chore: various cosmetic changes.
This commit is contained in:
parent
256d4abde8
commit
aea0034fcc
16 changed files with 35 additions and 32 deletions
|
@ -3,10 +3,11 @@
|
||||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
|
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||||
|
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
||||||
|
|
||||||
@{PROC}/1/cgroup r,
|
@{PROC}/1/cgroup r,
|
||||||
@{PROC}/1/environ r,
|
@{PROC}/1/environ r,
|
||||||
@{PROC}/1/sched r,
|
@{PROC}/1/sched r,
|
||||||
|
@ -17,7 +18,4 @@
|
||||||
|
|
||||||
/dev/kmsg w,
|
/dev/kmsg w,
|
||||||
|
|
||||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
|
||||||
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
|
||||||
|
|
||||||
include if exists <abstractions/systemd-common.d>
|
include if exists <abstractions/systemd-common.d>
|
|
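Review bot: The row at `abi <abi/3.0>,` shows text in the old column only, which would make this hunk a deletion of the abstraction's abi declaration rather than a cosmetic move — if I read the split view correctly (the hunk header's 10 → 11 count fits two additions and one deletion). Without an abi line of its own, the abstraction's rules, including `ptrace (read),`, are interpreted under whatever abi the including profile declares, so this is a semantic change worth a sentence in the commit description, e.g. "abi is now supplied by the including profiles". If the removal is not intended, the line should stay. The second hunk in this file only reorders the `SecureBoot-@{uuid}` and `memory.pressure` rules.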
@ -2,7 +2,7 @@
|
||||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/wayland-@{int}.lock rk,
|
||||||
|
|
||||||
owner /dev/shm/sway* rw,
|
owner /dev/shm/sway* rw,
|
||||||
owner /dev/shm/dunst-@{rand6} rw,
|
owner /dev/shm/dunst-@{rand6} rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/wayland-@{int}.lock rk,
|
|
||||||
|
|
|
@ -20,6 +20,7 @@ profile avahi-autoipd @{exec_path} {
|
||||||
signal receive set=(kill,term),
|
signal receive set=(kill,term),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/avahi/avahi-autoipd.action rix,
|
/etc/avahi/avahi-autoipd.action rix,
|
||||||
|
|
||||||
include if exists <local/avahi-autoipd>
|
include if exists <local/avahi-autoipd>
|
||||||
|
|
|
@ -18,13 +18,13 @@ profile grub-probe @{exec_path} {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}{local/,}{s,}bin/zpool rPx,
|
/{usr/,}{local/,}{s,}bin/zpool rPx,
|
||||||
@{bin}/lvm rPx,
|
|
||||||
@{bin}/lsb_release rPx -> lsb_release,
|
@{bin}/lsb_release rPx -> lsb_release,
|
||||||
|
@{bin}/lvm rPx,
|
||||||
@{bin}/udevadm rPx,
|
@{bin}/udevadm rPx,
|
||||||
|
|
||||||
/ r,
|
|
||||||
/usr/share/grub/* r,
|
/usr/share/grub/* r,
|
||||||
|
|
||||||
|
/ r,
|
||||||
/boot/ r,
|
/boot/ r,
|
||||||
/boot/grub/themes/{,**} r,
|
/boot/grub/themes/{,**} r,
|
||||||
|
|
||||||
|
|
|
@ -56,6 +56,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
|
||||||
unix (bind,listen) type=stream addr=@xtables,
|
unix (bind,listen) type=stream addr=@xtables,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/kmod rPx,
|
@{bin}/kmod rPx,
|
||||||
@{bin}/mount rPx,
|
@{bin}/mount rPx,
|
||||||
@{bin}/systemd-run rix,
|
@{bin}/systemd-run rix,
|
||||||
|
|
|
@ -13,6 +13,7 @@ profile syncoid @{exec_path} flags=(complain) {
|
||||||
include <abstractions/perl>
|
include <abstractions/perl>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/{,ba,da}sh rix,
|
@{bin}/{,ba,da}sh rix,
|
||||||
@{bin}/grep rix,
|
@{bin}/grep rix,
|
||||||
@{bin}/mbuffer rix,
|
@{bin}/mbuffer rix,
|
||||||
|
|
|
@ -40,7 +40,7 @@ var (
|
||||||
systemd bool
|
systemd bool
|
||||||
)
|
)
|
||||||
|
|
||||||
func aaLog(logger string, path string, profile string, rules bool) error {
|
func aaLog(logger string, path string, profile string) error {
|
||||||
var err error
|
var err error
|
||||||
var file io.Reader
|
var file io.Reader
|
||||||
|
|
||||||
|
@ -97,8 +97,8 @@ func main() {
|
||||||
logger = "systemd"
|
logger = "systemd"
|
||||||
}
|
}
|
||||||
|
|
||||||
logfile := logs.GetLogFile(path)
|
path = logs.SelectLogFile(path)
|
||||||
err := aaLog(logger, logfile, profile, rules)
|
err := aaLog(logger, path, profile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println(err)
|
fmt.Println(err)
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
|
|
|
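Review bot: Dropping the `rules bool` parameter from `func aaLog(logger string, path string, profile string) error` replaces an explicit argument with what appears to be the package-level `rules` flag — the main_test.go hunk now does `rules = tt.rules` before each call instead of passing `tt.rules`. That hides the dependency from the signature, makes the function's output depend on mutable global state, and means the table tests can no longer run in parallel or in isolation. I would keep the parameter and have `main` forward the parsed flag, `err := aaLog(logger, path, profile, rules)`, leaving the package-level variables to flag parsing only. aaLog's body continues outside the hunk, so I cannot see where `rules` is actually read.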
@ -30,7 +30,7 @@ func Test_app(t *testing.T) {
|
||||||
logger: "auditd",
|
logger: "auditd",
|
||||||
path: "../../tests/audit.log",
|
path: "../../tests/audit.log",
|
||||||
profile: "",
|
profile: "",
|
||||||
rules: rules,
|
rules: true,
|
||||||
wantErr: false,
|
wantErr: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -60,7 +60,8 @@ func Test_app(t *testing.T) {
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
if err := aaLog(tt.logger, tt.path, tt.profile, tt.rules); (err != nil) != tt.wantErr {
|
rules = tt.rules
|
||||||
|
if err := aaLog(tt.logger, tt.path, tt.profile); (err != nil) != tt.wantErr {
|
||||||
t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr)
|
t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
# Usage: make <distribution>
|
# Usage: make package dist=<distribution>
|
||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,7 @@ prevent access to these sensitive files. Problems:
|
||||||
what is required. Here we allow everything and blacklist some paths.
|
what is required. Here we allow everything and blacklist some paths.
|
||||||
|
|
||||||
It creates even more issues when we want to use this profile in other profiles.
|
It creates even more issues when we want to use this profile in other profiles.
|
||||||
Let's take the example of `diff`. Using this rule: `/{,usr/}bin/diff rPx,` will
|
Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` will
|
||||||
restrict access to the very generic and not very confined `diff` profile.
|
restrict access to the very generic and not very confined `diff` profile.
|
||||||
Whereas most of the time, we want to restrict `diff` to some specific file in
|
Whereas most of the time, we want to restrict `diff` to some specific file in
|
||||||
our profile:
|
our profile:
|
||||||
|
@ -169,12 +169,12 @@ dynamically by the kernel. Therefore, the full range must be allowed:
|
||||||
|
|
||||||
[apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/15e33a1fe6654f67a187cd5157c9968061b9511e/apparmor.d/groups/virt/libvirtd#L179-L184)
|
[apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/15e33a1fe6654f67a187cd5157c9968061b9511e/apparmor.d/groups/virt/libvirtd#L179-L184)
|
||||||
``` aa linenums="179"
|
``` aa linenums="179"
|
||||||
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
|
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
|
||||||
@{run}/udev/data/c24[0-9]:[0-9]* r,
|
@{run}/udev/data/c24[0-9]:@{int} r,
|
||||||
@{run}/udev/data/c25[0-4]:[0-9]* r,
|
@{run}/udev/data/c25[0-4]:@{int} r,
|
||||||
@{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511
|
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
|
||||||
@{run}/udev/data/c4[0-9]*:[0-9]* r,
|
@{run}/udev/data/c4[0-9]*:@{int} r,
|
||||||
@{run}/udev/data/c5[0-9]*:[0-9]* r,
|
@{run}/udev/data/c5[0-9]*:@{int} r,
|
||||||
```
|
```
|
||||||
|
|
||||||
[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
||||||
|
|
|
@ -17,7 +17,7 @@ type AppArmorProfiles map[string]*AppArmorProfile
|
||||||
// ApparmorProfile represents a full apparmor profile.
|
// ApparmorProfile represents a full apparmor profile.
|
||||||
// Warning: close to the BNF grammar of apparmor profile but not exactly the same (yet):
|
// Warning: close to the BNF grammar of apparmor profile but not exactly the same (yet):
|
||||||
// - Some rules are not supported yet (subprofile, hat...)
|
// - Some rules are not supported yet (subprofile, hat...)
|
||||||
// - The structure is simplified as it only aims at writting profile, not parsing it.
|
// - The structure is simplified as it only aims at writing profile, not parsing it.
|
||||||
type AppArmorProfile struct {
|
type AppArmorProfile struct {
|
||||||
Preamble
|
Preamble
|
||||||
Profile
|
Profile
|
||||||
|
|
|
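Review bot: The doc comment above `type AppArmorProfile struct` still opens with `// ApparmorProfile represents a full apparmor profile.`, which does not match the type's casing; doc-comment checks key on the exact identifier, and the commit already edits this block to fix "writing". I would change it to `// AppArmorProfile represents a full apparmor profile.` in the same pass.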
@ -69,7 +69,8 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
|
||||||
return strings.NewReader(res), nil
|
return strings.NewReader(res), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetLogFile(path string) string {
|
// SelectLogFile return the path of the available log file to parse (audit, syslog, .1, .2)
|
||||||
|
func SelectLogFile(path string) string {
|
||||||
info, err := os.Stat(filepath.Clean(path))
|
info, err := os.Stat(filepath.Clean(path))
|
||||||
if err == nil && !info.IsDir() {
|
if err == nil && !info.IsDir() {
|
||||||
return path
|
return path
|
||||||
|
|
|
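Review bot: The new doc comment `// SelectLogFile return the path of the available log file to parse (audit, syslog, .1, .2)` has a verb-agreement slip and should read `// SelectLogFile returns the path of the available log file to parse (audit, syslog, .1, .2).` Since the function now carries a doc comment, it is also the place to say what is returned when none of the candidates exists; the body continues outside the hunk, so I cannot tell from here whether `path` comes back unchanged in that case.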
@ -53,7 +53,7 @@ func TestGetJournalctlLogs(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestGetLogFile(t *testing.T) {
|
func TestSelectLogFile(t *testing.T) {
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
path string
|
path string
|
||||||
|
@ -77,7 +77,7 @@ func TestGetLogFile(t *testing.T) {
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
if got := GetLogFile(tt.path); got != tt.want {
|
if got := SelectLogFile(tt.path); got != tt.want {
|
||||||
t.Errorf("getLogFile() = %v, want %v", got, tt.want)
|
t.Errorf("getLogFile() = %v, want %v", got, tt.want)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
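Review bot: The failure message in the renamed test still names the old function: `t.Errorf("getLogFile() = %v, want %v", got, tt.want)` sits directly under the call the commit changed to `SelectLogFile(tt.path)`. A failing run would point at a function that no longer exists; it should become `t.Errorf("SelectLogFile() = %v, want %v", got, tt.want)`.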
@ -19,7 +19,7 @@ var Builds = []BuildFunc{
|
||||||
|
|
||||||
var (
|
var (
|
||||||
regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
|
regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
|
||||||
regFlag = regexp.MustCompile(`flags=\(([^)]+)\)`)
|
regFlagComplain = regexp.MustCompile(`flags=\(([^)]+)\)`)
|
||||||
regProfileHeader = regexp.MustCompile(` {`)
|
regProfileHeader = regexp.MustCompile(` {`)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -28,7 +28,7 @@ type BuildFunc func(string) string
|
||||||
// Set complain flag on all profiles
|
// Set complain flag on all profiles
|
||||||
func BuildComplain(profile string) string {
|
func BuildComplain(profile string) string {
|
||||||
flags := []string{}
|
flags := []string{}
|
||||||
matches := regFlag.FindStringSubmatch(profile)
|
matches := regFlagComplain.FindStringSubmatch(profile)
|
||||||
if len(matches) != 0 {
|
if len(matches) != 0 {
|
||||||
flags = strings.Split(matches[1], ",")
|
flags = strings.Split(matches[1], ",")
|
||||||
if slices.Contains(flags, "complain") {
|
if slices.Contains(flags, "complain") {
|
||||||
|
@ -39,7 +39,7 @@ func BuildComplain(profile string) string {
|
||||||
strFlags := " flags=(" + strings.Join(flags, ",") + ") {"
|
strFlags := " flags=(" + strings.Join(flags, ",") + ") {"
|
||||||
|
|
||||||
// Remove all flags definition, then set manifest' flags
|
// Remove all flags definition, then set manifest' flags
|
||||||
profile = regFlag.ReplaceAllLiteralString(profile, "")
|
profile = regFlagComplain.ReplaceAllLiteralString(profile, "")
|
||||||
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
|
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
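Review bot: The rename `regFlag` → `regFlagComplain` gives a complain-specific name to a pattern, `flags=\(([^)]+)\)`, that matches every flags clause, and the `SetFlags` hunk in the next file uses the same variable to strip existing flags before writing the manifest's own, which has nothing to do with complain mode. A name that says what it matches, e.g. `regFlags`, or a comment on the declaration such as `// regFlagComplain matches any flags=(...) clause of a profile header; shared by BuildComplain and SetFlags.` would stop a reader assuming it only matches `complain`. The same rename applies in the `SetFlags` hunk, so whichever name is chosen should change in both places.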
@ -161,7 +161,7 @@ func SetFlags() error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Remove all flags definition, then set manifest' flags
|
// Remove all flags definition, then set manifest' flags
|
||||||
res := regFlag.ReplaceAllLiteralString(string(content), "")
|
res := regFlagComplain.ReplaceAllLiteralString(string(content), "")
|
||||||
res = regProfileHeader.ReplaceAllLiteralString(res, flags)
|
res = regProfileHeader.ReplaceAllLiteralString(res, flags)
|
||||||
if err := file.WriteFile([]byte(res)); err != nil {
|
if err := file.WriteFile([]byte(res)); err != nil {
|
||||||
return err
|
return err
|
||||||
|
|