collect kernel config

Author: bleggett

src/checkers/kernel.rs

@@ -1,21 +1,20 @@
 use crate::helpers::{
     CheckGroup, CheckGroupResult, CheckResult,
-    CheckResultValue::{Errored, Failed, Passed}, host_executor::HostNamespaceExecutor,
+    CheckResultValue::{Errored, Failed, Passed},
+    host_executor::HostNamespaceExecutor,
 };
 
 use anyhow::{Result, bail};
 use async_trait::async_trait;
+use futures::{FutureExt, future::join_all};
 use log::debug;
 use procfs::{Current, sys::kernel};
 use std::{fs, path::PathBuf, process::Command};
-use futures::{future::join_all, FutureExt};
 
 const GROUP_IDENTIFIER: &str = "KernelChecks";
 const NAME: &str = "Kernel Checks";
 // TODO (bml) assemble actual list
-const REQUIRED_MODULES: &[&str] = &[
-    "nf_tables",
-];
+const REQUIRED_MODULES: &[&str] = &["nf_tables"];
 
 pub struct KernelChecks {
     host_executor: HostNamespaceExecutor,
@@ -29,12 +28,7 @@ impl KernelChecks {
     /// Run all the checkers asynchronously, then
     /// join and collect the results.
     pub async fn run_all(&self) -> CheckGroupResult {
-        let results = join_all([
-            self.has_modules().boxed(),
-            self.version_is_good().boxed(),
-        ])
-        .await;
-
+        let results = join_all([self.has_modules().boxed(), self.version_is_good().boxed()]).await;
 
         let mut group_result = Passed;
         for res in results.iter() {
@@ -60,9 +54,11 @@ impl KernelChecks {
         let mut result = Passed;
 
         // Get host kernel version
-        let current = self.host_executor.spawn_in_host_ns(async {
-            kernel::Version::current()
-        }).await.expect("error spawning in host");
+        let current = self
+            .host_executor
+            .spawn_in_host_ns(async { kernel::Version::current() })
+            .await
+            .expect("error spawning in host");
 
         if let Err(e) = current {
             return CheckResult::new(&name, Errored(e.to_string()));
@@ -80,18 +76,23 @@ impl KernelChecks {
         let name = String::from("Host Has Necessary Modules");
         let mut result = Passed;
 
-        let required_modules: Vec<String> = REQUIRED_MODULES.iter().map(|s| s.to_string()).collect();
+        let required_modules: Vec<String> =
+            REQUIRED_MODULES.iter().map(|s| s.to_string()).collect();
 
         // Search builtin modules
         let remaining = match self.find_builtins(&required_modules).await {
             Ok(r) => r,
-            Err(e) => return CheckResult::new(&name, Errored(format!("getting kernel builtins {e}"))),
+            Err(e) => {
+                return CheckResult::new(&name, Errored(format!("getting kernel builtins {e}")));
+            }
         };
 
         // Search loaded modules
         let remaining = match self.find_loaded(&remaining).await {
             Ok(r) => r,
-            Err(e) => return CheckResult::new(&name, Errored(format!("getting kernel modules {e}"))),
+            Err(e) => {
+                return CheckResult::new(&name, Errored(format!("getting kernel modules {e}")));
+            }
         };
         if !remaining.is_empty() {
             result = Failed(format!("missing {:?}", remaining))
@@ -107,20 +108,21 @@ impl KernelChecks {
         let mut modules_to_find: Vec<String> = required_modules.clone();
 
         // read host builtins
-        let builtins = self.host_executor.spawn_in_host_ns(async move {
-            // Get kernel version
-            let output = Command::new("uname")
-                .arg("-r")
-                .output()?;
-
-            if !output.status.success() {
-                let error_message = String::from_utf8_lossy(&output.stderr);
-                bail!("{}", error_message.to_string());
-            }
-            let kernel_version = String::from_utf8_lossy(&output.stdout).trim().to_string();
-            let path = PathBuf::from(format!("/lib/modules/{kernel_version}/modules.builtin"));
-            fs::read_to_string(path).map_err(|e| anyhow::anyhow!(e))
-        }).await??;
+        let builtins = self
+            .host_executor
+            .spawn_in_host_ns(async move {
+                // Get kernel version
+                let output = Command::new("uname").arg("-r").output()?;
+
+                if !output.status.success() {
+                    let error_message = String::from_utf8_lossy(&output.stderr);
+                    bail!("{}", error_message);
+                }
+                let kernel_version = String::from_utf8_lossy(&output.stdout).trim().to_string();
+                let path = PathBuf::from(format!("/lib/modules/{kernel_version}/modules.builtin"));
+                fs::read_to_string(path).map_err(|e| anyhow::anyhow!(e))
+            })
+            .await??;
 
         for builtin in builtins.lines() {
             let found = modules_to_find
@@ -142,16 +144,15 @@ impl KernelChecks {
     async fn find_loaded(&self, required_modules: &Vec<String>) -> Result<Vec<String>> {
         let mut modules_to_find: Vec<String> = required_modules.clone();
 
