Refactor: Remove wildcard-denied option from configuration and related code

- Removed "wildcard-denied" option from rootasrole.json and associated code in CLI and data structures.
- Updated CLI commands and help documentation to reflect the removal of wildcard-denied.
- Cleaned up tests and processing logic that referenced wildcard-denied.
- Adjusted capability handling to ensure proper functionality without wildcard-denied.

Author: LeChatP

.cargo/config.toml

@@ -1,5 +1,28 @@
 [alias]
 xtask = "run --package xtask --release --bin xtask --"
+test-root = [
+    "test",
+    "--workspace",
+    "--all-features",
+    "--all-targets",
+    "--config",
+    "target.\"cfg(all())\".runner=\"/usr/bin/sudo -E\"",
+    "--"
+]
+
+coverage = [
+    "--config",
+    "target.\"cfg(all())\".runner=\"/usr/bin/sudo -E\"",
+    "tarpaulin",
+    "--workspace",
+    "--all-features",
+    "--timeout",
+    "120",
+    "--exclude-files",
+    "build.rs", "xtask/src/*",
+    "-e",
+    "xtask",
+]
 
 [env]
 RAR_CFG_TYPE = "json"
@@ -22,5 +45,4 @@ RAR_ENV_SET_LIST = ""
 RAR_ENV_OVERRIDE_BEHAVIOR = "false"
 RAR_AUTHENTICATION = "perform"
 RAR_USER_CONSIDERED = "user"
-RAR_BOUNDING = "strict"
-RAR_WILDCARD_DENIED = "&|"
+RAR_BOUNDING = "strict"

Cargo.toml

@@ -51,6 +51,12 @@ name = "chsr"
 path = "src/chsr/main.rs"
 required-features = ["editor"]
 
+# Integration tests that require root privileges
+[[test]]
+name = "integration_tests"
+path = "tests/integration_tests.rs"
+required-features = ["finder"]
+
 [features]
 finder = ["pcre2", "rar-common/finder"]
 pcre2 = ["dep:pcre2", "rar-common/pcre2"]

book/src/chsr/README.md

@@ -69,7 +69,6 @@ chsr role [role_name] task [task_name] options [option] [operation]
   <b>env</b>                           Manage environment variable settings (set, whitelist, blacklist, checklist).
   <b>root</b> [policy]                 Defines when the root user (uid == 0) gets his privileges by default. (privileged, user, inherit)
   <b>bounding</b> [policy]             Defines when dropped capabilities are permanently removed in the instantiated process. (strict, ignore, inherit)
-  <b>wildcard-denied</b>               Manage chars that are denied in binary path.
   <b>timeout</b>                       Manage timeout settings (set, unset).
 
 

book/src/chsr/file-config.md

@@ -59,7 +59,6 @@ The following example shows a RootAsRole config without plugins when almost ever
     },
     "root": "privileged", // Default policy for root: privileged, user, inherit
     "bounding": "ignore", // Default policy for bounding: strict, ignore, inherit
-    "wildcard-denied": "*", // Characters denied in any binary path
     "timeout": {
       "type": "ppid", // Type of timeout: tty, ppid, uid
       "duration": "15:30:30", // Duration of the timeout in HH:MM:SS format
@@ -165,7 +164,6 @@ The following example shows a RootAsRole config without plugins when almost ever
             },
             "root": "privileged",
             "bounding": "ignore",
-            "wildcard-denied": "*",
             "timeout": {
               "type": "ppid",
               "duration": "15:30:30",
@@ -203,7 +201,6 @@ The following example shows a RootAsRole config without plugins when almost ever
         },
         "root": "privileged",
         "bounding": "ignore",
-        "wildcard-denied": "*",
         "timeout": {
           "type": "ppid",
           "duration": "15:30:30",

rar-common/src/database/options.rs

@@ -47,7 +47,6 @@ pub enum OptType {
     Env,
     Root,
     Bounding,
-    Wildcard,
     Timeout,
 }
 
