NAS-130418 / Audit filesystem permissions changes (#14124)
This adds basic auditing for API calls that change filesystem
permissions.
anodos325 authored Aug 5, 2024
1 parent d6aca09 commit 0dc6787
Showing 3 changed files with 62 additions and 5 deletions.
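--- a/src/middlewared/middlewared/plugins/filesystem.py
+++ b/src/middlewared/middlewared/plugins/filesystem.py
@@ -67,7 +67,7 @@ def set_immutable(self, set_flag, path):
 Bool('sparse'),
 register=True
 ),
-), roles=['FILESYSTEM_ATTRS_WRITE'])
+), roles=['FILESYSTEM_ATTRS_WRITE'], audit='Filesystem set ZFS attributes', audit_extended=lambda data: data['path'])
 @returns()
 def set_zfs_attributes(self, data):
 """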
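Review bot: The hunk header names `set_immutable`, which also changes a path's write protection, yet only `set_zfs_attributes` receives `audit=` here; if `set_immutable` is not already audited elsewhere in this file it should be given the same `audit='Filesystem set immutable'` treatment, since toggling the immutable flag is exactly the kind of permission change the commit message says it covers. The `@accepts(...)` decorator closed on the changed line begins above the hunk and the body of `set_zfs_attributes` continues below it. None of the new tests exercise this method, so the description string `Filesystem set ZFS attributes` and the `data['path']` extractor are unverified by the suite.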
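--- a/src/middlewared/middlewared/plugins/filesystem_/acl.py
+++ b/src/middlewared/middlewared/plugins/filesystem_/acl.py
@@ -131,7 +131,8 @@ def path_get_acltype(self, path):
 Bool('traverse', default=False)
 )
 ),
-roles=['FILESYSTEM_ATTRS_WRITE']
+roles=['FILESYSTEM_ATTRS_WRITE'],
+audit='Filesystem change owner', audit_extended=lambda data: data['path']
 )
 @returns()
 @job(lock="perm_change")
@@ -208,7 +209,8 @@ def _strip_acl_posix1e(self, path):
 Bool('traverse', default=False),
 )
 ),
-roles=['FILESYSTEM_ATTRS_WRITE']
+roles=['FILESYSTEM_ATTRS_WRITE'],
+audit='Filesystem set permission', audit_extended=lambda data: data['path']
 )
 @returns()
 @job(lock="perm_change")
@@ -865,7 +867,7 @@ def setacl_posix1e(self, job, data):
 Bool('traverse', default=False),
 Bool('canonicalize', default=True)
 )
-), roles=['FILESYSTEM_ATTRS_WRITE']
+), roles=['FILESYSTEM_ATTRS_WRITE'], audit='Filesystem set ACL', audit_extended=lambda data: data['path']
 )
 @returns()
 @job(lock="perm_change")
@@ -1053,7 +1055,7 @@ def check_acl_for_entry(entry):
 'options',
 Bool('force', default=False),
 )
-), roles=['FILESYSTEM_ATTRS_WRITE'])
+), roles=['FILESYSTEM_ATTRS_WRITE'], audit='Filesystem add to ACL', audit_extended=lambda data: data['path']
 @job()
 def add_to_acl(self, job, data):
 """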
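Review bot: The extractor `audit_extended=lambda data: data['path']` is copy-pasted into all four hunks (and the sibling change in filesystem.py); a single module-level helper such as `def _audit_path(data): return data['path']` used as `audit_extended=_audit_path` would keep the five call sites from drifting. If `audit_extended` is evaluated before the `@accepts` schema validates the payload, a request that omits `path` would surface as a KeyError from the lambda rather than a validation error, which is worth confirming against the decorator's evaluation order. Three of the decorated methods are `@job(lock="perm_change")` jobs that may walk a whole tree when `traverse` (or a recursive option) is set, so it is also worth confirming whether the audit entry is written at submission or at completion, otherwise a job that aborts partway is logged as a completed permission change. Each `@accepts(...)` decorator begins above its hunk and the decorated methods continue below.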
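--- /dev/null
+++ b/tests/api2/test_audit_permission.py
@@ -0,0 +1,55 @@
+import os
+
+from middlewared.test.integration.assets.pool import dataset
+from middlewared.test.integration.utils import call
+from middlewared.test.integration.utils.audit import expect_audit_method_calls
+
+JENNY = 8675309
+
+
+def test_audit_chown():
+with dataset('audit_chown') as ds:
+path = os.path.join('/mnt', ds)
+payload = {'path': path, 'uid': JENNY}
+
+with expect_audit_method_calls([{
+'method': 'filesystem.chown',
+'params': [payload],
+'description': f'Filesystem change owner {path}'
+}]):
+call('filesystem.chown', payload, job=True)
+
+
+def test_audit_setperm():
+with dataset('audit_setperm') as ds:
+path = os.path.join('/mnt', ds)
+payload = {'path': path, 'mode': '777'}
+
+with expect_audit_method_calls([{
+'method': 'filesystem.setperm',
+'params': [payload],
+'description': f'Filesystem set permission {path}'
+}]):
+call('filesystem.setperm', payload, job=True)
+
+
+def test_audit_setacl():
+with dataset('audit_setacl', {'share_type': 'SMB'}) as ds:
+path = os.path.join('/mnt', ds)
+the_acl = call('filesystem.getacl', os.path.join('/mnt', ds))['acl']
+the_acl.append({
+'tag': 'USER',
+'id': JENNY,
+'perms': {'BASIC': 'FULL_CONTROL'},
+'flags': {'BASIC': 'INHERIT'},
+'type': 'ALLOW'
+})
+
+payload = {'path': path, 'dacl': the_acl}
+
+with expect_audit_method_calls([{
+'method': 'filesystem.setacl',
+'params': [payload],
+'description': f'Filesystem set ACL {path}'
+}]):
+call('filesystem.setacl', payload, job=True)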
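Review bot: `filesystem.set_zfs_attributes` and `filesystem.add_to_acl` gain `audit=` decorators in this commit but have no test here, so their description strings (`Filesystem set ZFS attributes`, `Filesystem add to ACL`) and path extractors are not covered; add two cases following the `expect_audit_method_calls` pattern used by `test_audit_setperm`. All three tests are happy-path only; if the audit framework also records rejected or failed calls, a case with a nonexistent path or an unprivileged caller would pin that the entry is still written, which is the property an auditor cares about most. In `test_audit_setacl`, `call('filesystem.getacl', os.path.join('/mnt', ds))` recomputes the value already held in `path`; use `call('filesystem.getacl', path)`. A one-line comment on `JENNY = 8675309` noting that the uid need not exist on the host would save the next reader a lookup.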
