 @@ CONFIG="$CONFIG --enable-large-reporting={{cfg.service.enable_large_reporting}}" CONFIG="$CONFIG --lcr-open-search-requests {{cfg.service.lcr_open_search_requests}}" CONFIG="$CONFIG --enable-enhanced-reporting={{cfg.service.enable_enhanced_compliance_reporting}}" CONFIG="$CONFIG --control-populators-count {{cfg.service.control_data_populators_count}}" +CONFIG="$CONFIG --firejail-profile-path {{pkg.path}}/data/firejail/{{cfg.service.firejail_profile_path}}" # Interval in minutes to poll for node status. CONFIG="$CONFIG --manager-awsec2-poll {{cfg.nodemanager.awsec2_polling_interval}}" 
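Review bot: The new `mkdir -p "{{pkg.svc_data_path}}/firejail"` in the `@@ -33` hunk of hooks/run creates a directory nothing in this diff uses: the `--firejail-profile-path` value assembled in the `@@ -57` hunk points at `{{pkg.path}}/data/firejail/{{cfg.service.firejail_profile_path}}`, which plan.sh populates at build time. Keeping the profile under the package path is the better choice, since package contents are typically not writable by the service account at runtime, so the unused `mkdir` and the surrounding stray blank lines should go rather than the CONFIG line. A comment above the CONFIG line such as `# profile is shipped read-only with the package; cfg value must be a bare file name inside data/firejail` would document the expectation on the operator-supplied config value.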
@@ -167,7 +173,10 @@ export HOME="{{pkg.svc_data_path}}" CONFIG="$CONFIG --inspec-tmp-dir {{pkg.svc_var_path}}/tmp" + export FIREJAIL="{{pkgPathFor "core/firejail"}}/bin/firejail" + + # Start our service # shellcheck disable=SC2086 exec compliance-service run ${CONFIG} ${ES_BACKEND} ${PG_BACKEND} diff --git a/components/compliance-service/habitat/plan.sh b/components/compliance-service/habitat/plan.sh index e7ea7ca1cc0..81b5115510d 100644 --- a/components/compliance-service/habitat/plan.sh +++ b/components/compliance-service/habitat/plan.sh @@ -30,6 +30,7 @@ pkg_binds_optional=( [authn-service]="port" [notifications-service]="port" ) + inspec_release="chef/inspec/4.56.22/20220517052126" pkg_deps=( core/coreutils @@ -63,15 +64,17 @@ scaffolding_go_binary_list=( do_prepare() { do_default_prepare - + GO_LDFLAGS="${GO_LDFLAGS} -X main.EXECUTABLE_PATH=$(pkg_path_for chef/inspec)/bin/inspec" -export GO_LDFLAGS + export GO_LDFLAGS } do_install() { do_default_install + echo $HOME + inspec_sem_version=$(awk -F '/' '{print $3}' <<< ${inspec_release}) build_line "Setting InSpec version ${inspec_sem_version}" sed -i "s/REPLACE-FROM-PLAN.SH/${inspec_sem_version}/" habitat/default.toml @@ -83,6 +86,14 @@ do_install() { build_line "Setting perms on inspec_runner" chown root: "${pkg_prefix}/bin/inspec_runner" chmod u+s "${pkg_prefix}/bin/inspec_runner" + + + mkdir -p "${pkg_prefix}/data/firejail" + + cp -r firejail/* "${pkg_prefix}/data/firejail" + + + } do_strip() { diff --git a/components/compliance-service/inspec/cli.go b/components/compliance-service/inspec/cli.go index ceb86ee26bf..3392c8f53f1 100644 --- a/components/compliance-service/inspec/cli.go +++ b/components/compliance-service/inspec/cli.go @@ -8,9 +8,11 @@ import ( "io/ioutil" "os" "os/exec" + "path/filepath" "strings" "time" + "github.com/chef/automate/lib/io/fileutils" "github.com/pkg/errors" "github.com/sirupsen/logrus" yaml "gopkg.in/yaml.v2" 
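Review bot: `export FIREJAIL="{{pkgPathFor "core/firejail"}}/bin/firejail"` relies on `core/firejail` being a declared package dependency, but the plan.sh hunks in this same diff only add `inspec_release` next to `pkg_deps` and do not show `core/firejail` being added; if it is not declared elsewhere, `pkgPathFor` cannot resolve when the hook is rendered and every sandboxed inspec run fails. Worth confirming that `pkg_deps` lists `core/firejail`, and adding `# firejail wraps the inspec invocations in inspec/cli.go; keep in sync with pkg_deps` above the export. The extra blank lines around the export inside the hook can be dropped.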
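Review bot: `echo $HOME` in plan.sh's `do_install` looks like a leftover debug print and should be removed; the other plan.sh changes (re-indenting `export GO_LDFLAGS`, and the `mkdir -p`/`cp -r firejail/*` into `${pkg_prefix}/data/firejail`) are fine. The four blank lines left after the `cp -r` inside `do_install` can also go.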
@@ -32,6 +34,8 @@ const defaultTimeout = 2 * time.Minute const binName = "inspec" const shimBinName = "inspec_runner" +const startInspec = "===start inspec===" +const endInspec = "===end inspec===" // Set to `true` to emit inspec configuration and environment // variables via debug logs. Leave to false for release. @@ -208,11 +212,12 @@ func run(args []string, conf *TargetConfig, timeout time.Duration, env map[strin cmd = exec.CommandContext(ctx, args[0], args[1:]...) cmd.Stdin = bytes.NewBuffer(jsonConf) if logSensitiveData { - logrus.Debugf("Using inspec configuration: %s", string(jsonConf)) + logrus.Infof("Using inspec configuration: %s", string(jsonConf)) } } cmd.Env = []string{"PATH=" + os.Getenv("PATH")} + if TmpDir != "" { if _, ok := env["TMPDIR"]; !ok { cmd.Env = append(cmd.Env, "TMPDIR="+TmpDir) 
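Review bot: Raising `logrus.Debugf("Using inspec configuration: %s", ...)` to `Infof` in `run` means the full inspec target configuration, which the file's own comment on `logSensitiveData` marks as debug-only ("Leave to false for release"), is emitted at the default log level whenever that switch is on; keep it at `logrus.Debugf` so the exposure stays confined to debug logging. The same Debug-to-Info promotion is applied to `logCtx.Debug("Running Inspec")`, the `Run: inspec %v` lines and the stdout dumps in the `Check` and `Json` hunks further down, which print the whole profile JSON at Info and should stay at Debug too. `run`'s body starts and ends outside this hunk.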
@@ -235,35 +240,33 @@ func run(args []string, conf *TargetConfig, timeout time.Duration, env map[strin logCtx = logCtx.WithField("env", cmd.Env) } - logCtx.Debug("Running Inspec") + logCtx.Info("Running Inspec") err := cmd.Run() return stdout.Bytes(), stderr.Bytes(), err } -func Check(profilePath string) (CheckResult, error) { +func Check(profilePath string, firejailprofilePath string) (CheckResult, error) { var res CheckResult + tmpDirPath := fmt.Sprintf("/tmp/inspec-upload-%v", makeTimestamp()) + tmpDirFile, args, err := getFirejailArgsaAndOutputFile(false, firejailprofilePath, profilePath, tmpDirPath) + if err != nil { + return res, err + } - firjailBin := os.Getenv("FIREJAIL") - firjailCommand := "--profile=./myprofile.profile" - firejailFlag := "--quiet" - - //firjailComamnd := "hab pkg exec core" - - args := []string{firjailBin, firjailCommand, firejailFlag} - - args = append(args, []string{shimBinName, "check", profilePath, "--format", "json"}...) + args = append(args, []string{binName, "check", tmpDirFile, "--format", "json"}...) - logrus.Debugf("Run: inspec %v", args) + logrus.Infof("Run: inspec %v", args) stdout, stderr, err := run(args, nil, defaultTimeout, inspecShimEnv()) - + //Removing the file before checking the command + os.RemoveAll(tmpDirPath) if err != nil { e := fmt.Sprintf("%s\n%s", err.Error(), stderr) return res, errors.New("Check InSpec check failed for " + profilePath + " with message: " + e) } - logrus.Info("Gicing the ouytpoyut xsjcnasdnca", string(stdout)) + logrus.Info("check command giving the output", string(stdout)) - jsonContent := findJsonLine(stdout) + jsonContent := findJsonLine([]byte(stdout)) err = json.Unmarshal(jsonContent, &res) if err != nil { return res, fmt.Errorf("Failed to unmarshal json:\n%s\nWith message: %s\nstdout: %s\nstderr: %s", jsonContent, err.Error(), stdout, stderr) 
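Review bot: `tmpDirPath := fmt.Sprintf("/tmp/inspec-upload-%v", makeTimestamp())` in `Check` (and identically in `Json` and `Archive` in the next hunk) builds a predictable name in the shared `/tmp`, and `prerequisiteForCommands`/`prerequisiteForArchive` then create it with `os.MkdirAll(tmpDir, 0777)`; any local user who pre-creates or races that path can alter the copy of the profile that inspec is about to evaluate, and the hard-coded `/tmp` also bypasses the `TmpDir` setting that `run` honours (presumably fed by `--inspec-tmp-dir` in the run hook). The file already imports `io/ioutil`, so `tmpDirPath, err := ioutil.TempDir(TmpDir, "inspec-upload")` followed by `if err != nil { return res, err }` and `defer os.RemoveAll(tmpDirPath)` yields a private, unpredictable directory and cleans up on every exit path (the current `os.RemoveAll(tmpDirPath)` ignores its error and runs before the result is checked). The `[]byte(stdout)` conversion passed to `findJsonLine` is redundant, as `stdout` is already a `[]byte`.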
@@ -277,43 +280,66 @@ func Check(profilePath string) (CheckResult, error) { return res, errors.New(strings.Join(errs, "\n")) } - logrus.Debugf("Successfully checked inspec profile in %s", profilePath) + logrus.Infof("Successfully checked inspec profile in %s", profilePath) return res, nil } -func Json(profilePath string) ([]byte, error) { - firjailBin := os.Getenv("FIREJAIL") - //firjailCommand := "--profile=./myprofile.profile" - firejailFlag := "--quiet" +func Json(profilePath string, firejailprofilePath string) ([]byte, error) { + var output string + tmpDirPath := fmt.Sprintf("/tmp/inspec-upload-%v", makeTimestamp()) + + tmpDirFile, args, err := getFirejailArgsaAndOutputFile(false, firejailprofilePath, profilePath, tmpDirPath) + if err != nil { + return nil, err + } - args := []string{firjailBin, firejailFlag, shimBinName, "json", profilePath} - logrus.Debugf("Run: inspec %v", args) + //echoStatement := fmt.Sprintf(";echo '%s'", endInspec) + args = append(args, []string{binName, "json", tmpDirFile}...) 
+ logrus.Infof("Run: inspec %v", args) stdout, stderr, err := run(args, nil, defaultTimeout, inspecShimEnv()) - logrus.Debugf("Run: %s %s %v", stdout, stderr, err) + + logrus.Infof("Run output from json: %s %s %v", stdout, stderr, err) + + logrus.Infof("Run: %s %s %v", output, stderr, err) if err != nil { e := fmt.Sprintf("%s\n%s", err.Error(), stderr) return nil, errors.New("Could not gather profile json for " + profilePath + " caused by: " + e) } - return stdout, nil + os.RemoveAll(tmpDirPath) + + return []byte(output), nil } // Archives a directory to a TAR.GZ -func Archive(profilePath string, outputPath string) error { - firjailBin := os.Getenv("FIREJAIL") +func Archive(profilePath string, outputPath string, firejailprofilePath string) error { + tmpDirPath := fmt.Sprintf("/tmp/inspec-upload-%v", makeTimestamp()) + tmpDirProfilePath, args, err := getFirejailArgsaAndOutputFile(true, firejailprofilePath, profilePath, tmpDirPath) + if err != nil { + return err + } + _, outputFileName := filepath.Split(outputPath) + outputFilePath := tmpDirPath + "/" + outputFileName - firjailCommand := "--profile=./myprofile.profile" - firejailFlag := "--quiet" - logrus.Info("--------------------- output path", outputPath) - args := []string{firjailBin, firjailCommand, firejailFlag, shimBinName, "archive", profilePath, "-o", outputPath, "--overwrite"} - logrus.Debugf("Run: inspec %v", args) + args = append(args, []string{binName, "archive", tmpDirProfilePath, "-o", outputFilePath, "--overwrite"}...) 
+ + logrus.Infof("Run: inspec %v", args) _, stderr, err := run(args, nil, defaultTimeout, inspecShimEnv()) if err != nil { e := fmt.Sprintf("%s\n%s", err.Error(), stderr) - return errors.New("InSpec archive failed for " + profilePath + " with message: " + e) + return errors.New("InSpec archive failed for " + tmpDirProfilePath + " with message: " + e) + } + + err = fileutils.CopyFile(outputFilePath, outputPath) + if err != nil { + return errors.Wrapf(err, "Unable to copy archived file for output file", outputFileName) } + err = os.RemoveAll(tmpDirPath) + if err != nil { + logrus.Errorf("Unable to delete tmp direcotory created %v", err) - logrus.Debugf("Successfully archived %s to %s", profilePath, outputPath) + } + logrus.Infof("Successfully archived %s to %s", profilePath, outputPath) return nil } 
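Review bot: `Json` never assigns `output`, so `return []byte(output), nil` always hands an empty slice to `Store.GetProfileInfo`, while the real `stdout` from `run` is only logged; the function should keep returning `stdout` (`return stdout, nil`), drop `var output string` and the two `logrus.Infof` dumps of the JSON, and move `os.RemoveAll(tmpDirPath)` into a `defer os.RemoveAll(tmpDirPath)` right after the `getFirejailArgsaAndOutputFile` error check so the working copy is also removed when inspec fails. In `Archive`, `errors.Wrapf(err, "Unable to copy archived file for output file", outputFileName)` has no format verb for `outputFileName` (go vet flags this); use `errors.Wrapf(err, "unable to copy archived file %s", outputFileName)`, and the same `defer` pattern would cover the early-return paths that currently leak the temporary directory. The `if err != nil { logrus.Errorf(...) }` block around the final `RemoveAll` in `Archive` is split by the changed `Successfully archived` log line, which makes the brace structure hard to read; keep the log after the closing brace.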
@@ -403,3 +429,79 @@ func findJsonLine(in []byte) []byte { } return []byte(rawJson) } + +func getFirejailArgsaAndOutputFile(isArchive bool, firejailprofilePath string, profilePath string, tmpDirPath string) (string, []string, error) { + + firjailBin := os.Getenv("FIREJAIL") + firejailFlag := "--quiet" + firejailProfile := fmt.Sprintf("--profile=%s", firejailprofilePath) + //echoStatement := fmt.Sprintf("echo '%s' ;", startInspec) + + firejailArgs := []string{firjailBin, firejailProfile, firejailFlag} + + fileName := filepath.Base(profilePath) + fileCreated := tmpDirPath + "/" + fileName + + if isArchive { + tempDirProfile := tmpDirPath + "/" + fileName + err := prerequisiteForArchive(tempDirProfile, profilePath) + if err != nil { + logrus.Errorf("Unable to move files %v", err) + return "", nil, nil + } + return tempDirProfile, firejailArgs, nil + } + + err := prerequisiteForCommands(tmpDirPath, profilePath, fileName) + if err != nil { + logrus.Errorf("Unable to move files %v", err) + return "", nil, nil + } + return fileCreated, firejailArgs, nil +} + +func prerequisiteForArchive(tmpDir string, file string) error { + err := os.MkdirAll(tmpDir, 0777) + if err != nil { + return errors.Wrapf(err, "Unable to make tmp directory") + } + + err = fileutils.CopyDir(file, tmpDir, fileutils.Overwrite()) + if err != nil { + return errors.Wrapf(err, "Unable to copy files in tmp directory") + } + return nil + +} + +func prerequisiteForCommands(tmpDir string, filepath string, fileName string) error { + + err := os.MkdirAll(tmpDir, 0777) + if err != nil { + return errors.Wrapf(err, "Unable to make tmp directory") + } + tmpDir = tmpDir + "/" + fileName + err = fileutils.CopyFile(filepath, tmpDir, fileutils.Overwrite()) + if err != nil { + return err + } + + return nil +} + +func makeTimestamp() int64 { + return time.Now().UnixNano() +} + +// func getTrimmedOutputFromFirejail(output []byte) string { +// var trimmedOutput string +// outputStr := string(output) +// startIndex := 
strings.Index(outputStr, startInspec) +// endIndex := strings.Index(outputStr, endInspec) +// if startIndex != -1 { +// trimmedOutput = outputStr[startIndex+len(startInspec)+1 : endIndex-1] + +// } + +// return trimmedOutput +// } diff --git a/components/compliance-service/profiles/db/store.go b/components/compliance-service/profiles/db/store.go index 58bf3a91060..93afc25d004 100644 --- a/components/compliance-service/profiles/db/store.go +++ b/components/compliance-service/profiles/db/store.go @@ -26,7 +26,7 @@ type Store struct { DB *pgdb.DB } -func (s *Store) GetProfileInfo(filename string) (string, []byte, []byte, error) { +func (s *Store) GetProfileInfo(filename string, firejailProfilePath string) (string, []byte, []byte, error) { // load profile into memory tarContent, err := ioutil.ReadFile(filename) if err != nil { @@ -52,7 +52,7 @@ func (s *Store) GetProfileInfo(filename string) (string, []byte, []byte, error) // JSON file was not pregenerated or could not be read, so delegate to inspec. if len(inspecJSON) == 0 { - inspecJSON, err = inspec.Json(filename) + inspecJSON, err = inspec.Json(filename, firejailProfilePath) if err != nil { return "", nil, nil, err } @@ -66,7 +66,7 @@ func (s *Store) GetProfileInfo(filename string) (string, []byte, []byte, error) return inspecProfile.Sha256, tarContent, inspecJSON, nil } -func (s *Store) LoadMarketProfiles(path string) error { +func (s *Store) LoadMarketProfiles(path string, firejailProfilePath string) error { logrus.Infof("Verify that latest market profiles (%s) are stored in database", path) // determine all profiles in directory @@ -83,7 +83,7 @@ func (s *Store) LoadMarketProfiles(path string) error { logrus.Debugf("Upload profile %s", diskProfile) // gather information that we need to store in postgres - sha256, tar, info, err := s.GetProfileInfo(diskProfile) + sha256, tar, info, err := s.GetProfileInfo(diskProfile, firejailProfilePath) if err != nil { // log error, and ignore profile logrus.Error(err) 
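Review bot: Both error branches in `getFirejailArgsaAndOutputFile` log and then `return "", nil, nil`, so the caller sees no error, appends `inspec …` to a nil `args` slice and runs `inspec` directly with an empty target path — a failure to stage the profile silently turns the firejail wrapper off, which is the wrong way for a sandbox to fail. Return the error in both places instead, `return "", nil, errors.Wrap(err, "preparing firejail working copy")` (the `logrus.Errorf` lines can then go, since the callers already report the error), and reject an unset `FIREJAIL` up front with `if firjailBin == "" { return "", nil, errors.New("FIREJAIL is not set") }` rather than letting it surface as an exec error. Smaller points in the same hunk: `os.MkdirAll(tmpDir, 0777)` in `prerequisiteForArchive` and `prerequisiteForCommands` should be `0700`, since nothing outside the service needs to read the staged profile; the `filepath` parameter of `prerequisiteForCommands` shadows the `path/filepath` import this diff adds; and the commented-out `getTrimmedOutputFromFirejail` together with the `startInspec`/`endInspec` constants it references are dead code that can be deleted. `tempDirProfile` and `fileCreated` are the same expression and could be computed once.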
diff --git a/components/compliance-service/profiles/market/market.go b/components/compliance-service/profiles/market/market.go index 3019e37c4e9..d570887d891 100644 --- a/components/compliance-service/profiles/market/market.go +++ b/components/compliance-service/profiles/market/market.go @@ -85,8 +85,8 @@ func TempUpload(body io.ReadCloser, suffix string) (string, error) { return tmpWithSuffix, nil } -func CheckProfile(tmpWithSuffix string) (inspec.CheckResult, error) { +func CheckProfile(tmpWithSuffix string, firejailProfilePath string) (inspec.CheckResult, error) { defer util.TimeTrack(time.Now(), "CheckProfile") - return inspec.Check(tmpWithSuffix) + return inspec.Check(tmpWithSuffix, firejailProfilePath) } diff --git a/components/compliance-service/reporting/util/zip.go b/components/compliance-service/reporting/util/zip.go index e7a9c1a7746..bfae5ea92a6 100644 --- a/components/compliance-service/reporting/util/zip.go +++ b/components/compliance-service/reporting/util/zip.go @@ -80,7 +80,7 @@ func Zip2Path(zipPath string, extractPath string) error { } // ConvertZipToTarGz extracts the profile to a tmp dir and archives the file as a tar.gz. -func ConvertZipToTarGz(zipPath string, tarPath string) error { +func ConvertZipToTarGz(zipPath string, tarPath string, firejailPath string) error { // should we make this user specific tmpPath, err := ioutil.TempDir("", "inspec-upload") if err != nil { @@ -122,7 +122,7 @@ func ConvertZipToTarGz(zipPath string, tarPath string) error { return err } - err = inspec.Archive(tmpPath, tarPath) + err = inspec.Archive(tmpPath, tarPath, firejailPath) if err != nil { return err }
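Review bot: `ConvertZipToTarGz` names the new parameter `firejailPath` while every other signature in this diff (`CheckProfile`, `inspec.Check`, `inspec.Archive`, `Store.GetProfileInfo`) calls it `firejailProfilePath`; `firejailPath` reads as the location of the firejail binary, which is a different thing (the `FIREJAIL` environment variable), so renaming it to `firejailProfilePath` removes the ambiguity. The doc comment on `ConvertZipToTarGz` should also mention the new argument, e.g. `// firejailProfilePath is the Firejail profile used to sandbox the inspec archive step.` `ConvertZipToTarGz`'s body continues outside the hunk.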