From 57d7f91fa89f4abfe30767213960044d6c6b05b6 Mon Sep 17 00:00:00 2001
From: Martin Liska
Date: Tue, 24 Sep 2019 13:05:03 +0200
Subject: [PATCH] Come up with PAMModules check.

---
 rpmlint/checks/PAMModulesCheck.py | 27 ++++++++++++++++++++++
 rpmlint/configdefaults.toml | 3 +++
 rpmlint/descriptions/PAMModulesCheck.toml | 4 ++++
 test/binary/pam-module-1.0-0.x86_64.rpm | Bin 0 -> 7932 bytes
 test/test_pam_modules.py | 21 +++++++++++++++++
 5 files changed, 55 insertions(+)
 create mode 100644 rpmlint/checks/PAMModulesCheck.py
 create mode 100644 rpmlint/descriptions/PAMModulesCheck.toml
 create mode 100644 test/binary/pam-module-1.0-0.x86_64.rpm
 create mode 100644 test/test_pam_modules.py

diff --git a/rpmlint/checks/PAMModulesCheck.py b/rpmlint/checks/PAMModulesCheck.py
new file mode 100644
index 00000000..733056f7
--- /dev/null
+++ b/rpmlint/checks/PAMModulesCheck.py
@@ -0,0 +1,27 @@
+import re
+
+from rpmlint.checks.AbstractCheck import AbstractCheck
+
+
+class PAMModulesCheck(AbstractCheck):
+    pam_module_re = re.compile(r'^(?:/usr)?/lib(?:64)?/security/([^/]+\.so)$')
+
+    def __init__(self, config, output):
+        super().__init__(config, output)
+        self.pam_whitelist = config.configuration['PAMModulesWhiteList']
+
+    def check(self, pkg):
+        if pkg.isSource():
+            return
+
+        files = pkg.files()
+
+        for f in files:
+            if f in pkg.ghostFiles():
+                continue
+
+            m = self.pam_module_re.match(f)
+            if m:
+                bn = m.groups()[0]
+                if bn not in self.pam_whitelist:
+                    self.output.add_info('E', pkg, 'pam-unauthorized-module', bn)
diff --git a/rpmlint/configdefaults.toml b/rpmlint/configdefaults.toml
index 045934a6..84de349c 100644
--- a/rpmlint/configdefaults.toml
+++ b/rpmlint/configdefaults.toml
@@ -283,6 +283,9 @@ ValidLicenses = []
 
 # Default valid license exceptions
 ValidLicenseExceptions = []
 
+# Default white list for PAM modules
+PAMModulesWhiteList = []
+
 # Additional warnings on specific function calls
 [WarnOnFunction]
 #[WarnOnFunction.testname]
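Review bot: In `check`, `pkg.ghostFiles()` is evaluated again on every iteration of the file loop and the capture is read through `m.groups()[0]`; hoist the ghost list once before the loop (`ghosts = pkg.ghostFiles()` / `if f in ghosts: continue`) and read the capture as `bn = m.group(1)`. The class has no docstring, and the property a packager most needs to know — that the gate is by file name only, so any `.so` placed directly under `/lib/security`, `/lib64/security` or their `/usr` counterparts passes as soon as its basename is whitelisted — should be stated there: `"""Report PAM modules (…/lib[64]/security/*.so) whose file name is not listed in PAMModulesWhiteList."""`. `config.configuration['PAMModulesWhiteList']` raises KeyError if a configuration lacks the key; the default added to configdefaults.toml in this patch covers the shipped config, but if `configuration` is a plain mapping a `.get('PAMModulesWhiteList', [])` would keep the check loadable under an older user config as well.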
diff --git a/rpmlint/descriptions/PAMModulesCheck.toml b/rpmlint/descriptions/PAMModulesCheck.toml
new file mode 100644
index 00000000..1d48a066
--- /dev/null
+++ b/rpmlint/descriptions/PAMModulesCheck.toml
@@ -0,0 +1,4 @@
+pam-unauthorized-module="""
+The package installs a PAM module. If the package
+is intended for inclusion the PAM module name must
+be included in the white list.
diff --git a/test/binary/pam-module-1.0-0.x86_64.rpm b/test/binary/pam-module-1.0-0.x86_64.rpm new file mode 100644 index 0000000000000000000000000000000000000000..c5cf1910d2176d10c1c5608ce1bf9774a436a36c GIT binary patch literal 7932 zcmeI1dt4J&7RM)oidYpzMXA=YwYwlBWb&9KEND?cXc16UL_j*PKp@G)nFI;7TGY1U zyFSp5_FHSp<_rRO|vwq<8%fC%NQ7yUaw~uqd|kwT1u;?&^=}3IF6vTj8ds4IZjQI zl%7_SMx~lI(kd0H;8ki8ndayb77fyaOenRG#SwUW(+8*t~ zFnyZK8dDIVv%#vmpN`C4K~o>{ldy42tZv61R4+tgpmRC61K%87Ryzi;?(u z$(}6nKO|1?U{5p`G#LvD@92r2dz688c{_9}@{&Jkad7`+$7Ad}wLvmY=TkKPN#;|B`;(Q>$W04Ufy;T`HZ5ER*! z68lTMT;c#w@ZV`CD6E%fw8Z-*9s`Q}T>(Y&#YkKyaV#kEe@EiUpr}7ucho;cvOkeH zt;6oB1|mDkJB;^$=ITFH;vo{#pb($OJD?~&R^sata}w7}Y?S!6#Aw~n_(q8xpb(!& z8z`DT7Zm1ptvlj;V6^{>L18U?U*xG280Pmq1q%K=cS+m;ipG~qjOGRZp3e}E#{Q^x zVo>kIlrKHN?VM^NoN?7=w0TSbnsb9M(O;1p}J znMB59&BQsg$*#bo@)*u$=NxE+)$YwR48<{&9cLUi6HD3Q&dOVHo4}h`&I;Z{ht-ao ztYA0WD14g3g!4wDi7`<)%ZZ$TtQOvkTtoa=df_i`StudTWTp8$h3F7D1%ncVVPqA{ z<#Ogw-o{yzCMHFNMpKNP7o4Gj&0>Z~Lea~KcnJQYLx$7=<7qK8B!qUD%&Y<#U0!)1 zGvvQJ#Ky)>z>=JzowI~QQk(^{fx!fhJS;A|dM(Kqv^1eNa*R@^Hp0EmsAeb@ZKM~M!1H$O zm5)DGwxg1*5Cuj7Z;!^ncdYCBqt8q09sq&MNlhU1gAL{Va&sk*4j9c_Yyu~W92;#i zbMdeb#6V24p(l~1OqAV!JxipVW}b3&7GtPfE>Yl&ro30pvEt1%ds?n&X6)G^kZ7on9y91j0t)yBeGu*M-ioS4Ua@--`P(*uW0K zWOu%l1%=3CAr4UpF`H;o6Y}!?i{2raJVAxalPR+qmq%tqCybvE8=aDolrVAp=%{e8 z7)3k9vDKYDX zFB2RZc`_#mybvzH(G#q4yVJ&jC$pUoCrDhLi7_@4kLBfKT4^WB(N30k>`f^lATrh@ zxPo(HQE|~YsgcugwBwRS;bImga4gQ#*>EaqE2_XNFc^SdE6Q&Zj>Q#%+%?B%c<<$6pDYiC*FBlF!t3@>IxcQV{jKhE-W31RI;zX^ zPnQ0G2c~ohoVD|8d2P}gi#%>;FPQyyNqOSaLn&`vy!64f>~q2Kj89tIu;lqSTi5zn zKE2wLx;tB*k+UteC?kHvcm7pj<@dq@&SuOWvap`I@t`6xvaha9SW+?!UzLBdVRYwT zk2>SFESS|lwR60^xxsHy?z5SldR0~49lq)PrmQ|9KkMq{po@bq-1OVI*L(O{a_6xM z?TjIlbJw)&$$Ioj%E6xkmpty3xaz6xn|h`1Odz!iA2=5E;?uo5l{N4U5ngJ_HCu%jm0Ts!UPHbIYm}MS&>%x;2?U`p(-;`CW z53LevS~f;JsmQ?+51qZZe9nnI#7M8m=gueH`tF%9y3}J_$?CS5b2X0glrQmt*}(@K z8%svy?f!A<<|%w^^=k=Xy&v{@=fHx$eOQ~GI<4-vnb{Viv;4&S>uy)hAMfw~NPGND zK=hi=t4}_jhx@VhgS!=lW4d@ArTAUh(>#tA8A{Bl2t?ZF8RA 
zBCf5u=lR1V8T)hEpxz0C2ZrtHzU@w>*T9+>&$Y@mO>?hr4C~$ROi^U2w(HCm_N3qD z4|BppZ#J*=-AHIR6dmc_lOGu77dr0Z`R~V-cRfFA((=n`O}A9{BKsQ-7%}Mf#N%gv1H7R1o?faLj$Ly-xHKVE8QWN-mR+r;nOxw_7`ex#8$%7c* zyrJf?8>U?9T9O>J^r&B!f5gLynLh;{+CNNF_VsB$nfLsS{(bfhc@#nLSf`Jom#;UD zJl1E})|$+U$82bncR|6Wihk^TV-Q~ZJbQcp<)(FSbeprVF-Z1VahX0RclQeK zBWG?O*KWJoK7L^zpSUi&YHNDGM*oKRgrHxv zb^8xKr5Z-W+0I>`7WP^El9Usg*3UO#>z#k^c0+$Gh7Vp;v-PB+dtLGM<7LNo>>d%< z@?>2l)37|Vc}3vTT(9tR&LV+YF=5=C`9WB0VeH=cvWZ_!{2*lhSL=NVXQ(4%?MGD~ z`+0plZn5TBR`EK+7mX!hA8>cZtvi&tHSv9=WkczMn~9^UqB4Ew$6eo7P+TMP>#?fo zKxJFS+3IVnu4wi33yv6qZ?e6LSDM9w_gZ_`_+Pu}-D+q)OtWt;<2P)YDkd&jQW6~f zkECA%EUgv$PVKPl4E*+o2gAPL4RL%f=5fyc;44Z|wD-Htvlrk0;hp`fpU&%kEo@Ke z>ACxe(VlbaR}~f~EW;x5?Ks|Ag9VPkR> gD~7E8oX2F}cdNBwSX%j7y8P~qL9RcF-YHZ534FtEvj6}9 literal 0 HcmV?d00001 diff --git a/test/test_pam_modules.py b/test/test_pam_modules.py new file mode 100644 index 00000000..ec9d560e --- /dev/null +++ b/test/test_pam_modules.py @@ -0,0 +1,21 @@ +import pytest +from rpmlint.checks.PAMModulesCheck import PAMModulesCheck +from rpmlint.filter import Filter + +from Testing import CONFIG, get_tested_package + + +@pytest.fixture(scope='function', autouse=True) +def pammodulecheck(): + CONFIG.info = True + output = Filter(CONFIG) + test = PAMModulesCheck(CONFIG, output) + return output, test + + +@pytest.mark.parametrize('package', ['binary/pam-module']) +def test_pam_modules(tmpdir, package, pammodulecheck): + output, test = pammodulecheck + test.check(get_tested_package(package, tmpdir)) + out = output.print_results(output.results) + assert 'E: pam-unauthorized-module pam-module.so' in out
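Review bot: `test_pam_modules` only covers the rejection path; nothing exercises the whitelist, so a regression that ignored `PAMModulesWhiteList` altogether would still pass. Add a second case that whitelists `pam-module.so` and asserts the error is absent, using pytest's `monkeypatch.setitem` so the value is restored afterwards — `CONFIG` is shared module state, and the fixture already mutates `CONFIG.info` without restoring it. This assumes `CONFIG.configuration` is a plain mapping, as the check's subscript on it suggests. `autouse=True` on `pammodulecheck` is also redundant, since the test requests the fixture by name.
```python
@pytest.mark.parametrize('package', ['binary/pam-module'])
def test_pam_modules_whitelisted(tmpdir, package, monkeypatch):
    monkeypatch.setitem(CONFIG.configuration, 'PAMModulesWhiteList', ['pam-module.so'])
    output = Filter(CONFIG)
    test = PAMModulesCheck(CONFIG, output)
    test.check(get_tested_package(package, tmpdir))
    out = output.print_results(output.results)
    assert 'pam-unauthorized-module' not in out
```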