diff --git a/apparmor.d/abstractions/systemd-common b/apparmor.d/abstractions/systemd-common index db222633..7c7ff862 100644 --- a/apparmor.d/abstractions/systemd-common +++ b/apparmor.d/abstractions/systemd-common @@ -3,10 +3,11 @@ # Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - ptrace (read), + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, + @{PROC}/1/cgroup r, @{PROC}/1/environ r, @{PROC}/1/sched r, @@ -17,7 +18,4 @@ /dev/kmsg w, - @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, - include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index a3d22d09..12445c2d 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete @@ -2,7 +2,7 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + owner @{run}/user/@{uid}/wayland-@{int}.lock rk, + owner /dev/shm/sway* rw, owner /dev/shm/dunst-@{rand6} rw, - - owner @{run}/user/@{uid}/wayland-@{int}.lock rk, diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd index f6ee2118..3adaf85d 100644 --- a/apparmor.d/groups/avahi/avahi-autoipd +++ b/apparmor.d/groups/avahi/avahi-autoipd @@ -20,6 +20,7 @@ profile avahi-autoipd @{exec_path} { signal receive set=(kill,term), @{exec_path} mr, + /etc/avahi/avahi-autoipd.action rix, include if exists diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 6a533b38..99b79aa6 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig 
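Review bot: `/etc/avahi/avahi-autoipd.action rix,` runs the action script inside this profile (`ix` inherits, it does not transition), so the interpreter named by the script's shebang and every command the script invokes presumably also need rules in avahi-autoipd; the hunk adds none, so confirm that the shell and the tools the script calls are already covered outside the hunk, or consider a dedicated child profile for the script instead of inheriting. The same question applies to the syncoid hunk's `@{bin}/{,ba,da}sh rix,`: an inherited shell can spawn anything under the syncoid profile, and since that profile carries `flags=(complain)` any missing rule is only logged, not enforced, so the log output after this change is the place to look for what the shell actually runs. The enclosing profile blocks start and end outside both hunks.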
@@ -57,7 +57,7 @@ profile grub-mkconfig @{exec_path} {
 @{bin}/umount rPx,
 @{bin}/uname rix,
 @{bin}/which{.debianutils,} rix,
- /etc/grub.d/{**,} rix,
+ /etc/grub.d/{**,} rix,
 /boot/{**,} r,
 /boot/grub/{**,} rw,
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index 6e160f1f..bc5de563 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -18,13 +18,13 @@ profile grub-probe @{exec_path} {
 @{exec_path} mr,
 /{usr/,}{local/,}{s,}bin/zpool rPx,
- @{bin}/lvm rPx,
 @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/lvm rPx,
 @{bin}/udevadm rPx,
- / r,
 /usr/share/grub/* r,
+ / r,
 /boot/ r,
 /boot/grub/themes/{,**} r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 5abc3e61..6740f9ec 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -56,6 +56,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
 unix (bind,listen) type=stream addr=@xtables,
 @{exec_path} mr,
+ @{bin}/kmod rPx,
 @{bin}/mount rPx,
 @{bin}/systemd-run rix,
diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid
index b3dd29a8..f9829c87 100644
--- a/apparmor.d/profiles-s-z/syncoid
+++ b/apparmor.d/profiles-s-z/syncoid
@@ -12,7 +12,8 @@ profile syncoid @{exec_path} flags=(complain) {
 include
 include
- @{exec_path} mr,
+ @{exec_path} mr,
+ @{bin}/{,ba,da}sh rix,
 @{bin}/grep rix,
 @{bin}/mbuffer rix,
diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go
index fb0ea96e..2e94c62b 100644
--- a/cmd/aa-log/main.go
+++ b/cmd/aa-log/main.go
@@ -40,7 +40,7 @@ var (
 systemd bool
 )
-func aaLog(logger string, path string, profile string, rules bool) error {
+func aaLog(logger string, path string, profile string) error {
 var err error
 var file io.Reader
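Review bot: Dropping the `rules bool` parameter in `func aaLog(logger string, path string, profile string) error` presumably moves the function onto the package-level `rules` flag (declared in the `var (` block this hunk sits in, by the look of the surrounding `systemd bool` field), which turns an explicit input into hidden global state. The main_test.go hunk confirms the dependency by assigning `rules = tt.rules` before each call, so the subtests now share and mutate a package variable and can no longer be run in parallel or reordered safely. Keeping the parameter and letting main pass the flag, `err := aaLog(logger, path, profile, rules)`, keeps the function a pure function of its arguments and the test free of global mutation. aaLog's body continues outside the hunk.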
@@ -97,8 +97,8 @@ func main() {
 logger = "systemd"
 }
- logfile := logs.GetLogFile(path)
- err := aaLog(logger, logfile, profile, rules)
+ path = logs.SelectLogFile(path)
+ err := aaLog(logger, path, profile)
 if err != nil {
 fmt.Println(err)
 os.Exit(1)
diff --git a/cmd/aa-log/main_test.go b/cmd/aa-log/main_test.go
index bbebaf8b..eb005632 100644
--- a/cmd/aa-log/main_test.go
+++ b/cmd/aa-log/main_test.go
@@ -30,7 +30,7 @@ func Test_app(t *testing.T) {
 logger: "auditd",
 path: "../../tests/audit.log",
 profile: "",
- rules: rules,
+ rules: true,
 wantErr: false,
 },
 {
@@ -60,7 +60,8 @@ func Test_app(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- if err := aaLog(tt.logger, tt.path, tt.profile, tt.rules); (err != nil) != tt.wantErr {
+ rules = tt.rules
+ if err := aaLog(tt.logger, tt.path, tt.profile); (err != nil) != tt.wantErr {
 t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr)
 }
 })
diff --git a/dists/build.sh b/dists/build.sh
index cfa989fd..4d4e29fc 100644
--- a/dists/build.sh
+++ b/dists/build.sh
@@ -3,7 +3,7 @@
 # Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Usage: make
+# Usage: make package dist=
 set -eu
diff --git a/docs/development/structure.md b/docs/development/structure.md
index ee7cd098..a7658fbd 100644
--- a/docs/development/structure.md
+++ b/docs/development/structure.md
@@ -30,7 +30,7 @@ prevent access to these sensitive files. Problems:
 what is required. Here we allow everything and blacklist some paths. It creates even more issues when we want to use this profile in other profiles.
-Let's take the example of `diff`. Using this rule: `/{,usr/}bin/diff rPx,` will
+Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` will
 restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile:
@@ -169,12 +169,12 @@ dynamically by the kernel. Therefore, the full range must be allowed:
 [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/15e33a1fe6654f67a187cd5157c9968061b9511e/apparmor.d/groups/virt/libvirtd#L179-L184)
 ``` aa linenums="179"
- @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:[0-9]* r,
- @{run}/udev/data/c25[0-4]:[0-9]* r,
- @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:[0-9]* r,
- @{run}/udev/data/c5[0-9]*:[0-9]* r,
+ @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
+ @{run}/udev/data/c24[0-9]:@{int} r,
+ @{run}/udev/data/c25[0-4]:@{int} r,
+ @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
+ @{run}/udev/data/c4[0-9]*:@{int} r,
+ @{run}/udev/data/c5[0-9]*:@{int} r,
 ```
 [kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go
index ed6b8106..d906cbfa 100644
--- a/pkg/aa/profile.go
+++ b/pkg/aa/profile.go
@@ -17,7 +17,7 @@ type AppArmorProfiles map[string]*AppArmorProfile
 // ApparmorProfile represents a full apparmor profile.
 // Warning: close to the BNF grammar of apparmor profile but not exactly the same (yet):
 // - Some rules are not supported yet (subprofile, hat...)
-// - The structure is simplified as it only aims at writting profile, not parsing it.
+// - The structure is simplified as it only aims at writing profile, not parsing it.
 type AppArmorProfile struct {
 Preamble
 Profile
diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go
index 09ae9828..04eba01c 100644
--- a/pkg/logs/loggers.go
+++ b/pkg/logs/loggers.go
@@ -69,7 +69,8 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
 return strings.NewReader(res), nil
 }
-func GetLogFile(path string) string {
+// SelectLogFile return the path of the available log file to parse (audit, syslog, .1, .2)
+func SelectLogFile(path string) string {
 info, err := os.Stat(filepath.Clean(path))
 if err == nil && !info.IsDir() {
 return path
diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go
index 85a308d4..9e00b0cf 100644
--- a/pkg/logs/loggers_test.go
+++ b/pkg/logs/loggers_test.go
@@ -53,7 +53,7 @@ func TestGetJournalctlLogs(t *testing.T) {
 }
 }
-func TestGetLogFile(t *testing.T) {
+func TestSelectLogFile(t *testing.T) {
 tests := []struct {
 name string
 path string
@@ -77,7 +77,7 @@ func TestGetLogFile(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- if got := GetLogFile(tt.path); got != tt.want {
+ if got := SelectLogFile(tt.path); got != tt.want {
 t.Errorf("getLogFile() = %v, want %v", got, tt.want)
 }
 })
diff --git a/pkg/prebuild/build.go b/pkg/prebuild/build.go
index 0b43a615..53d50e3c 100644
--- a/pkg/prebuild/build.go
+++ b/pkg/prebuild/build.go
@@ -19,7 +19,7 @@ var Builds = []BuildFunc{
 var (
 regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
- regFlag = regexp.MustCompile(`flags=\(([^)]+)\)`)
+ regFlagComplain = regexp.MustCompile(`flags=\(([^)]+)\)`)
 regProfileHeader = regexp.MustCompile(` {`)
 )
@@ -28,7 +28,7 @@ type BuildFunc func(string) string
 // Set complain flag on all profiles
 func BuildComplain(profile string) string {
 flags := []string{}
- matches := regFlag.FindStringSubmatch(profile)
+ matches := regFlagComplain.FindStringSubmatch(profile)
 if len(matches) != 0 {
 flags = strings.Split(matches[1], ",")
 if slices.Contains(flags, "complain") {
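Review bot: The new doc comment `// SelectLogFile return the path of the available log file to parse (audit, syslog, .1, .2)` needs the third-person verb and a terminal period that Go doc convention expects, and it should state the one branch the hunk shows: `// SelectLogFile returns path unchanged when it exists and is not a directory; otherwise it falls back to the usual log locations (audit, syslog, .1, .2).` The fallback lookup itself is outside the hunk, so the candidate list in the comment should be checked against the rest of the body before merging. Note also that the stat is done on `filepath.Clean(path)` while the uncleaned `path` is returned, which is pre-existing but worth a one-line why-comment now that the function is being documented.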
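Review bot: The failure message on the line after the renamed call in TestSelectLogFile still names the old function: `t.Errorf("getLogFile() = %v, want %v", got, tt.want)` should become `t.Errorf("SelectLogFile() = %v, want %v", got, tt.want)` so a failing test points at a function that exists. The message already disagreed with the old exported name by case, so this rename is the moment to align it.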
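Review bot: The new name `regFlagComplain` does not describe the pattern: `flags=\(([^)]+)\)` captures whatever flag list a profile header carries, and the prepare.go hunk uses the same variable in `SetFlags` to strip every flag before the manifest flags are applied, which has nothing to do with complain mode. A name that describes the match, for example `regFlags = regexp.MustCompile(`+"`flags=\\(([^)]+)\\)`"+`)`, keeps both call sites readable; with the current name a reader of `SetFlags` will wonder why a complain-specific regex is applied there. The affected uses are the two BuildComplain hunks in this file and the SetFlags hunk in prepare.go.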
@@ -39,7 +39,7 @@ func BuildComplain(profile string) string {
 strFlags := " flags=(" + strings.Join(flags, ",") + ") {"
 // Remove all flags definition, then set manifest' flags
- profile = regFlag.ReplaceAllLiteralString(profile, "")
+ profile = regFlagComplain.ReplaceAllLiteralString(profile, "")
 return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
 }
diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
index 9803dd5e..6751663d 100644
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@@ -161,7 +161,7 @@ func SetFlags() error {
 }
 // Remove all flags definition, then set manifest' flags
- res := regFlag.ReplaceAllLiteralString(string(content), "")
+ res := regFlagComplain.ReplaceAllLiteralString(string(content), "")
 res = regProfileHeader.ReplaceAllLiteralString(res, flags)
 if err := file.WriteFile([]byte(res)); err != nil {
 return err