RGBCube/uutils-coreutils
1
Fork 0
mirror of https://github.com/RGBCube/uutils-coreutils synced 2025-07-28 03:27:44 +00:00
Code Issues Activity

selinux: add support in cp

Browse source
This commit is contained in:
Sylvestre Ledru 2025-05-01 14:59:53 +02:00
parent 55411721a8
commit e7fdd3dfba
3 changed files with 224 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/uu/cp/Cargo.toml
View file

@ -47,5 +47,5 @@ name = "cp"
path = "src/main.rs" path = "src/main.rs"
[features] [features]
feat_selinux = ["selinux"] feat_selinux = ["selinux", "uucore/selinux"]
feat_acl = ["exacl"] feat_acl = ["exacl"]

57
src/uu/cp/src/cp.rs
View file

@ -16,7 +16,7 @@ use std::path::{Path, PathBuf, StripPrefixError};
#[cfg(all(unix, not(target_os = "android")))] #[cfg(all(unix, not(target_os = "android")))]
use uucore::fsxattr::copy_xattrs; use uucore::fsxattr::copy_xattrs;
use clap::{Arg, ArgAction, ArgMatches, Command, builder::ValueParser}; use clap::{Arg, ArgAction, ArgMatches, Command, builder::ValueParser, value_parser};
use filetime::FileTime; use filetime::FileTime;
use indicatif::{ProgressBar, ProgressStyle}; use indicatif::{ProgressBar, ProgressStyle};
use quick_error::ResultExt; use quick_error::ResultExt;
@ -311,6 +311,10 @@ pub struct Options {
pub verbose: bool, pub verbose: bool,
/// `-g`, `--progress` /// `-g`, `--progress`
pub progress_bar: bool, pub progress_bar: bool,
/// -Z
pub set_selinux_context: bool,
// --context
pub context: Option<String>,
} }
impl Default for Options { impl Default for Options {
@ -337,6 +341,8 @@ impl Default for Options {
debug: false, debug: false,
verbose: false, verbose: false,
progress_bar: false, progress_bar: false,
set_selinux_context: false,
context: None,
} }
} }
} }
@ -448,6 +454,7 @@ mod options {
pub const RECURSIVE: &str = "recursive"; pub const RECURSIVE: &str = "recursive";
pub const REFLINK: &str = "reflink"; pub const REFLINK: &str = "reflink";
pub const REMOVE_DESTINATION: &str = "remove-destination"; pub const REMOVE_DESTINATION: &str = "remove-destination";
pub const SELINUX: &str = "Z";
pub const SPARSE: &str = "sparse"; pub const SPARSE: &str = "sparse";
pub const STRIP_TRAILING_SLASHES: &str = "strip-trailing-slashes"; pub const STRIP_TRAILING_SLASHES: &str = "strip-trailing-slashes";
pub const SYMBOLIC_LINK: &str = "symbolic-link"; pub const SYMBOLIC_LINK: &str = "symbolic-link";
@ -476,6 +483,7 @@ const PRESERVE_DEFAULT_VALUES: &str = if cfg!(unix) {
} else { } else {
"mode,timestamp" "mode,timestamp"
}; };
pub fn uu_app() -> Command { pub fn uu_app() -> Command {
const MODE_ARGS: &[&str] = &[ const MODE_ARGS: &[&str] = &[
options::LINK, options::LINK,
@ -709,24 +717,25 @@ pub fn uu_app() -> Command {
.value_parser(ShortcutValueParser::new(["never", "auto", "always"])) .value_parser(ShortcutValueParser::new(["never", "auto", "always"]))
.help("control creation of sparse files. See below"), .help("control creation of sparse files. See below"),
) )
// TODO: implement the following args
.arg( .arg(
Arg::new(options::COPY_CONTENTS) Arg::new(options::SELINUX)
.long(options::COPY_CONTENTS) .short('Z')
.overrides_with(options::ATTRIBUTES_ONLY) .help("set SELinux security context of destination file to default type")
.help("NotImplemented: copy contents of special files when recursive")
.action(ArgAction::SetTrue), .action(ArgAction::SetTrue),
) )
.arg( .arg(
Arg::new(options::CONTEXT) Arg::new(options::CONTEXT)
.long(options::CONTEXT) .long(options::CONTEXT)
