Deny unknown fields in selinux manifest configuration

esrlabs · Oct 19, 2023 · 33e1d0a · 33e1d0a
1 parent ee02529
commit 33e1d0a
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/examples/inspect/manifest.yaml b/examples/inspect/manifest.yaml
@@ -31,4 +31,5 @@ rlimits:
     hard: 20000
 suppl_groups: [src, inet]
 selinux:
-  context: unconfined_u:object_r:user_home_t:s0
+  mount_context: unconfined_u:object_r:user_home_t:s0
+  exec: unconfined_u:object_r:inspect_t:s0
diff --git a/examples/test-container/manifest.yaml b/examples/test-container/manifest.yaml
@@ -61,7 +61,8 @@ seccomp:
     clone: any # Needed for socket tests.
     clone3: any # Needed for socket tests.
 selinux:
-  context: unconfined_u:object_r:user_home_t:s0
+  mount_context: unconfined_u:object_r:user_home_t:s0
+  exec: unconfined_u:object_r:test_container_t:s0
 sockets:
   datagram:
     type: datagram

diff --git a/northstar-runtime/src/npk/manifest/selinux.rs b/northstar-runtime/src/npk/manifest/selinux.rs
@@ -5,6 +5,7 @@ use crate::common::non_nul_string::NonNulString;
 
 /// SELinux configuration
 #[derive(Clone, Eq, PartialEq, Debug, Validate, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
 pub struct Selinux {
     /// Default SE label (mount option context=...).
     #[validate(custom = "validate_context")]
@@ -59,3 +60,15 @@ fn validate_context_with_space() {
 fn validate_invalid_empty_context() {
     assert!(validate_context("").is_err());
 }
+
+#[test]
+fn deserialize_unknown_field() {
+    serde_json::from_str::<Selinux>(
+        "{
+        \"mount_context\": \"system_u:object_r:container_file_t:s0\",
+        \"exec\": \"system_u:object_r:container_file_t:s0\",
+        \"unknown\": \"system_u:object_r:container_file_t:s0\"
+    }",
+    )
+    .expect_err("unknown field should not be deserialized");
+}