mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-29 13:05:46 +00:00
e815ae0ec4
Some checks are pending
checklocks / checklocks (push) Waiting to run
CodeQL / Analyze (go) (push) Waiting to run
Dockerfile build / deploy (push) Waiting to run
CI / licenses (push) Waiting to run
CI / check_mergeability (push) Blocked by required conditions
CI / staticcheck (386, windows) (push) Waiting to run
CI / staticcheck (amd64, darwin) (push) Waiting to run
CI / staticcheck (amd64, linux) (push) Waiting to run
CI / staticcheck (amd64, windows) (push) Waiting to run
CI / cross (386, linux) (push) Waiting to run
CI / notify_slack (push) Blocked by required conditions
CI / cross (arm, 5, linux) (push) Waiting to run
CI / race-root-integration (1/4) (push) Waiting to run
CI / race-root-integration (2/4) (push) Waiting to run
CI / race-root-integration (3/4) (push) Waiting to run
CI / race-root-integration (4/4) (push) Waiting to run
CI / test (-coverprofile=/tmp/coverage.out, amd64) (push) Waiting to run
CI / cross (arm, 7, linux) (push) Waiting to run
CI / test (-race, amd64, 1/3) (push) Waiting to run
CI / test (-race, amd64, 2/3) (push) Waiting to run
CI / test (-race, amd64, 3/3) (push) Waiting to run
CI / test (386) (push) Waiting to run
CI / windows (push) Waiting to run
CI / privileged (push) Waiting to run
CI / ios (push) Waiting to run
CI / vm (push) Waiting to run
CI / race-build (push) Waiting to run
CI / fuzz (push) Waiting to run
CI / depaware (push) Waiting to run
CI / go_generate (push) Waiting to run
CI / cross (amd64, darwin) (push) Waiting to run
CI / cross (amd64, freebsd) (push) Waiting to run
CI / cross (amd64, openbsd) (push) Waiting to run
CI / cross (amd64, windows) (push) Waiting to run
CI / cross (arm64, darwin) (push) Waiting to run
CI / cross (arm64, linux) (push) Waiting to run
CI / cross (arm64, windows) (push) Waiting to run
CI / cross (loong64, linux) (push) Waiting to run
CI / crossmin (amd64, plan9) (push) Waiting to run
CI / crossmin (ppc64, aix) (push) Waiting to run
CI / android (push) Waiting to run
CI / wasm (push) Waiting to run
CI / tailscale_go (push) Waiting to run
CI / go_mod_tidy (push) Waiting to run
In this PR, we update the syspolicy package to utilize syspolicy/rsop under the hood, and remove syspolicy.CachingHandler, syspolicy.windowsHandler and related code which is no longer used. We mark the syspolicy.Handler interface and RegisterHandler/SetHandlerForTest functions as deprecated, but keep them temporarily until they are no longer used in other repos. We also update the package to register setting definitions for all existing policy settings and to register the Registry-based, Windows-specific policy stores when running on Windows. Finally, we update existing internal and external tests to use the new API and add a few more tests and benchmarks. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>
93 lines
3.3 KiB
Go
93 lines
3.3 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
package syspolicy
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"os/user"
|
|
|
|
"tailscale.com/util/syspolicy/internal"
|
|
"tailscale.com/util/syspolicy/rsop"
|
|
"tailscale.com/util/syspolicy/setting"
|
|
"tailscale.com/util/syspolicy/source"
|
|
"tailscale.com/util/testenv"
|
|
)
|
|
|
|
func init() {
|
|
// On Windows, we should automatically register the Registry-based policy
|
|
// store for the device. If we are running in a user's security context
|
|
// (e.g., we're the GUI), we should also register the Registry policy store for
|
|
// the user. In the future, we should register (and unregister) user policy
|
|
// stores whenever a user connects to (or disconnects from) the local backend.
|
|
// This ensures the backend is aware of the user's policy settings and can send
|
|
// them to the GUI/CLI/Web clients on demand or whenever they change.
|
|
//
|
|
// Other platforms, such as macOS, iOS and Android, should register their
|
|
// platform-specific policy stores via [RegisterStore]
|
|
// (or [RegisterHandler] until they implement the [source.Store] interface).
|
|
//
|
|
// External code, such as the ipnlocal package, may choose to register
|
|
// additional policy stores, such as config files and policies received from
|
|
// the control plane.
|
|
internal.Init.MustDefer(func() error {
|
|
// Do not register or use default policy stores during tests.
|
|
// Each test should set up its own necessary configurations.
|
|
if testenv.InTest() {
|
|
return nil
|
|
}
|
|
return configureSyspolicy(nil)
|
|
})
|
|
}
|
|
|
|
// configureSyspolicy configures syspolicy for use on Windows,
|
|
// either in test or regular builds depending on whether tb has a non-nil value.
|
|
func configureSyspolicy(tb internal.TB) error {
|
|
const localSystemSID = "S-1-5-18"
|
|
// Always create and register a machine policy store that reads
|
|
// policy settings from the HKEY_LOCAL_MACHINE registry hive.
|
|
machineStore, err := source.NewMachinePlatformPolicyStore()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create the machine policy store: %v", err)
|
|
}
|
|
if tb == nil {
|
|
_, err = rsop.RegisterStore("Platform", setting.DeviceScope, machineStore)
|
|
} else {
|
|
_, err = rsop.RegisterStoreForTest(tb, "Platform", setting.DeviceScope, machineStore)
|
|
}
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// Check whether the current process is running as Local System or not.
|
|
u, err := user.Current()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if u.Uid == localSystemSID {
|
|
return nil
|
|
}
|
|
// If it's not a Local System's process (e.g., it's the GUI rather than the tailscaled service),
|
|
// we should create and use a policy store for the current user that reads
|
|
// policy settings from that user's registry hive (HKEY_CURRENT_USER).
|
|
userStore, err := source.NewUserPlatformPolicyStore(0)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create the current user's policy store: %v", err)
|
|
}
|
|
if tb == nil {
|
|
_, err = rsop.RegisterStore("Platform", setting.CurrentUserScope, userStore)
|
|
} else {
|
|
_, err = rsop.RegisterStoreForTest(tb, "Platform", setting.CurrentUserScope, userStore)
|
|
}
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// And also set [setting.CurrentUserScope] as the [setting.DefaultScope], so [GetString],
|
|
// [GetVisibility] and similar functions would be returning a merged result
|
|
// of the machine's and user's policies.
|
|
if !setting.SetDefaultScope(setting.CurrentUserScope) {
|
|
return errors.New("current scope already set")
|
|
}
|
|
return nil
|
|
}
|