.value_name("CTX") .value_name("CTX")
.value_parser(value_parser!(String))
.help( .help(
"NotImplemented: set SELinux security context of destination file to \ "like -Z, or if CTX is specified then set the SELinux or SMACK security \
default type", context to CTX",
), )
.num_args(0..=1)
.require_equals(true)
.default_missing_value(""),
) )
// END TODO
.arg( .arg(
// The 'g' short flag is modeled after advcpmv // The 'g' short flag is modeled after advcpmv
// See this repo: https://github.com/jarun/advcpmv // See this repo: https://github.com/jarun/advcpmv
@ -739,6 +748,15 @@ pub fn uu_app() -> Command {
Note: this feature is not supported by GNU coreutils.", Note: this feature is not supported by GNU coreutils.",
), ),
) )
// TODO: implement the following args
.arg(
Arg::new(options::COPY_CONTENTS)
.long(options::COPY_CONTENTS)
.overrides_with(options::ATTRIBUTES_ONLY)
.help("NotImplemented: copy contents of special files when recursive")
.action(ArgAction::SetTrue),
)
// END TODO
.arg( .arg(
Arg::new(options::PATHS) Arg::new(options::PATHS)
.action(ArgAction::Append) .action(ArgAction::Append)
@ -971,7 +989,6 @@ impl Options {
let not_implemented_opts = vec![ let not_implemented_opts = vec![
#[cfg(not(any(windows, unix)))] #[cfg(not(any(windows, unix)))]
options::ONE_FILE_SYSTEM, options::ONE_FILE_SYSTEM,
options::CONTEXT,
#[cfg(windows)] #[cfg(windows)]
options::FORCE, options::FORCE,
]; ];
@ -1018,7 +1035,6 @@ impl Options {
return Err(Error::NotADirectory(dir.clone())); return Err(Error::NotADirectory(dir.clone()));
} }
}; };
// cp follows POSIX conventions for overriding options such as "-a", // cp follows POSIX conventions for overriding options such as "-a",
// "-d", "--preserve", and "--no-preserve". We can use clap's // "-d", "--preserve", and "--no-preserve". We can use clap's
// override-all behavior to achieve this, but there's a challenge: when // override-all behavior to achieve this, but there's a challenge: when
@ -1112,6 +1128,15 @@ impl Options {
} }
} }
// Extract the SELinux related flags and options
let set_selinux_context = matches.get_flag(options::SELINUX);
let context = if matches.contains_id(options::CONTEXT) {
matches.get_one::<String>(options::CONTEXT).cloned()
} else {
None
};
let options = Self { let options = Self {
attributes_only: matches.get_flag(options::ATTRIBUTES_ONLY), attributes_only: matches.get_flag(options::ATTRIBUTES_ONLY),
copy_contents: matches.get_flag(options::COPY_CONTENTS), copy_contents: matches.get_flag(options::COPY_CONTENTS),
@ -1172,6 +1197,8 @@ impl Options {
recursive, recursive,
target_dir, target_dir,
progress_bar: matches.get_flag(options::PROGRESS_BAR), progress_bar: matches.get_flag(options::PROGRESS_BAR),
set_selinux_context: set_selinux_context || context.is_some(),
context,
}; };
Ok(options) Ok(options)
@ -2422,6 +2449,12 @@ fn copy_file(
copy_attributes(source, dest, &options.attributes)?; copy_attributes(source, dest, &options.attributes)?;
} }
#[cfg(feature = "selinux")]
if options.set_selinux_context && uucore::selinux::is_selinux_enabled() {
// Set the given selinux permissions on the copied file.
uucore::selinux::set_selinux_security_context(dest, options.context.as_ref())?;
}
copied_files.insert( copied_files.insert(
FileInformation::from_path(source, options.dereference(source_in_command_line))?, FileInformation::from_path(source, options.dereference(source_in_command_line))?,
dest.to_path_buf(), dest.to_path_buf(),

