
Add option to show security attribute and improve extended support

Open cgzones opened this issue 3 years ago • 9 comments

Add a command line option -Z/--context to show the security context of objects, similar to ls(1).

Show the actual extended attribute values on -@/--extended, instead of just their length.

In case of a symlink, show the extended attributes of the symlink itself, not the target. This matches the behavior of ls(1) and is more intuitive.

TODO:

  • test on macos (should compile)

In the future one might want to add support for SMACK security labels ("security.SMACK64").

Closes: #254 #613


cgzones avatar Apr 25 '21 13:04 cgzones

The code looks good. How does it work in modes other than long? (grid, grid long, other?)

Also, if you rebase on master it should fix the failing CI check.

ariasuni avatar Apr 26 '21 21:04 ariasuni

I don’t have any knowledge of SELinux, do you have any resources about it so I could check that out and understand better what you’re doing in the code?

SELinux is a Linux Security Module (like AppArmor) providing mandatory access control. Every subject and object (process, file, network socket, ...) gets assigned a context, on which the decision whether an operation is allowed or not is based. For file type objects this context is stored as an Extended security attribute with the name security.selinux (see man:xattr(7)). An SELinux context consists of 3 or 4 parts (depending on whether the SELinux policy enables MCS/MLS [1]), which are separated by colons:

  • a user part, like system_u
  • a role part, like object_r
  • a type part, like shadow_t
  • and the optional level part, like s2:c1.c4

[1] See https://wiki.gentoo.org/wiki/SELinux/Quick_introduction#Context_based_approach

cgzones avatar Jun 30 '21 17:06 cgzones
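The context layout described in the comment above, as an added example that is not code from this PR or from exa: a parser for the raw `security.selinux` value that copes with a level containing a colon. The `Context` struct, the `field` and `parse_context` names, the trailing-NUL handling and the sample values are assumptions made for illustration.

```rust
// Added example: split the value of the security.selinux xattr into its parts.
#[derive(Debug, PartialEq)]
struct Context<'a> {
    user: &'a str,
    role: &'a str,
    type_: &'a str,
    level: Option<&'a str>, // only present when the policy enables MCS/MLS
}

// Take the next colon-separated field, rejecting a missing or empty one.
fn field<'a>(it: &mut impl Iterator<Item = &'a str>, name: &str) -> Result<&'a str, String> {
    it.next()
        .filter(|p| !p.is_empty())
        .ok_or_else(|| format!("missing {} part", name))
}

// `raw` is assumed to be the xattr value exactly as read from the file; it
// commonly ends in a NUL byte. The level may itself contain a colon
// ("s2:c1.c4"), so split into at most four fields, not on every colon.
fn parse_context<'a>(raw: &'a [u8]) -> Result<Context<'a>, String> {
    let raw = raw.strip_suffix(&[0u8]).unwrap_or(raw);
    let text = std::str::from_utf8(raw).map_err(|e| format!("not UTF-8: {}", e))?;
    let mut parts = text.splitn(4, ':');
    let user = field(&mut parts, "user")?;
    let role = field(&mut parts, "role")?;
    let type_ = field(&mut parts, "type")?;
    let level = match parts.next() {
        Some("") => return Err("empty level part".to_string()),
        other => other,
    };
    Ok(Context { user, role, type_, level })
}

fn main() {
    // Constructed sample values, not read from a real file.
    let samples: [&[u8]; 3] = [
        b"system_u:object_r:shadow_t:s2:c1.c4\0",
        b"system_u:object_r:bin_t\0",
        b"system_u:object_r",
    ];
    for raw in samples.iter() {
        println!("{:?}", parse_context(raw));
    }
}
```
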

I decided to try this patch on one of my systems, there seems to be a special case for /dev and /sys that exa doesn't handle:

$ ls -lZ /
total 87
drwxr-xr-x.   2 root root system_u:object_r:bin_t        114 Jul 21 13:40 bin/
drwxr-xr-x.   4 root root system_u:object_r:boot_t        29 Jul 21 13:42 boot/
drwxr-xr-x.  18 root root system_u:object_r:device_t    4320 Jul 23 11:44 dev/
drwxr-xr-x.  63 root root system_u:object_r:etc_t        143 Jul 23 11:44 etc/
drwxr-xr-x.   3 root root system_u:object_r:home_root_t    4 Jun  7 01:35 home/
drwxr-xr-x.  12 root root system_u:object_r:lib_t         13 Jul 21 13:08 lib/
drwxr-xr-x.   6 root root system_u:object_r:lib_t        159 Jul 21 13:40 lib64/
drwxr-xr-x.   2 root root system_u:object_r:mnt_t          3 Jun  3 14:15 media/
drwxr-xr-x.   4 root root system_u:object_r:mnt_t          5 Jun 24 11:51 mnt/
drwxr-xr-x.   3 root root system_u:object_r:usr_t          4 Jun 19 00:17 opt/
dr-xr-xr-x. 476 root root system_u:object_r:proc_t         0 Jul 23 11:44 proc/
drwx------.   4 root root root:object_r:user_home_dir_t    8 Jul 21 22:37 root/
drwxr-xr-x.  19 root root system_u:object_r:var_run_t    680 Jul 23 11:44 run/
drwxr-xr-x.   2 root root system_u:object_r:bin_t        249 Jul 21 13:40 sbin/
dr-xr-xr-x.  13 root root system_u:object_r:sysfs_t        0 Jul 23 13:00 sys/
drwxrwxrwt.   6 root root system_u:object_r:tmp_t          6 Jul 23 11:46 tmp/
drwxr-xr-x.  12 root root system_u:object_r:usr_t         13 Jun  3 14:17 usr/
drwxr-xr-x.   9 root root system_u:object_r:var_t         11 Jun  3 14:15 var/

$ exa -lZ /
drwxr-xr-x - root system_u:object_r:bin_t       21 Jul 13:40 bin
drwxr-xr-x - root system_u:object_r:boot_t      21 Jul 13:42 boot
drwxr-xr-x - root ?                             23 Jul 11:44 dev
drwxr-xr-x - root system_u:object_r:etc_t       23 Jul 11:44 etc
drwxr-xr-x - root system_u:object_r:home_root_t  7 Jun 01:35 home
drwxr-xr-x - root system_u:object_r:lib_t       21 Jul 13:08 lib
drwxr-xr-x - root system_u:object_r:lib_t       21 Jul 13:40 lib64
drwxr-xr-x - root system_u:object_r:mnt_t        3 Jun 14:15 media
drwxr-xr-x - root system_u:object_r:mnt_t       24 Jun 11:51 mnt
drwxr-xr-x - root system_u:object_r:usr_t       19 Jun 00:17 opt
dr-xr-xr-x - root system_u:object_r:proc_t      23 Jul 11:44 proc
drwx------ - root root:object_r:user_home_dir_t 21 Jul 22:37 root
drwxr-xr-x - root system_u:object_r:var_run_t   23 Jul 11:44 run
drwxr-xr-x - root system_u:object_r:bin_t       21 Jul 13:40 sbin
dr-xr-xr-x - root ?                             23 Jul 13:00 sys
drwxrwxrwt - root system_u:object_r:tmp_t       23 Jul 11:46 tmp
drwxr-xr-x - root system_u:object_r:usr_t        3 Jun 14:17 usr
drwxr-xr-x - root system_u:object_r:var_t        3 Jun 14:15 var

$ ls -lZ /sys/
total 0
drwxr-xr-x.   2 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 block/
drwxr-xr-x.  44 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 bus/
drwxr-xr-x.  73 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 class/
drwxr-xr-x.   4 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 dev/
drwxr-xr-x.  21 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 devices/
drwxr-xr-x.   6 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 firmware/
drwxr-xr-x.   9 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 fs/
drwxr-xr-x.   2 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 hypervisor/
drwxr-xr-x.  14 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 kernel/
drwxr-xr-x. 226 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 module/
drwxr-xr-x.   3 root root system_u:object_r:sysfs_t 0 Jul 23 13:04 power/

$ exa -lZ /sys/
drwxr-xr-x - root ? 23 Jul 13:04 block
drwxr-xr-x - root ? 23 Jul 13:04 bus
drwxr-xr-x - root ? 23 Jul 13:04 class
drwxr-xr-x - root ? 23 Jul 13:04 dev
drwxr-xr-x - root ? 23 Jul 13:04 devices
drwxr-xr-x - root ? 23 Jul 13:04 firmware
drwxr-xr-x - root ? 23 Jul 13:04 fs
drwxr-xr-x - root ? 23 Jul 13:04 hypervisor
drwxr-xr-x - root ? 23 Jul 13:04 kernel
drwxr-xr-x - root ? 23 Jul 13:04 module
drwxr-xr-x - root ? 23 Jul 13:04 power

jpds avatar Jul 23 '21 12:07 jpds

I can confirm that b4504f9 is working fantastically on my SELinux enabled systems.

jpds avatar Jul 23 '21 21:07 jpds

Did you take a look at the unit tests error? Sorry for the long time between reviews, I just don’t have much time these days.

ariasuni avatar Sep 01 '21 20:09 ariasuni

@ariasuni @cgzones Hi, what's the state of this PR? Would love to see this merged.

linusg avatar Mar 18 '22 15:03 linusg

Last review for me, afterward I’d like to merge this, but the Vagrant tests aren’t up-to-date.

Thanks for reviewing.

Do you think you could either add this to this PR, or do a PR later to add them? Right now, there are tests checking the output of exa with xattrs in xtests/attributes.toml and xtests/details-view-permissions.toml.

I briefly tried to run a vagrant virtual machine with a libvirt backend, but it didn't seem to work out of the box. For me it would be easiest if the integration tests are enabled in the GitHub CI.

cgzones avatar Mar 30 '22 15:03 cgzones

I didn’t know Vagrant could use libvirt; I’ve successfully used it with Virtualbox. But these tests should obviously be in the CI in the mid/longterm (I had COVID so couldn’t really progress much on that front, anyway).

ariasuni avatar Apr 10 '22 18:04 ariasuni

Hello!

What's the status on this? Would love to see this merged. Is there any way I can help?

nnsee avatar Jul 26 '22 12:07 nnsee

I would also love to see this merged if there are no blockers.

rustysys-dev avatar Mar 27 '23 17:03 rustysys-dev

Closing this since exa is unmaintained (see https://github.com/ogham/exa/issues/1243), and this has been done in the active fork eza. Thanks anyway!

ariasuni avatar Sep 28 '23 17:09 ariasuni