Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add label to rules #293

Merged
merged 2 commits into from
Jun 13, 2019
Merged

Add label to rules #293

merged 2 commits into from
Jun 13, 2019

Conversation

tweksteen
Copy link
Member

This PR adds a new attribute to the Rule class named "label", as suggested in #283. This attribute can be used to store further background on a rule. For instance, allow id 045e:00db label "user-preference". It is then possible use the command usbguard list-rules -l "user-preference" to only return the rules matching this label.

Worth noticing:

  • The IPC definition of listRules has been simplified to only return vector<Rule> (there is currently no client for the default_target attribute, both list-rules and dbus discard that value). If required, this could be implemented in another IPC method).
  • The "query" parameter is used directly to store the label. This could be renamed to avoid misunderstandings. I also explored the option of creating a query rule and performing the matching via appliesTo but this changes the semantic of the rule (i.e. any rule without the label would not match anymore). Happy to change this point if another approach makes more sense.
  • I dropped the check that a response is necessarily provided (with only optional/repeated fields, this might not be the case). Ideally, this should be implemented within payloadToMessage by verifying the returned value of ParseFromString. I would also suggest moving all the required field to optional at some point (reasoning at why messge type remove 'required,optional'? protocolbuffers/protobuf#2497).

@tweksteen
Add the label attribute to rule
4037434 
A new attribute is added to associate an arbitrary string to a rule.
This string can, for instance, be used to store the origin of the
rule or some contextual information about it. This attribute is not
used when testing if a rule applies to a device.
@tweksteen tweksteen force-pushed the add_label_to_rules branch from b206419 to 0d40a2a Compare May 27, 2019 13:19
@tweksteen
Add option to filter rules by label when listing
e6b2d21 
Redefine listRules IPC method to only return vector<Rule> and not
a RuleSet. The query parameter is reused for matching against the
label of the rule.
@tweksteen tweksteen force-pushed the add_label_to_rules branch from 0d40a2a to e6b2d21 Compare May 29, 2019 06:11
@coveralls
Copy link

Coverage Status

Coverage decreased (-0.1%) to 57.188% when pulling e6b2d21 on tweksteen:add_label_to_rules into f011198 on USBGuard:master.

@dkopecek dkopecek requested review from dkopecek and radosroka June 11, 2019 11:55
@dkopecek
Copy link
Member

This PR adds a new attribute to the Rule class named "label", as suggested in #283. This attribute can be used to store further background on a rule. For instance, allow id 045e:00db label "user-preference". It is then possible use the command usbguard list-rules -l "user-preference" to only return the rules matching this label.

Thanks again, this looks like an useful usability improvement.

Worth noticing:

* The IPC definition of listRules has been simplified to only return `vector<Rule>` (there is currently no client for the default_target attribute, both list-rules and dbus discard that value). If required, this could be implemented in another IPC method).

Ok, that makes sense.

* The "query" parameter is used directly to store the label. This could be renamed to avoid misunderstandings. I also explored the option of creating a query rule and performing the matching via appliesTo but this changes the semantic of the rule (i.e. any rule without the label would not match anymore). Happy to change this point if another approach makes more sense.

I have to look at the code again here, as I don't remember what was the intention. I think the query was supposed to be used to filter the result if needed.

* I dropped the check that a response is necessarily provided (with only optional/repeated fields, this might not be the case). Ideally, this should be implemented within `payloadToMessage` by verifying the returned value of ParseFromString. I would also suggest moving all the required field to optional at some point (reasoning at [protocolbuffers/protobuf#2497](https://github.com/protocolbuffers/protobuf/issues/2497)).

Ok, I've read the linked issue and agree with dropping the required/optional annotations.

@dkopecek
Copy link
Member 

* i.e. any rule without the label would not match anymore

Is this a problem? Maybe I'm not seeing the problem here. I would say this is how it should behave. i.e. list-rules should list rules that match on the attributes of the query rule:

query: match label "foo"

rule "allow id 1234:4568 label "foo" (matches)
rule "allow id 1234:4568" (does not match)
rule "allow id 1234:4568 label "bar" (does not match)
...

@tweksteen
Copy link
Member Author

Is this a problem? Maybe I'm not seeing the problem here. I would say this is how it should behave. i.e. list-rules should list rules that match on the attributes of the query rule:

It is not a problem for list-rules, which would work as expected. But it is a problem for the standard rule matching when evaluating if a device should be authorised or denied. In this case, the device rule does not contain that label and therefore does not match any rule anymore. (This was implemented within the appliesTo method of RulePrivale.cpp, there might be another way to make that work).

@dkopecek
Copy link
Member

Is this a problem? Maybe I'm not seeing the problem here. I would say this is how it should behave. i.e. list-rules should list rules that match on the attributes of the query rule:

It is not a problem for list-rules, which would work as expected. But it is a problem for the standard rule matching when evaluating if a device should be authorised or denied. In this case, the device rule does not contain that label and therefore does not match any rule anymore. (This was implemented within the appliesTo method of RulePrivale.cpp, there might be another way to make that work).

Ok, I see that now. To be honest I don't like that the list rules query parameter is now reserved and interpreted only as the label attribute value. But let's not block this feature on such a minor detail. We can meditate on it and deal with it later :-) Maybe there should be some sort of context parameter that would tell the API how to handle the "appliesTo" logic. Or the "device" and "match" rule targets [1] could be used to parametrize the applicability logic, e.g. a "match ..." rule when applied to a "device ..." rule would not invoke the matching on label attributes.

[1] https://github.com/USBGuard/usbguard/blob/master/src/Library/public/usbguard/Rule.hpp#L59

dkopecek
dkopecek approved these changes Jun 13, 2019
View reviewed changes
Copy link
Member

@dkopecek dkopecek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LG(enough)TM

@dkopecek dkopecek merged commit a392e80 into USBGuard:master Jun 13, 2019
This was referenced Jun 19, 2019
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dkopecek dkopecek dkopecek approved these changes

@radosroka radosroka Awaiting requested review from radosroka

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tweksteen @coveralls @dkopecek