mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-24 19:05:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

fix(aa-log): too much cleaning in pci path.

Browse source 
see #505
This commit is contained in:
Alexandre Pujol 2024-10-02 20:48:36 +01:00
parent 7ba556b15c
commit 3f98e86e24
Failed to generate hash of commit
3 changed files with 22 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
pkg/logs/logs.go
View file

@ -82,7 +82,7 @@ var (
`/sys/`, `@{sys}/`, `/sys/`, `@{sys}/`,
`@{PROC}@{sys}/`, `@{PROC}/sys/`, `@{PROC}@{sys}/`, `@{PROC}/sys/`,
`pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`,
`@{pci_bus}/[0-9a-f:*./]*`, `@{pci}/`, `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`,
`1000`, `@{uid}`, `1000`, `@{uid}`,
// Some system glob // Some system glob

20
pkg/logs/logs_test.go
View file

@ -247,6 +247,26 @@ func TestNew(t *testing.T) {
path: filepath.Join(testdata, "audit.log"), path: filepath.Join(testdata, "audit.log"),
want: refPowerProfiles, want: refPowerProfiles,
}, },
{
name: "signal-desktop",
path: filepath.Join(testdata, "audit.log"),
want: AppArmorLogs{
{
"apparmor": "ALLOWED",
"profile": "signal-desktop",
"operation": "open",
"class": "file",
"name": "@{sys}/devices/@{pci}/boot_vga",
"comm": "signal-desktop",
"requested_mask": "r",
"denied_mask": "r",
"fsuid": "1000",
"ouid": "0",
"FSUID": "user",
"OUID": "root",
},
},
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {

1
tests/testdata/logs/audit.log vendored
View file

@ -53,4 +53,5 @@ profile="sddm-greeter" operation="setsockopt" class="net" comm="sddm-greeter" f
type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" profile="xorg" pid=16195 comm="Xorg.bin" capability=17 capname="sys_rawio" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" profile="xorg" pid=16195 comm="Xorg.bin" capability=17 capname="sys_rawio"
type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="getattr" class="file" profile="pacman//null-/usr/share/code-features/patch.py" name="/etc/ld.so.preload" pid=18817 comm="patch.py" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="getattr" class="file" profile="pacman//null-/usr/share/code-features/patch.py" name="/etc/ld.so.preload" pid=18817 comm="patch.py" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" info="optional: no audit" error=-1 profile="pacman" comm="killall" capability=19 capname="sys_ptrace" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" info="optional: no audit" error=-1 profile="pacman" comm="killall" capability=19 capname="sys_ptrace"
apparmor="ALLOWED" operation="open" class="file" profile="signal-desktop" name="/sys/devices/pci0000:00/0000:00:02.0/boot_vga" comm="signal-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="user" OUID="root"