chore: various cosmetic changes.

This commit is contained in:
Alexandre Pujol 2023-09-01 19:26:52 +01:00
parent 256d4abde8
commit aea0034fcc
16 changed files with 35 additions and 32 deletions


@ -3,10 +3,11 @@
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
ptrace (read), ptrace (read),
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/1/sched r, @{PROC}/1/sched r,
@ -17,7 +18,4 @@
/dev/kmsg w, /dev/kmsg w,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
include if exists <abstractions/systemd-common.d> include if exists <abstractions/systemd-common.d>


@ -2,7 +2,7 @@
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
owner @{run}/user/@{uid}/wayland-@{int}.lock rk,
owner /dev/shm/sway* rw, owner /dev/shm/sway* rw,
owner /dev/shm/dunst-@{rand6} rw, owner /dev/shm/dunst-@{rand6} rw,
owner @{run}/user/@{uid}/wayland-@{int}.lock rk,


@ -20,6 +20,7 @@ profile avahi-autoipd @{exec_path} {
signal receive set=(kill,term), signal receive set=(kill,term),
@{exec_path} mr, @{exec_path} mr,
/etc/avahi/avahi-autoipd.action rix, /etc/avahi/avahi-autoipd.action rix,
include if exists <local/avahi-autoipd> include if exists <local/avahi-autoipd>


@ -18,13 +18,13 @@ profile grub-probe @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{local/,}{s,}bin/zpool rPx, /{usr/,}{local/,}{s,}bin/zpool rPx,
@{bin}/lvm rPx,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/lvm rPx,
@{bin}/udevadm rPx, @{bin}/udevadm rPx,
/ r,
/usr/share/grub/* r, /usr/share/grub/* r,
/ r,
/boot/ r, /boot/ r,
/boot/grub/themes/{,**} r, /boot/grub/themes/{,**} r,


@ -56,6 +56,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
unix (bind,listen) type=stream addr=@xtables, unix (bind,listen) type=stream addr=@xtables,
@{exec_path} mr, @{exec_path} mr,
@{bin}/kmod rPx, @{bin}/kmod rPx,
@{bin}/mount rPx, @{bin}/mount rPx,
@{bin}/systemd-run rix, @{bin}/systemd-run rix,


@ -13,6 +13,7 @@ profile syncoid @{exec_path} flags=(complain) {
include <abstractions/perl> include <abstractions/perl>
@{exec_path} mr, @{exec_path} mr,
@{bin}/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
@{bin}/grep rix, @{bin}/grep rix,
@{bin}/mbuffer rix, @{bin}/mbuffer rix,


@ -40,7 +40,7 @@ var (
systemd bool systemd bool
) )
func aaLog(logger string, path string, profile string, rules bool) error { func aaLog(logger string, path string, profile string) error {
var err error var err error
var file io.Reader var file io.Reader
@ -97,8 +97,8 @@ func main() {
logger = "systemd" logger = "systemd"
} }
logfile := logs.GetLogFile(path) path = logs.SelectLogFile(path)
err := aaLog(logger, logfile, profile, rules) err := aaLog(logger, path, profile)
if err != nil { if err != nil {
fmt.Println(err) fmt.Println(err)
os.Exit(1) os.Exit(1)
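Review bot: aaLog now reads its rules setting from package-level state instead of the parameter dropped on line 84 — inferred from the `rules = tt.rules` assignment the main_test.go hunk adds before each call — so the function's behaviour depends on a mutable global that is invisible in its signature, and the subtests can no longer run in parallel without a data race on that variable. Consider keeping the explicit argument, `err := aaLog(logger, path, profile, rules)`, or at least documenting on aaLog that it reads the package-level `rules` flag. The reassignment `path = logs.SelectLogFile(path)` on line 90 also overwrites the flag value with the resolved file, which is fine but deserves a short why-comment. The bodies of aaLog and main continue outside this hunk.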


@ -30,7 +30,7 @@ func Test_app(t *testing.T) {
logger: "auditd", logger: "auditd",
path: "../../tests/audit.log", path: "../../tests/audit.log",
profile: "", profile: "",
rules: rules, rules: true,
wantErr: false, wantErr: false,
}, },
{ {
@ -60,7 +60,8 @@ func Test_app(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
if err := aaLog(tt.logger, tt.path, tt.profile, tt.rules); (err != nil) != tt.wantErr { rules = tt.rules
if err := aaLog(tt.logger, tt.path, tt.profile); (err != nil) != tt.wantErr {
t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr)
} }
}) })


@ -3,7 +3,7 @@
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Usage: make <distribution> # Usage: make package dist=<distribution>
set -eu set -eu


@ -30,7 +30,7 @@ prevent access to these sensitive files. Problems:
what is required. Here we allow everything and blacklist some paths. what is required. Here we allow everything and blacklist some paths.
It creates even more issues when we want to use this profile in other profiles. It creates even more issues when we want to use this profile in other profiles.
Let's take the example of `diff`. Using this rule: `/{,usr/}bin/diff rPx,` will Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` will
restrict access to the very generic and not very confined `diff` profile. restrict access to the very generic and not very confined `diff` profile.
Whereas most of the time, we want to restrict `diff` to some specific file in Whereas most of the time, we want to restrict `diff` to some specific file in
our profile: our profile:
@ -169,12 +169,12 @@ dynamically by the kernel. Therefore, the full range must be allowed:
[apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/15e33a1fe6654f67a187cd5157c9968061b9511e/apparmor.d/groups/virt/libvirtd#L179-L184) [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/15e33a1fe6654f67a187cd5157c9968061b9511e/apparmor.d/groups/virt/libvirtd#L179-L184)
``` aa linenums="179" ``` aa linenums="179"
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:[0-9]* r, @{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:[0-9]* r, @{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:[0-9]* r, @{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:[0-9]* r, @{run}/udev/data/c5[0-9]*:@{int} r,
``` ```
[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt [kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt


@ -17,7 +17,7 @@ type AppArmorProfiles map[string]*AppArmorProfile
// ApparmorProfile represents a full apparmor profile. // ApparmorProfile represents a full apparmor profile.
// Warning: close to the BNF grammar of apparmor profile but not exactly the same (yet): // Warning: close to the BNF grammar of apparmor profile but not exactly the same (yet):
// - Some rules are not supported yet (subprofile, hat...) // - Some rules are not supported yet (subprofile, hat...)
// - The structure is simplified as it only aims at writting profile, not parsing it. // - The structure is simplified as it only aims at writing profile, not parsing it.
type AppArmorProfile struct { type AppArmorProfile struct {
Preamble Preamble
Profile Profile


@ -69,7 +69,8 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
return strings.NewReader(res), nil return strings.NewReader(res), nil
} }
func GetLogFile(path string) string { // SelectLogFile return the path of the available log file to parse (audit, syslog, .1, .2)
func SelectLogFile(path string) string {
info, err := os.Stat(filepath.Clean(path)) info, err := os.Stat(filepath.Clean(path))
if err == nil && !info.IsDir() { if err == nil && !info.IsDir() {
return path return path
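Review bot: The new doc comment on line 161 is not a full sentence and does not agree in number with its subject; Go doc comments should read `// SelectLogFile returns the path of the available log file to parse (audit, syslog, .1, .2).` Separately, line 163 stats `filepath.Clean(path)` but line 165 returns the uncleaned `path`; if callers are meant to receive a normalised path, return the cleaned value, otherwise a one-line comment stating that the caller's string is returned unchanged on purpose would prevent the next reader from "fixing" it. SelectLogFile's body continues past the end of this hunk.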


@ -53,7 +53,7 @@ func TestGetJournalctlLogs(t *testing.T) {
} }
} }
func TestGetLogFile(t *testing.T) { func TestSelectLogFile(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
path string path string
@ -77,7 +77,7 @@ func TestGetLogFile(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
if got := GetLogFile(tt.path); got != tt.want { if got := SelectLogFile(tt.path); got != tt.want {
t.Errorf("getLogFile() = %v, want %v", got, tt.want) t.Errorf("getLogFile() = %v, want %v", got, tt.want)
} }
}) })
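Review bot: The failure message on line 181 still names the old function, `t.Errorf("getLogFile() = %v, want %v", got, tt.want)`, even though the call on line 180 was renamed to SelectLogFile, so a failing test would point at a function that no longer exists. Change it to `t.Errorf("SelectLogFile() = %v, want %v", got, tt.want)`. The test table begins in the previous hunk and the range loop closes outside this one.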


@ -19,7 +19,7 @@ var Builds = []BuildFunc{
var ( var (
regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`) regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
regFlag = regexp.MustCompile(`flags=\(([^)]+)\)`) regFlagComplain = regexp.MustCompile(`flags=\(([^)]+)\)`)
regProfileHeader = regexp.MustCompile(` {`) regProfileHeader = regexp.MustCompile(` {`)
) )
@ -28,7 +28,7 @@ type BuildFunc func(string) string
// Set complain flag on all profiles // Set complain flag on all profiles
func BuildComplain(profile string) string { func BuildComplain(profile string) string {
flags := []string{} flags := []string{}
matches := regFlag.FindStringSubmatch(profile) matches := regFlagComplain.FindStringSubmatch(profile)
if len(matches) != 0 { if len(matches) != 0 {
flags = strings.Split(matches[1], ",") flags = strings.Split(matches[1], ",")
if slices.Contains(flags, "complain") { if slices.Contains(flags, "complain") {
@ -39,7 +39,7 @@ func BuildComplain(profile string) string {
strFlags := " flags=(" + strings.Join(flags, ",") + ") {" strFlags := " flags=(" + strings.Join(flags, ",") + ") {"
// Remove all flags definition, then set manifest' flags // Remove all flags definition, then set manifest' flags
profile = regFlag.ReplaceAllLiteralString(profile, "") profile = regFlagComplain.ReplaceAllLiteralString(profile, "")
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags) return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
} }
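Review bot: The rename to regFlagComplain on line 190 misdescribes the pattern: `flags=\(([^)]+)\)` matches any flags=(...) clause whatever its content, and the same variable is also used by SetFlags in the next file section (line 213), where complain mode is not involved at all. A neutral name such as `regFlags` keeps both call sites honest and avoids suggesting the regexp filters on the complain flag. The comment on line 194 would also serve better as a proper doc comment, `// BuildComplain sets the complain flag on all profiles.`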


@ -161,7 +161,7 @@ func SetFlags() error {
} }
// Remove all flags definition, then set manifest' flags // Remove all flags definition, then set manifest' flags
res := regFlag.ReplaceAllLiteralString(string(content), "") res := regFlagComplain.ReplaceAllLiteralString(string(content), "")
res = regProfileHeader.ReplaceAllLiteralString(res, flags) res = regProfileHeader.ReplaceAllLiteralString(res, flags)
if err := file.WriteFile([]byte(res)); err != nil { if err := file.WriteFile([]byte(res)); err != nil {
return err return err