Multiple changes.

 * Add a configuration option for specifying allowed commands.
 * Windows: move interpolation of fleetspeak service config from repacker to installer.

Author: mol123

grr/client/grr_response_client/client_utils_common.py

@@ -9,6 +9,7 @@
 import logging
 import os
 import platform
+import shlex
 import subprocess
 import threading
 import time
@@ -146,6 +147,11 @@ def IsExecutionAllowed(cmd, args):
   the list).
   A deployment-specific list is also checked (see local/binary_whitelist.py).
   """
+  allowed_commands = map(shlex.split, config.CONFIG["Client.allowed_commands"])
+  allowed_commands = list(allowed_commands)
+  if [cmd] + list(args) in allowed_commands:
+    return True
+
   if platform.system() == "Windows":
     allowlist = [
         ("arp.exe", ["-a"]),

grr/client/grr_response_client/client_utils_test.py

@@ -24,6 +24,50 @@
 from grr.test_lib import test_lib
 
 
+class IsExecutionAllowedTest(absltest.TestCase):
+
+  def setUp(self):
+    super().setUp()
+    self.is_execution_allowed = client_utils_common.IsExecutionAllowed
+
+  def testAllowsOnlyConfiguredCommands(self):
+    with test_lib.ConfigOverrider({
+        "Client.allowed_commands": ["/usr/bin/foo"],
+    }):
+      self.assertTrue(self.is_execution_allowed("/usr/bin/foo", []))
+      self.assertFalse(self.is_execution_allowed("/usr/bin/bar", []))
+
+  def testAllowsOnlyConfiguredCommandsWithArgs(self):
+    with test_lib.ConfigOverrider({
+        "Client.allowed_commands": [
+            "/bin/foo --bar --baz",
+            "/bin/foo --quux",
+        ],
+    }):
+      self.assertTrue(self.is_execution_allowed("/bin/foo", ["--bar", "--baz"]))
+      self.assertTrue(self.is_execution_allowed("/bin/foo", ["--quux"]))
+      self.assertFalse(self.is_execution_allowed("/bin/foo", ["--norf"]))
+
+  def testAllowsOnlyConfiguredCommandsWithSimpleQuotes(self):
+    with test_lib.ConfigOverrider({
+        "Client.allowed_commands": ["'foo bar' 'baz quux'"],
+    }):
+      self.assertTrue(self.is_execution_allowed("foo bar", ["baz quux"]))
+      self.assertFalse(self.is_execution_allowed("foo bar", ["baz", "quux"]))
+      self.assertFalse(self.is_execution_allowed("foo", ["bar", "baz quux"]))
+      self.assertFalse(self.is_execution_allowed("foo", ["bar", "baz", "quux"]))
+
+  def testAllowsOnlyConfiguredCommandsWithComplexQuotes(self):
+    with test_lib.ConfigOverrider({
+        "Client.allowed_commands": [
+            "'/foo bar/\"quux norf\"/thud' -x '1 3 3 7' -y \"42\"",
+        ],
+    }):
+      command = "/foo bar/\"quux norf\"/thud"
+      args = ["-x", "1 3 3 7", "-y", "42"]
+      self.assertTrue(self.is_execution_allowed(command, args))
+
+
 class ClientUtilsTest(test_lib.GRRBaseTest):
   """Test the client utils."""
 

grr/client/grr_response_client/windows/installers.py

@@ -336,11 +336,26 @@ def _InstallBundledFleetspeak():
       command_line=f"\"{fleetspeak_client}\" -config \"{fleetspeak_config}\"")
 
 
+def _MaybeInterpolateFleetspeakServiceConfig():
+  """Interpolates the fleetspeak service config if present."""
+  fleetspeak_unsigned_config_path = os.path.join(
+      config.CONFIG["Client.install_path"],
+      config.CONFIG["Client.fleetspeak_unsigned_config_fname"])
+  template_path = f"{fleetspeak_unsigned_config_path}.in"
+  if not os.path.exists(template_path):
+    return
+  with open(template_path, "r") as source:
+    with open(fleetspeak_unsigned_config_path, "w") as dest:
+      interpolated = config.CONFIG.InterpolateValue(source.read())
+      dest.write(interpolated.replace("\\", "\\\\"))
+
+
 def _Run():
   """Installs the windows client binary."""
   _CheckForWow64()
   _StopPreviousService()
   _CopyToSystemDir()
+  _MaybeInterpolateFleetspeakServiceConfig()
 
   if not config.CONFIG["Client.fleetspeak_enabled"]:
     _InstallNanny()

grr/client_builder/grr_response_client_builder/repackers/windows.py

@@ -8,7 +8,6 @@
 import io
 import logging
 import os
-import re
 import struct
 import zipfile
 
@@ -86,22 +85,13 @@ def _GenerateFleetspeakServiceConfig(self, zip_file):
     final_fs_config_fname = config.CONFIG.Get(
         "Client.fleetspeak_unsigned_config_fname", context=self.context)
     if orig_fs_config_path.endswith(".in"):
-      logging.info("Interpolating %s", orig_fs_config_path)
-      logging.warning("Backslashes will be naively re-escaped after "
-                      "interpolation. If this is not desired, use a Fleetspeak "
-                      "config file without the '.in' extension.")
-      with utils.TempDirectory() as temp_dir:
-        temp_fs_config_path = os.path.join(temp_dir, final_fs_config_fname)
-        with io.open(orig_fs_config_path, "r") as source:
-          with io.open(temp_fs_config_path, "w") as dest:
-            interpolated = config.CONFIG.InterpolateValue(
-                source.read(), context=self.context)
-            dest.write(re.sub(r"\\", r"\\\\", interpolated))
-        self._ValidateFleetspeakServiceConfig(temp_fs_config_path)
-        zip_file.write(temp_fs_config_path, final_fs_config_fname)
+      # The interpolation has to be performed on the client, since it depends
+      # on values of environment variable.
+      final_fs_config_fname = f"{final_fs_config_fname}.in"
     else:
       self._ValidateFleetspeakServiceConfig(orig_fs_config_path)
-      zip_file.write(orig_fs_config_path, final_fs_config_fname)
+
+    zip_file.write(orig_fs_config_path, final_fs_config_fname)
 
   def _AddFleetspeakConfig(self, zip_file):
     zip_file.write(

grr/core/grr_response_core/config/client.py

@@ -249,6 +249,12 @@
     "File-name for the Fleetspeak service config generated "
     "when repacking templates.")
 
+config_lib.DEFINE_list(
+    "Client.allowed_commands",
+    default=[],
+    help="Commands that the client is allowed to execute. Each command must be "
+    "specified in the format that is supported by the Python's `shlex` module.")
+
 # osquery options.
 
 config_lib.DEFINE_string(