Merge pull request #854 from sylvestre/kernel

Add a check of the kernel version
trifectatechfoundation · Jul 15, 2024 · 2ac8cbb · 2ac8cbb
2 parents b3b90d2 + 41aed0a
commit 2ac8cbb
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 0 deletions.
diff --git a/src/common/error.rs b/src/common/error.rs
@@ -13,6 +13,7 @@ pub enum Error {
         other_user: Option<SudoString>,
     },
     SelfCheck,
+    KernelCheck,
     CommandNotFound(PathBuf),
     InvalidCommand(PathBuf),
     ChDirNotAllowed {
@@ -56,6 +57,7 @@ impl fmt::Display for Error {
             Error::SelfCheck => {
                 f.write_str("sudo must be owned by uid 0 and have the setuid bit set")
             }
+            Error::KernelCheck => f.write_str("sudo needs a Kernel >= 5.9"),
             Error::CommandNotFound(p) => write!(f, "'{}': command not found", p.display()),
             Error::InvalidCommand(p) => write!(f, "'{}': invalid command", p.display()),
             Error::UserNotFound(u) => write!(f, "user '{u}' not found"),

diff --git a/src/sudo/mod.rs b/src/sudo/mod.rs
@@ -3,6 +3,7 @@
 use crate::common::resolve::CurrentUser;
 use crate::common::{Context, Error};
 use crate::log::dev_info;
+use crate::system::kernel::kernel_check;
 use crate::system::timestamp::RecordScope;
 use crate::system::User;
 use crate::system::{time::Duration, timestamp::SessionRecordFile, Process};
@@ -84,6 +85,7 @@ fn sudo_process() -> Result<(), Error> {
     dev_info!("development logs are enabled");
 
     self_check()?;
+    kernel_check(5, 9)?;
 
     let pipeline = Pipeline {
         policy: SudoersPolicy::default(),

diff --git a/src/system/kernel.rs b/src/system/kernel.rs
@@ -0,0 +1,37 @@
+use std::ffi::CStr;
+
+use std::mem::zeroed;
+
+use crate::common::Error;
+
+pub fn kernel_check(major: u32, minor: u32) -> Result<(), Error> {
+    let mut utsname: libc::utsname = unsafe { zeroed() };
+
+    if unsafe { libc::uname(&mut utsname) } != 0 {
+        // Could not get the kernel version. Try to run anyway
+        return Ok(());
+    }
+
+    let release = unsafe { CStr::from_ptr(utsname.release.as_ptr()) }
+        .to_string_lossy()
+        .into_owned();
+
+    let version_parts: Vec<&str> = release.split('.').collect();
+
+    if version_parts.len() < 2 {
+        // Could not get the kernel version. Try to run anyway
+        return Ok(());
+    }
+
+    // Parse the major and minor version numbers
+    if let (Ok(major_version), Ok(minor_version)) = (
+        version_parts[0].parse::<u32>(),
+        version_parts[1].parse::<u32>(),
+    ) {
+        if major_version > major || (major_version == major && minor_version >= minor) {
+            return Ok(());
+        }
+    }
+
+    Err(Error::KernelCheck)
+}
diff --git a/src/system/mod.rs b/src/system/mod.rs
@@ -30,6 +30,8 @@ mod audit;
 // generalized traits for when we want to hide implementations
 pub mod interface;
 
+pub mod kernel;
+
 pub mod file;
 
 pub mod time;