-        let modules = self.host_executor.spawn_in_host_ns(async move {
-            procfs::KernelModules::current()
-        }).await?;
+        let modules = self
+            .host_executor
+            .spawn_in_host_ns(async move { procfs::KernelModules::current() })
+            .await?;
 
         let modules = modules.unwrap();
 
         for (name, _) in modules.0.iter() {
-            let found = modules_to_find
-                .iter()
-                .position(|required| required == name);
+            let found = modules_to_find.iter().position(|required| required == name);
 
             if let Some(index) = found {
                 debug!("module {}", modules_to_find[index]);

src/recorders/system.rs

@@ -1,8 +1,12 @@
+use anyhow::{Result, bail};
 use async_trait::async_trait;
-use futures::FutureExt;
-use futures::future::join_all;
-use std::path::{Path, PathBuf};
-use std::process::Command;
+use flate2::read::GzDecoder;
+use futures::{FutureExt, future::join_all};
+use std::{
+    io::Read,
+    path::{Path, PathBuf},
+    process::Command,
+};
 
 use crate::helpers::{
     CheckGroup, CheckGroupResult, CheckResult,
@@ -31,6 +35,7 @@ impl SystemRecorder {
             self.record_cpuinfo().boxed(),
             self.record_cmdline().boxed(),
             self.record_grub_cfg().boxed(),
+            self.record_kernel_cfg().boxed(),
         ])
         .await;
 
@@ -92,15 +97,34 @@ impl SystemRecorder {
                     return None;
                 }
                 let name = format!("Record {}", local_file.display());
-                let output = tokio::fs::read_to_string(&local_file).await;
-                if let Err(e) = output {
-                    return Some(CheckResult::new(
+
+                let bytes = match tokio::fs::read(&local_file).await {
+                    Ok(b) => b,
+                    Err(e) => {
+                        return Some(CheckResult::new(
+                            &name,
+                            Errored(format!("failed to read {}: {e}", local_file.display())),
+                        ));
+                    }
+                };
+
+                let content = if bytes.starts_with(&[0x1f, 0x8b]) {
+                    // Gzip magic bytes detected
+                    let mut decoder = GzDecoder::new(&bytes[..]);
+                    let mut s = String::new();
+                    decoder.read_to_string(&mut s).map(|_| s)
+                } else {
+                    String::from_utf8(bytes)
+                        .map_err(|e| std::io::Error::new(std::io::ErrorKind::InvalidData, e))
+                };
+
+                match content {
+                    Ok(c) => Some(CheckResult::new_with_output(&name, Passed, Some(c))),
+                    Err(e) => Some(CheckResult::new(
                         &name,
-                        Errored(format!("failed to read {}: {e}", local_file.display())),
-                    ));
+                        Errored(format!("failed to decode {}: {e}", local_file.display())),
+                    )),
                 }
-                let output = output.unwrap();
-                Some(CheckResult::new_with_output(&name, Passed, Some(output)))
             })
             .await
             .unwrap_or_else(|_| panic!("could not record {}", file.display()))
@@ -141,6 +165,42 @@ impl SystemRecorder {
             Errored(format!("failed to find any {:?}", files)),
         )
     }
+
+    async fn record_kernel_cfg(&self) -> CheckResult {
+        let name = "Record kernel config";
+        // Get kernel version
+        //
+        let Ok(kver) = self.current_kernel_version().await else {
+            return CheckResult::new(name, Errored("failed to find kernel version".to_string()));
+        };
+
+        let files = ["/proc/config.gz", &format!("boot/config-{kver}")];
+
+        for file in files {
+            if let Some(result) = self.record_file(&PathBuf::from(file)).await {
+                return result;
+            }
+        }
+        CheckResult::new(name, Errored(format!("failed to find any {:?}", files)))
+    }
+
+    async fn current_kernel_version(&self) -> Result<String> {
+        self.host_executor
+            .spawn_in_host_ns(async {
+                let output = Command::new("uname")
+                    .arg("-r")
+                    .output()
+                    .expect("Failed to execute command");
+
+                if !output.status.success() {
+                    let error_message = String::from_utf8_lossy(&output.stderr);
+                    bail!("{}", error_message);
+                }
+
+                Ok(String::from_utf8_lossy(&output.stdout).trim().to_string())
+            })
+            .await?
+    }
 }
 
 #[async_trait]