@@ -260,8 +259,6 @@ pub struct Opt {
     pub bounding: Option<SBounding>,
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub authentication: Option<SAuthentication>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub wildcard_denied: Option<String>,
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub timeout: Option<STimeout>,
     #[serde(default, flatten)]
@@ -278,7 +275,6 @@ impl Opt {
         root: Option<SPrivileged>,
         bounding: Option<SBounding>,
         authentication: Option<SAuthentication>,
-        #[builder(into)] wildcard_denied: Option<String>,
         timeout: Option<STimeout>,
         #[builder(default)] _extra_fields: Map<String, Value>,
     ) -> Self {
@@ -289,7 +285,6 @@ impl Opt {
             root,
             bounding,
             authentication,
-            wildcard_denied,
             timeout,
             _extra_fields,
         }
@@ -344,7 +339,6 @@ impl Opt {
                     )
                     .build(),
             )
-            .wildcard_denied(env!("RAR_WILDCARD_DENIED"))
             .build()
     }
 }
@@ -357,7 +351,6 @@ impl Default for Opt {
             root: Some(SPrivileged::default()),
             bounding: Some(SBounding::default()),
             authentication: None,
-            wildcard_denied: None,
             timeout: None,
             _extra_fields: Map::default(),
             level: Level::Default,
@@ -897,15 +890,6 @@ impl OptStack {
                 })
                 .map(|(_, authentication)| authentication),
             )
-            .maybe_wildcard_denied(
-                self.find_in_options(|opt| {
-                    opt.wildcard_denied
-                        .borrow()
-                        .as_ref()
-                        .map(|wildcard| (opt.level, wildcard.clone()))
-                })
-                .map(|(_, wildcard)| wildcard),
-            )
             .maybe_timeout(
                 self.find_in_options(|opt| opt.timeout.clone().map(|timeout| (opt.level, timeout)))
                     .map(|(_, timeout)| timeout),
@@ -1061,7 +1045,6 @@ mod tests {
                                         .duration(Duration::minutes(3))
                                         .build(),
                                 )
-                                .wildcard_denied("c")
                                 .build()
                             })
                             .build(),
@@ -1087,7 +1070,6 @@ mod tests {
                                 .duration(Duration::minutes(2))
                                 .build(),
                         )
-                        .wildcard_denied("b")
                         .build()
                     })
                     .build(),
@@ -1113,7 +1095,6 @@ mod tests {
                         .duration(Duration::minutes(1))
                         .build(),
                 )
-                .wildcard_denied("a")
                 .build()
             })
             .build();
@@ -1178,7 +1159,6 @@ mod tests {
             global_options.timeout.as_ref().unwrap().type_field.unwrap(),
             TimestampType::TTY
         );
-        assert_eq!(global_options.wildcard_denied.as_ref().unwrap(), "a");
         let opt = OptStack::from_role(config.clone().role("test").unwrap()).to_opt();
         let role_options = opt.as_ref().borrow();
         assert_eq!(
@@ -1222,7 +1202,6 @@ mod tests {
             role_options.timeout.as_ref().unwrap().type_field.unwrap(),
             TimestampType::PPID
         );
-        assert_eq!(role_options.wildcard_denied.as_ref().unwrap(), "b");
         let opt = OptStack::from_task(config.task("test", 1).unwrap()).to_opt();
         let task_options = opt.as_ref().borrow();
         assert_eq!(
@@ -1269,7 +1248,6 @@ mod tests {
             task_options.timeout.as_ref().unwrap().type_field.unwrap(),
             TimestampType::TTY
         );
-        assert_eq!(task_options.wildcard_denied.as_ref().unwrap(), "c");
     }
 
     #[test]

rar-common/src/database/structs.rs

@@ -709,7 +709,6 @@ mod tests {
                 "root": "privileged",
                 "bounding": "ignore",
                 "authentication": "skip",
-                "wildcard-denied": "wildcards",
                 "timeout": {
                     "type": "ppid",
                     "duration": "00:05:00"
@@ -786,7 +785,6 @@ mod tests {
         assert!(options.root.as_ref().unwrap().is_privileged());
         assert!(options.bounding.as_ref().unwrap().is_ignore());
         assert_eq!(options.authentication, Some(SAuthentication::Skip));
-        assert_eq!(options.wildcard_denied.as_ref().unwrap(), "wildcards");
 
         let timeout = options.timeout.as_ref().unwrap();
         assert_eq!(timeout.type_field, Some(TimestampType::PPID));
@@ -859,7 +857,6 @@ mod tests {
                 },
                 "allow-root": false,
                 "allow-bounding": false,
-                "wildcard-denied": "wildcards",
                 "timeout": {
                     "type": "ppid",
                     "duration": "00:05:00",
@@ -975,7 +972,6 @@ mod tests {
                 "root": "privileged",
                 "bounding": "ignore",
                 "authentication": "skip",
-                "wildcard-denied": "wildcards",
                 "timeout": {
                     "type": "ppid",
                     "duration": "00:05:00"
@@ -1042,7 +1038,6 @@ mod tests {
         assert!(options.root.as_ref().unwrap().is_privileged());
         assert!(options.bounding.as_ref().unwrap().is_ignore());
         assert_eq!(options.authentication, Some(SAuthentication::Skip));
-        assert_eq!(options.wildcard_denied.as_ref().unwrap(), "wildcards");
 
         let timeout = options.timeout.as_ref().unwrap();
         assert_eq!(timeout.type_field, Some(TimestampType::PPID));
@@ -1153,7 +1148,6 @@ mod tests {
                 .root(SPrivileged::Privileged)
                 .bounding(SBounding::Ignore)
                 .authentication(SAuthentication::Skip)
-                .wildcard_denied("wildcards")
                 .timeout(
                     STimeout::builder()
                         .type_field(TimestampType::PPID)