From db3a63a08ca062e3290cfebc9fa130ee1cb4d34e Mon Sep 17 00:00:00 2001
From: Felix Obenhuber <felix.obenhuber@esrlabs.com>
Date: Thu, 19 Oct 2023 13:01:50 +0200
Subject: [PATCH] Deny unknown fields in selinux manifest configuration

---
 northstar-runtime/src/npk/manifest/selinux.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/northstar-runtime/src/npk/manifest/selinux.rs b/northstar-runtime/src/npk/manifest/selinux.rs
index acd59a05f..dc9c1b0ed 100644
--- a/northstar-runtime/src/npk/manifest/selinux.rs
+++ b/northstar-runtime/src/npk/manifest/selinux.rs
@@ -5,6 +5,7 @@ use crate::common::non_nul_string::NonNulString;
 
 /// SELinux configuration
 #[derive(Clone, Eq, PartialEq, Debug, Validate, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
 pub struct Selinux {
     /// Default SE label (mount option context=...).
     #[validate(custom = "validate_context")]
@@ -59,3 +60,15 @@ fn validate_context_with_space() {
 fn validate_invalid_empty_context() {
     assert!(validate_context("").is_err());
 }
+
+#[test]
+fn deserialize_unknown_field() {
+    serde_json::from_str::<Selinux>(
+        "{
+        \"mount_context\": \"system_u:object_r:container_file_t:s0\",
+        \"exec\": \"system_u:object_r:container_file_t:s0\",
+        \"unknown\": \"system_u:object_r:container_file_t:s0\"
+    }",
+    )
+    .expect_err("unknown field should not be deserialized");
+}