189
tests/by-util/test_cp.rs
View file

@ -3,7 +3,7 @@
// For the full copyright and license information, please view the LICENSE // For the full copyright and license information, please view the LICENSE
// file that was distributed with this source code. // file that was distributed with this source code.
// spell-checker:ignore (flags) reflink (fs) tmpfs (linux) rlimit Rlim NOFILE clob btrfs neve ROOTDIR USERDIR procfs outfile uufs xattrs // spell-checker:ignore (flags) reflink (fs) tmpfs (linux) rlimit Rlim NOFILE clob btrfs neve ROOTDIR USERDIR procfs outfile uufs xattrs
// spell-checker:ignore bdfl hlsl IRWXO IRWXG // spell-checker:ignore bdfl hlsl IRWXO IRWXG nconfined
use uutests::at_and_ucmd; use uutests::at_and_ucmd;
use uutests::new_ucmd; use uutests::new_ucmd;
use uutests::path_concat; use uutests::path_concat;
@ -908,32 +908,32 @@ fn test_cp_arg_no_clobber_twice() {
let scene = TestScenario::new(util_name!()); let scene = TestScenario::new(util_name!());
let at = &scene.fixtures; let at = &scene.fixtures;
at.touch("source.txt"); at.touch(TEST_HELLO_WORLD_SOURCE);
scene scene
.ucmd() .ucmd()
.arg("--no-clobber") .arg("--no-clobber")
.arg("source.txt") .arg(TEST_HELLO_WORLD_SOURCE)
.arg("dest.txt") .arg(TEST_HELLO_WORLD_DEST)
.arg("--debug") .arg("--debug")
.succeeds() .succeeds()
.no_stderr(); .no_stderr();
assert_eq!(at.read("source.txt"), ""); assert_eq!(at.read(TEST_HELLO_WORLD_SOURCE), "");
at.append("source.txt", "some-content"); at.append(TEST_HELLO_WORLD_SOURCE, "some-content");
scene scene
.ucmd() .ucmd()
.arg("--no-clobber") .arg("--no-clobber")
.arg("source.txt") .arg(TEST_HELLO_WORLD_SOURCE)
.arg("dest.txt") .arg(TEST_HELLO_WORLD_DEST)
.arg("--debug") .arg("--debug")
.succeeds() .succeeds()
.stdout_contains("skipped 'dest.txt'"); .stdout_contains(format!("skipped '{}'", TEST_HELLO_WORLD_DEST));
assert_eq!(at.read("source.txt"), "some-content"); assert_eq!(at.read(TEST_HELLO_WORLD_SOURCE), "some-content");
// Should be empty as the "no-clobber" should keep // Should be empty as the "no-clobber" should keep
// the previous version // the previous version
assert_eq!(at.read("dest.txt"), ""); assert_eq!(at.read(TEST_HELLO_WORLD_DEST), "");
} }
#[test] #[test]
@ -6248,3 +6248,170 @@ fn test_cp_update_none_interactive_prompt_no() {
assert_eq!(at.read(old_file), "old content"); assert_eq!(at.read(old_file), "old content");
assert_eq!(at.read(new_file), "new content"); assert_eq!(at.read(new_file), "new content");
} }
#[cfg(feature = "feat_selinux")]
fn get_getfattr_output(f: &str) -> String {
use std::process::Command;
let getfattr_output = Command::new("getfattr")
.arg(f)
.arg("-n")
.arg("security.selinux")
.output()
.expect("Failed to run `getfattr` on the destination file");
println!("{:?}", getfattr_output);
assert!(
getfattr_output.status.success(),
"getfattr did not run successfully: {}",
String::from_utf8_lossy(&getfattr_output.stderr)
);
String::from_utf8_lossy(&getfattr_output.stdout)
.split('"')
.nth(1)
.unwrap_or("")
.to_string()
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_selinux() {
let ts = TestScenario::new(util_name!());
let at = &ts.fixtures;
let args = ["-Z", "--context=unconfined_u:object_r:user_tmp_t:s0"];
at.touch(TEST_HELLO_WORLD_SOURCE);
for arg in args {
ts.ucmd()
.arg(arg)
.arg(TEST_HELLO_WORLD_SOURCE)
.arg(TEST_HELLO_WORLD_DEST)
.succeeds();
assert!(at.file_exists(TEST_HELLO_WORLD_DEST));
