feat(aa-log): only clean a few log keys, resolve more variables.
fix #382
This commit is contained in:
parent
018073638b
commit
3b82cc36ba
3 changed files with 41 additions and 20 deletions
@ -104,7 +104,8 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
var res strings.Builder
var res strings.Builder
for _, log := range logs {
for _, log := range logs {
res.WriteString(log.Message + "\n")
res.WriteString(log.Message)
res.WriteString("\n")
}
}
return strings.NewReader(res.String()), nil
return strings.NewReader(res.String()), nil
}
}
@ -31,13 +31,24 @@ const (
var (
|
var (
|
||||||
quoted bool
|
quoted bool
|
||||||
isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`)
|
isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`)
|
||||||
hex = `[0-9a-fA-F]`
|
_hex = `[0-9a-fA-F]`
|
||||||
|
_int = `[0-9]`
|
||||||
regCleanLogs = util.ToRegexRepl([]string{
|
regCleanLogs = util.ToRegexRepl([]string{
|
||||||
// Clean apparmor log file
|
// Clean apparmor log file
|
||||||
`.*apparmor="`, `apparmor="`,
|
`.*apparmor="`, `apparmor="`,
|
||||||
`(peer_|)pid=[0-9]*\s`, " ",
|
`(peer_|)pid=[0-9]*\s`, " ",
|
||||||
`\x1d`, " ",
|
`\x1d`, " ",
|
||||||
|
|
||||||
|
// Remove basic rules from abstractions/base
|
||||||
|
`(?m)^.*/etc/[^/]+so.*$`, ``,
|
||||||
|
`(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+so.*$`, ``,
|
||||||
|
`(?m)^.*/usr/(lib|lib32|lib64|libexec)/locale/.*$`, ``,
|
||||||
|
`(?m)^.*/usr/share/locale[^/]?/.*$`, ``,
|
||||||
|
`(?m)^.*/usr/share/zoneinfo[^/]?/.*$`, ``,
|
||||||
|
`(?m)^.*/dev/(null|zero|full|log).*$`, ``,
|
||||||
|
`(?m)^.*/dev/(u|)random.*$`, ``,
|
||||||
|
})
|
||||||
|
regResolveLogs = util.ToRegexRepl([]string{
|
||||||
// Resolve classic user variables
|
// Resolve classic user variables
|
||||||
`/home/[^/]+/.cache`, `@{user_cache_dirs}`,
|
`/home/[^/]+/.cache`, `@{user_cache_dirs}`,
|
||||||
`/home/[^/]+/.config`, `@{user_config_dirs}`,
|
`/home/[^/]+/.config`, `@{user_config_dirs}`,
|
@ -47,38 +58,42 @@ var (
|
||||||
`/home/[^/]+/.local/lib`, `@{user_lib_dirs}`,
|
`/home/[^/]+/.local/lib`, `@{user_lib_dirs}`,
|
||||||
`/home/[^/]+/.ssh`, `@{HOME}/@{XDG_SSH_DIR}`,
|
`/home/[^/]+/.ssh`, `@{HOME}/@{XDG_SSH_DIR}`,
|
||||||
`/home/[^/]+/.gnupg`, `@{HOME}/@{XDG_GPG_DIR}`,
|
`/home/[^/]+/.gnupg`, `@{HOME}/@{XDG_GPG_DIR}`,
|
||||||
`/home/[^/]+`, `@{HOME}`,
|
`/home/[^/]+/`, `@{HOME}/`,
|
||||||
|
|
||||||
// Resolve classic system variables
|
// Resolve classic system variables
|
||||||
`/usr/lib(|32|64|exec)`, `@{lib}`,
|
`/usr/(lib|lib32|lib64|libexec)`, `@{lib}`,
|
||||||
`/usr/(|s)bin`, `@{bin}`,
|
`/usr/(bin|sbin)`, `@{bin}`,
|
||||||
`x86_64-pc-linux-gnu[^/]?`, `@{multiarch}`,
|
`x86_64-pc-linux-gnu[^/]?`, `@{multiarch}`,
|
||||||
`/usr/etc/`, `@{etc_ro}/`,
|
`/usr/etc/`, `@{etc_ro}/`,
|
||||||
|
`/var/run/`, `@{run}/`,
|
||||||
`/run/`, `@{run}/`,
|
`/run/`, `@{run}/`,
|
||||||
`user/[0-9]*/`, `user/@{uid}/`,
|
`user/[0-9]*/`, `user/@{uid}/`,
|
||||||
|
`/tmp/user/@{uid}/`, `@{tmp}/`,
|
||||||
`/proc/`, `@{PROC}/`,
|
`/proc/`, `@{PROC}/`,
|
||||||
`@{PROC}/[0-9]*/`, `@{PROC}/@{pid}/`,
|
`@{PROC}/[0-9]*/`, `@{PROC}/@{pid}/`,
|
||||||
`@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`,
|
`@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`,
|
||||||
`/sys/`, `@{sys}/`,
|
`/sys/`, `@{sys}/`,
|
||||||
`@{PROC}@{sys}/`, `@{PROC}/sys/`,
|
`@{PROC}@{sys}/`, `@{PROC}/sys/`,
|
||||||
`pci` + strings.Repeat(hex, 4) + `:` + strings.Repeat(hex, 2), `@{pci_bus}`,
|
`pci` + strings.Repeat(_hex, 4) + `:` + strings.Repeat(_hex, 2), `@{pci_bus}`,
|
||||||
|
`1000`, `@{pid}`,
|
||||||
|
|
||||||
// Some system glob
|
// Some system glob
|
||||||
`:1.[0-9]*`, `:*`, // dbus peer name
|
`:1.[0-9]*`, `:*`, // dbus peer name
|
||||||
`@{bin}/(|ba|da)sh`, `@{sh_path}`, // collect all shell
|
`@{bin}/(|ba|da)sh`, `@{sh_path}`, // collect all shell
|
||||||
`@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses
|
`@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses
|
||||||
strings.Repeat(hex, 64), `@{hex64}`,
|
|
||||||
strings.Repeat(hex, 32), `@{hex32}`,
|
|
||||||
strings.Repeat(hex, 8) + `[-_]` + strings.Repeat(hex, 4) + `[-_]` + strings.Repeat(hex, 4) + `[-_]` + strings.Repeat(hex, 4) + `[-_]` + strings.Repeat(hex, 12), `@{uuid}`,
|
|
||||||
|
|
||||||
// Remove basic rules from abstractions/base
|
// int, hex, uuid
|
||||||
`(?m)^.*/etc/[^/]+so.*$`, ``,
|
strings.Repeat(_hex, 8) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 12), `@{uuid}`,
|
||||||
`(?m)^.*@{lib}/[^/]+so.*$`, ``,
|
strings.Repeat(_int, 64), `@{int64}`,
|
||||||
`(?m)^.*@{lib}/locale/.*$`, ``,
|
strings.Repeat(_hex, 64), `@{hex64}`,
|
||||||
`(?m)^.*/usr/share/locale[^/]?/.*$`, ``,
|
strings.Repeat(_hex, 38), `@{hex38}`,
|
||||||
`(?m)^.*/usr/share/zoneinfo[^/]?/.*$`, ``,
|
strings.Repeat(_int, 32), `@{int32}`,
|
||||||
`(?m)^.*/dev/(null|zero|full|log).*$`, ``,
|
strings.Repeat(_hex, 32), `@{hex32}`,
|
||||||
`(?m)^.*/dev/(u|)random.*$`, ``,
|
strings.Repeat(_int, 16), `@{int16}`,
|
||||||
|
strings.Repeat(_hex, 16), `@{hex16}`,
|
||||||
|
strings.Repeat(_int, 10), `@{int10}`,
|
||||||
|
strings.Repeat(_int, 8), `@{int8}`,
|
||||||
|
strings.Repeat(_int, 6), `@{int6}`,
|
||||||
})
|
})
|
||||||
)
|
)
|
@ -107,6 +122,7 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
|
||||||
|
|
||||||
// Parse log into ApparmorLog struct
|
// Parse log into ApparmorLog struct
|
||||||
aaLogs := make(AppArmorLogs, 0)
|
aaLogs := make(AppArmorLogs, 0)
|
||||||
|
toClean := []string{"profile", "name", "target"}
|
||||||
for _, log := range logs {
|
for _, log := range logs {
|
||||||
quoted = false
|
quoted = false
|
||||||
tmp := strings.FieldsFunc(log, splitQuoted)
|
tmp := strings.FieldsFunc(log, splitQuoted)
|
||||||
|
@ -115,7 +131,11 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
|
||||||
for _, item := range tmp {
|
for _, item := range tmp {
|
||||||
kv := strings.Split(item, "=")
|
kv := strings.Split(item, "=")
|
||||||
if len(kv) >= 2 {
|
if len(kv) >= 2 {
|
||||||
aa[kv[0]] = strings.Trim(kv[1], `"`)
|
key, value := kv[0], kv[1]
|
||||||
|
if slices.Contains(toClean, key) {
|
||||||
|
value = regResolveLogs.Replace(kv[1])
|
||||||
|
}
|
||||||
|
aa[key] = strings.Trim(value, `"`)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
aaLogs = append(aaLogs, aa)
|
aaLogs = append(aaLogs, aa)
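Review bot: The new `1000` → `@{pid}` entry in regResolveLogs is an unanchored literal, so it rewrites any "1000" inside a longer digit or hex run (`/tmp/job-21000` becomes `/tmp/job-2@{pid}`) and, if replacements run in listed order, it also splits those runs before the `@{int*}`/`@{hex*}` rules below it can match them. 1000 is also the conventional first user id, which the `user/[0-9]*/` → `user/@{uid}/` rule just above already treats as a uid, so an unslashed `/run/user/1000` would come out as `@{run}/user/@{pid}`; at minimum anchor it, `\b1000\b` → `@{pid}`, with a comment naming which log field is expected to carry a bare pid, or map it to `@{uid}` if that is what it is for. Separately, the `(?m)^.*/etc/[^/]+so.*$` rule moved into regCleanLogs also matches `/etc/resolv.conf` (re-so-lv), silently dropping those denials from the cleaned log; `(?m)^.*/etc/[^/]+\.so\b.*$` keeps it to `ld.so.*`. NewApparmorLogs starts and ends outside these hunks; its `kv := strings.Split(item, "=")` still truncates a value that itself contains `=`, which `strings.SplitN(item, "=", 2)` would avoid.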
@ -57,7 +57,7 @@ var (
|
||||||
"interface": "org.freedesktop.DBus",
|
"interface": "org.freedesktop.DBus",
|
||||||
"member": "AddMatch",
|
"member": "AddMatch",
|
||||||
"peer_label": "dbus-daemon",
|
"peer_label": "dbus-daemon",
|
||||||
"exe": "@{bin}/dbus-daemon",
|
"exe": "/usr/bin/dbus-daemon",
|
||||||
"sauid": "102",
|
"sauid": "102",
|
||||||
"hostname": "?",
|
"hostname": "?",
|
||||||
"addr": "?",
|
"addr": "?",
@ -145,7 +145,7 @@ func TestAppArmorEvents(t *testing.T) {
|
||||||
"interface": "org.freedesktop.PolicyKit1.Authority",
|
"interface": "org.freedesktop.PolicyKit1.Authority",
|
||||||
"member": "CheckAuthorization",
|
"member": "CheckAuthorization",
|
||||||
"peer_label": "polkitd",
|
"peer_label": "polkitd",
|
||||||
"exe": "@{bin}/dbus-daemon",
|
"exe": "/usr/bin/dbus-daemon",
|
||||||
"sauid": "102",
|
"sauid": "102",
|
||||||
"hostname": "?",
|
"hostname": "?",
|
||||||
"addr": "?",
|
"addr": "?",