From 1e6d7d75c9f98fe08d1c0f6ccb12615229547d80 Mon Sep 17 00:00:00 2001
From: Ana Hobden
Date: Mon, 19 Dec 2022 07:30:45 -0800
Subject: [PATCH] Do SELinux checks (#123)

* Do SELinux checks
* Add improved error message with issue link
* Improve SELinux error message
* Correct lint
---
 README.md | 6 ++++--
 src/error.rs | 2 +-
 src/planner/linux/multi.rs | 28 ++++++++++++++++++----------
 src/planner/mod.rs | 10 +++++++++-
 4 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index 0085040..41ca05e 100644
--- a/README.md
+++ b/README.md
@@ -16,13 +16,15 @@ Harmonic is **pre-release and experimental**. It is not ready for you to use! *P
 
 Planned support:
 
-* [x] Multi-user x86_64 Linux with systemd init
-* [x] Multi-user aarch64 Linux with systemd init
+* [x] Multi-user x86_64 Linux with systemd init, no SELinux
+* [x] Multi-user aarch64 Linux with systemd init, no SELinux
 * [x] Multi-user x86_64 MacOS
   + Note: User deletion is currently unimplemented, you need to use a user with a secure token and `dscl . -delete /Users/_nixbuild*` where `*` is each user number.
 * [x] Multi-user aarch64 MacOS
   + Note: User deletion is currently unimplemented, you need to use a user with a secure token and `dscl . -delete /Users/_nixbuild*` where `*` is each user number.
 * [x] Valve Steam Deck
+* [ ] Multi-user x86_64 Linux with systemd init, with SELinux
+* [ ] Multi-user aarch64 Linux with systemd init, with SELinux
 * [ ] Single-user x86_64 Linux
 * [ ] Single-user aarch64 Linux
 * [ ] Others...
diff --git a/src/error.rs b/src/error.rs
index 4473f74..e02768d 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -55,7 +55,7 @@ pub enum HarmonicError {
     ),
 }
 
-pub(crate) trait HasExpectedErrors {
+pub(crate) trait HasExpectedErrors: std::error::Error + Sized + Send + Sync {
     fn expected<'a>(&'a self) -> Option>;
 }
 
diff --git a/src/planner/linux/multi.rs b/src/planner/linux/multi.rs
index cc8b652..dd6a046 100644
--- a/src/planner/linux/multi.rs
+++ b/src/planner/linux/multi.rs
@@ -37,6 +37,24 @@ impl Planner for LinuxMulti {
             return Err(PlannerError::NixOs);
         }
 
+        // We currently do not support SELinux
+        match Command::new("getenforce").output().await {
+            Ok(output) => {
+                let stdout_string = String::from_utf8(output.stdout).map_err(PlannerError::Utf8)?;
+                tracing::trace!(getenforce_stdout = stdout_string, "SELinux detected");
+                match stdout_string.trim() {
+                    "Enforcing" => return Err(PlannerError::SelinuxEnforcing),
+                    _ => (),
+                }
+            },
+            // The device doesn't have SELinux set up
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => (),
+            // Some unknown error
+            Err(e) => {
+                tracing::warn!(error = ?e, "Got an error checking for SELinux setting, this install may fail if SELinux is set to `Enforcing`")
+            },
+        }
+
         // For now, we don't try to repair the user's Nix install or anything special.
         if let Ok(_) = Command::new("nix-env")
             .arg("--version")
@@ -82,13 +100,3 @@ impl Into for LinuxMulti {
         BuiltinPlanner::LinuxMulti(self)
     }
 }
-
-#[derive(thiserror::Error, Debug)]
-enum LinuxMultiError {
-    #[error("Error planning action")]
-    Action(
-        #[source]
-        #[from]
-        Box,
-    ),
-}
diff --git a/src/planner/mod.rs b/src/planner/mod.rs
index ec0310b..c14651c 100644
--- a/src/planner/mod.rs
+++ b/src/planner/mod.rs
@@ -77,7 +77,7 @@ match plan.install(None).await {
 pub mod darwin;
 pub mod linux;
 
-use std::collections::HashMap;
+use std::{collections::HashMap, string::FromUtf8Error};
 
 use crate::{
     action::{ActionError, StatefulAction},
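Review bot: The check at `match Command::new("getenforce").output().await` silently passes in the `NotFound` arm when the `getenforce` binary is absent, yet the kernel can still be enforcing on a host that simply lacks the SELinux userland tools, so the install proceeds into exactly the failure the check is meant to catch. The kernel publishes the mode itself at `/sys/fs/selinux/enforce` (`1` when enforcing, file absent when SELinux is not loaded), which also removes the dependence on `PATH` lookup of an external binary; a fallback for the `NotFound` arm is sketched below, assuming `Command` here is tokio's so `tokio::fs` is in reach. Separately, the `Ok` arm never inspects `output.status`, so a `getenforce` that exits non-zero with empty stdout also falls through as if SELinux were off; guarding with `Ok(output) if output.status.success()` and routing a trailing `Ok(output)` arm to the same warning would close that. The single-arm `match stdout_string.trim()` is what clippy flags as `single_match`; `if stdout_string.trim() == "Enforcing" { return Err(PlannerError::SelinuxEnforcing); }` reads better. The enclosing `plan` function continues past the end of the hunk.
```rust
// … unchanged: Ok(output) arm …
// The device doesn't have `getenforce`; fall back to the kernel's own view of the mode
Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
    if let Ok(enforce) = tokio::fs::read_to_string("/sys/fs/selinux/enforce").await {
        tracing::trace!(selinux_enforce = enforce.trim(), "SELinux detected via sysfs");
        if enforce.trim() == "1" {
            return Err(PlannerError::SelinuxEnforcing);
        }
    }
},
// … unchanged: unknown-error arm …
```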
@@ -189,6 +189,12 @@ pub enum PlannerError {
     /// A MacOS (Darwin) plist related error
     #[error(transparent)]
     Plist(#[from] plist::Error),
+    /// A Linux SELinux related error
+    #[error("This installer doesn't yet support SELinux in `Enforcing` mode. If SELinux is important to you, please see https://github.com/DeterminateSystems/harmonic/issues/124. You can also try again after setting SELinux to `Permissive` mode with `setenforce Permissive`")]
+    SelinuxEnforcing,
+    /// A UTF-8 related error
+    #[error("UTF-8 error")]
+    Utf8(#[from] FromUtf8Error),
     /// Custom planner error
     #[error("Custom planner error")]
     Custom(#[source] Box),
@@ -205,6 +211,8 @@ impl HasExpectedErrors for PlannerError {
             PlannerError::Action(_) => None,
             PlannerError::InstallSettings(_) => None,
             PlannerError::Plist(_) => None,
+            PlannerError::Utf8(_) => None,
+            PlannerError::SelinuxEnforcing => Some(Box::new(self)),
             PlannerError::Custom(_) => None,
             this @ PlannerError::NixOs => Some(Box::new(this)),
             this @ PlannerError::NixExists => Some(Box::new(this)),
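Review bot: The `SelinuxEnforcing` message tells the user to run `setenforce Permissive` without saying that this drops SELinux enforcement for the whole host, not just for this installer, and stays that way until it is reverted or the machine reboots. An installer error is exactly the place people copy commands from, so the advice should carry its cost, e.g. append ` (this turns off enforcement system-wide until you run `setenforce Enforcing` again or reboot)` to the string. Whether store paths written while permissive then need relabeling is not something this diff shows, but the linked issue is the place to say so. The `Utf8` variant's `"UTF-8 error"` text names nothing about what was being decoded; `"Output of a helper command was not valid UTF-8"` would help whoever reads the log.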
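Review bot: The new `PlannerError::SelinuxEnforcing => Some(Box::new(self))` arm breaks the pattern of its neighbours, which bind the matched value with `this @ PlannerError::NixOs => Some(Box::new(this))`; writing it as `this @ PlannerError::SelinuxEnforcing => Some(Box::new(this))` keeps the impl uniform and makes clear that the boxed value is the matched error. Both spellings behave the same here, so this is style only. The `match` and its enclosing `expected` method begin before the hunk.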