let selinux_perm = get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
assert!(
selinux_perm.contains("unconfined_u"),
"Expected '{}' not found in getfattr output:\n{}",
"foo",
selinux_perm
);
at.remove(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
}
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_selinux_invalid() {
let scene = TestScenario::new(util_name!());
let at = &scene.fixtures;
at.touch(TEST_HELLO_WORLD_SOURCE);
let args = [
"--context=a",
"--context=unconfined_u:object_r:user_tmp_t:s0:a",
"--context=nconfined_u:object_r:user_tmp_t:s0",
];
for arg in args {
new_ucmd!()
.arg(arg)
.arg(TEST_HELLO_WORLD_SOURCE)
.arg(TEST_HELLO_WORLD_DEST)
.fails()
.stderr_contains("Failed to");
if at.file_exists(TEST_HELLO_WORLD_DEST) {
at.remove(TEST_HELLO_WORLD_DEST);
}
}
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_preserve_selinux() {
let ts = TestScenario::new(util_name!());
let at = &ts.fixtures;
let args = ["-Z", "--context=unconfined_u:object_r:user_tmp_t:s0"];
at.touch(TEST_HELLO_WORLD_SOURCE);
for arg in args {
ts.ucmd()
.arg(arg)
.arg(TEST_HELLO_WORLD_SOURCE)
.arg(TEST_HELLO_WORLD_DEST)
.arg("--preserve=all")
.succeeds();
assert!(at.file_exists(TEST_HELLO_WORLD_DEST));
let selinux_perm_dest = get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
assert!(
selinux_perm_dest.contains("unconfined_u"),
"Expected '{}' not found in getfattr output:\n{}",
"foo",
selinux_perm_dest
);
assert_eq!(
get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_SOURCE)),
selinux_perm_dest
);
#[cfg(all(unix, not(target_os = "freebsd")))]
{
// Assert that the mode, ownership, and timestamps are preserved
// NOTICE: the ownership is not modified on the src file, because that requires root permissions
let metadata_src = at.metadata(TEST_HELLO_WORLD_SOURCE);
let metadata_dst = at.metadata(TEST_HELLO_WORLD_DEST);
assert_metadata_eq!(metadata_src, metadata_dst);
}
at.remove(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
}
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_preserve_selinux_admin_context() {
let ts = TestScenario::new(util_name!());
let at = &ts.fixtures;
let admin_context = "system_u:object_r:admin_home_t:s0";
at.touch(TEST_HELLO_WORLD_SOURCE);
let cmd_result = ts
.ucmd()
.arg("-Z")
.arg(format!("--context={admin_context}"))
.arg(TEST_HELLO_WORLD_SOURCE)
.arg(TEST_HELLO_WORLD_DEST)
.run();
if !cmd_result.succeeded() {
println!("Skipping test: Cannot set SELinux context, system may not support this context");
return;
}
let actual_context = get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
at.remove(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
ts.ucmd()
.arg("-Z")
.arg(format!("--context={}", actual_context))
.arg(TEST_HELLO_WORLD_SOURCE)
.arg(TEST_HELLO_WORLD_DEST)
.arg("--preserve=all")
.succeeds();
assert!(at.file_exists(TEST_HELLO_WORLD_DEST));
let selinux_perm_dest = get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
let selinux_perm_src = get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_SOURCE));
// Verify that the SELinux contexts match, whatever they may be
assert_eq!(selinux_perm_src, selinux_perm_dest);
#[cfg(all(unix, not(target_os = "freebsd")))]
{
let metadata_src = at.metadata(TEST_HELLO_WORLD_SOURCE);
let metadata_dst = at.metadata(TEST_HELLO_WORLD_DEST);
assert_metadata_eq!(metadata_src, metadata_dst);
}
at.remove(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
}