Skip to content

feat: add system service allowlist policy#552

Draft
matt-dz wants to merge 1 commit into
mainfrom
matthew.deguzman/systemd-allowlist
Draft

feat: add system service allowlist policy#552
matt-dz wants to merge 1 commit into
mainfrom
matthew.deguzman/systemd-allowlist

Conversation

@matt-dz

@matt-dz matt-dz commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Add a default-deny system service allowlist with read, reload, and restart actions.
  • Add the interp.AllowedSystemServices API and --allowed-services CLI flag.
  • Expose atomic service authorization through builtins.CallContext.
  • Enforce RemediationOnly centrally before builtin argument parsing.
  • Update documentation and add policy, CLI, and remediation regression tests.

Motivation

Future systemctl and journalctl builtins need granular authorization so operators can restrict which services rshell may inspect or control. Command authorization alone is too broad because enabling either command could otherwise expose every system service.

Behavior

Service grants use exact, case-sensitive matching:

mysql.service:restart+reload+read,nginx.service:read
  • mysql does not match mysql.service.
  • Service names are not normalized or resolved as aliases.
  • Empty names, whitespace, path-like names, and glob patterns are rejected.
  • Missing configuration denies all services.
  • --allow-all-commands does not bypass the service policy.
  • Service authorization requires remediation mode.
  • Multi-service requests are authorized as a complete set before execution, preventing partial operations.

Library configuration:

interp.AllowedSystemServices([]interp.SystemServiceControlGrant{
    {
        Service: "mysql.service",
        Actions: []interp.SystemServiceAction{
            interp.SystemServiceRestart,
            interp.SystemServiceReload,
            interp.SystemServiceRead,
        },
    },
})

Future builtins can enforce the policy with:

callCtx.AuthorizeSystemServices(action, services...)

This PR adds the authorization foundation only. systemctl and journalctl are not implemented yet.

Remediation Enforcement

builtins.Command.RemediationOnly is now enforced centrally by command registration before flags or help are parsed. Remediation mode is also propagated through nested builtin execution paths such as find -exec and xargs.

Testing

  • make fmt
  • go test -p 1 ./...
  • RSHELL_BASH_TEST=1 go test ./tests/ -run TestShellScenariosAgainstBash -timeout 120s
  • git diff --check
  • gofmt -l .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant