mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-24 14:06:47 +01:00
chore: various cosmetic changes.
This commit is contained in:
parent
256d4abde8
commit
aea0034fcc
16 changed files with 35 additions and 32 deletions
|
@ -3,10 +3,11 @@
|
|||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
||||
|
||||
@{PROC}/1/cgroup r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/1/sched r,
|
||||
|
@ -17,7 +18,4 @@
|
|||
|
||||
/dev/kmsg w,
|
||||
|
||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
|
||||
|
||||
include if exists <abstractions/systemd-common.d>
|
|
@ -2,7 +2,7 @@
|
|||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-@{int}.lock rk,
|
||||
|
||||
owner /dev/shm/sway* rw,
|
||||
owner /dev/shm/dunst-@{rand6} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-@{int}.lock rk,
|
||||
|
|
|
@ -20,6 +20,7 @@ profile avahi-autoipd @{exec_path} {
|
|||
signal receive set=(kill,term),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/avahi/avahi-autoipd.action rix,
|
||||
|
||||
include if exists <local/avahi-autoipd>
|
||||
|
|
|
@ -57,7 +57,7 @@ profile grub-mkconfig @{exec_path} {
|
|||
@{bin}/umount rPx,
|
||||
@{bin}/uname rix,
|
||||
@{bin}/which{.debianutils,} rix,
|
||||
/etc/grub.d/{**,} rix,
|
||||
/etc/grub.d/{**,} rix,
|
||||
|
||||
/boot/{**,} r,
|
||||
/boot/grub/{**,} rw,
|
||||
|
|
|
@ -18,13 +18,13 @@ profile grub-probe @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}{local/,}{s,}bin/zpool rPx,
|
||||
@{bin}/lvm rPx,
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
@{bin}/lvm rPx,
|
||||
@{bin}/udevadm rPx,
|
||||
|
||||
/ r,
|
||||
/usr/share/grub/* r,
|
||||
|
||||
/ r,
|
||||
/boot/ r,
|
||||
/boot/grub/themes/{,**} r,
|
||||
|
||||
|
|
|
@ -56,6 +56,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
|
|||
unix (bind,listen) type=stream addr=@xtables,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/kmod rPx,
|
||||
@{bin}/mount rPx,
|
||||
@{bin}/systemd-run rix,
|
||||
|
|
|
@ -12,7 +12,8 @@ profile syncoid @{exec_path} flags=(complain) {
|
|||
include <abstractions/consoles>
|
||||
include <abstractions/perl>
|
||||
|
||||
@{exec_path} mr,
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/grep rix,
|
||||
@{bin}/mbuffer rix,
|
||||
|
|
|
@ -40,7 +40,7 @@ var (
|
|||
systemd bool
|
||||
)
|
||||
|
||||
func aaLog(logger string, path string, profile string, rules bool) error {
|
||||
func aaLog(logger string, path string, profile string) error {
|
||||
var err error
|
||||
var file io.Reader
|
||||
|
||||
|
@ -97,8 +97,8 @@ func main() {
|
|||
logger = "systemd"
|
||||
}
|
||||
|
||||
logfile := logs.GetLogFile(path)
|
||||
err := aaLog(logger, logfile, profile, rules)
|
||||
path = logs.SelectLogFile(path)
|
||||
err := aaLog(logger, path, profile)
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
os.Exit(1)
|
||||
|
|
|
@ -30,7 +30,7 @@ func Test_app(t *testing.T) {
|
|||
logger: "auditd",
|
||||
path: "../../tests/audit.log",
|
||||
profile: "",
|
||||
rules: rules,
|
||||
rules: true,
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
|
@ -60,7 +60,8 @@ func Test_app(t *testing.T) {
|
|||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if err := aaLog(tt.logger, tt.path, tt.profile, tt.rules); (err != nil) != tt.wantErr {
|
||||
rules = tt.rules
|
||||
if err := aaLog(tt.logger, tt.path, tt.profile); (err != nil) != tt.wantErr {
|
||||
t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
})
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Usage: make <distribution>
|
||||
# Usage: make package dist=<distribution>
|
||||
|
||||
set -eu
|
||||
|
||||
|
|
|
@ -30,7 +30,7 @@ prevent access to these sensitive files. Problems:
|
|||
what is required. Here we allow everything and blacklist some paths.
|
||||
|
||||
It creates even more issues when we want to use this profile in other profiles.
|
||||
Let's take the example of `diff`. Using this rule: `/{,usr/}bin/diff rPx,` will
|
||||
Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` will
|
||||
restrict access to the very generic and not very confined `diff` profile.
|
||||
Whereas most of the time, we want to restrict `diff` to some specific file in
|
||||
our profile:
|
||||
|
@ -169,12 +169,12 @@ dynamically by the kernel. Therefore, the full range must be allowed:
|
|||
|
||||
[apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/15e33a1fe6654f67a187cd5157c9968061b9511e/apparmor.d/groups/virt/libvirtd#L179-L184)
|
||||
``` aa linenums="179"
|
||||
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
|
||||
@{run}/udev/data/c24[0-9]:[0-9]* r,
|
||||
@{run}/udev/data/c25[0-4]:[0-9]* r,
|
||||
@{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511
|
||||
@{run}/udev/data/c4[0-9]*:[0-9]* r,
|
||||
@{run}/udev/data/c5[0-9]*:[0-9]* r,
|
||||
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
|
||||
@{run}/udev/data/c24[0-9]:@{int} r,
|
||||
@{run}/udev/data/c25[0-4]:@{int} r,
|
||||
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
|
||||
@{run}/udev/data/c4[0-9]*:@{int} r,
|
||||
@{run}/udev/data/c5[0-9]*:@{int} r,
|
||||
```
|
||||
|
||||
[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
||||
|
|
|
@ -17,7 +17,7 @@ type AppArmorProfiles map[string]*AppArmorProfile
|
|||
// ApparmorProfile represents a full apparmor profile.
|
||||
// Warning: close to the BNF grammar of apparmor profile but not exactly the same (yet):
|
||||
// - Some rules are not supported yet (subprofile, hat...)
|
||||
// - The structure is simplified as it only aims at writting profile, not parsing it.
|
||||
// - The structure is simplified as it only aims at writing profile, not parsing it.
|
||||
type AppArmorProfile struct {
|
||||
Preamble
|
||||
Profile
|
||||
|
|
|
@ -69,7 +69,8 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
|
|||
return strings.NewReader(res), nil
|
||||
}
|
||||
|
||||
func GetLogFile(path string) string {
|
||||
// SelectLogFile return the path of the available log file to parse (audit, syslog, .1, .2)
|
||||
func SelectLogFile(path string) string {
|
||||
info, err := os.Stat(filepath.Clean(path))
|
||||
if err == nil && !info.IsDir() {
|
||||
return path
|
||||
|
|
|
@ -53,7 +53,7 @@ func TestGetJournalctlLogs(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestGetLogFile(t *testing.T) {
|
||||
func TestSelectLogFile(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
path string
|
||||
|
@ -77,7 +77,7 @@ func TestGetLogFile(t *testing.T) {
|
|||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if got := GetLogFile(tt.path); got != tt.want {
|
||||
if got := SelectLogFile(tt.path); got != tt.want {
|
||||
t.Errorf("getLogFile() = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
|
|
|
@ -19,7 +19,7 @@ var Builds = []BuildFunc{
|
|||
|
||||
var (
|
||||
regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
|
||||
regFlag = regexp.MustCompile(`flags=\(([^)]+)\)`)
|
||||
regFlagComplain = regexp.MustCompile(`flags=\(([^)]+)\)`)
|
||||
regProfileHeader = regexp.MustCompile(` {`)
|
||||
)
|
||||
|
||||
|
@ -28,7 +28,7 @@ type BuildFunc func(string) string
|
|||
// Set complain flag on all profiles
|
||||
func BuildComplain(profile string) string {
|
||||
flags := []string{}
|
||||
matches := regFlag.FindStringSubmatch(profile)
|
||||
matches := regFlagComplain.FindStringSubmatch(profile)
|
||||
if len(matches) != 0 {
|
||||
flags = strings.Split(matches[1], ",")
|
||||
if slices.Contains(flags, "complain") {
|
||||
|
@ -39,7 +39,7 @@ func BuildComplain(profile string) string {
|
|||
strFlags := " flags=(" + strings.Join(flags, ",") + ") {"
|
||||
|
||||
// Remove all flags definition, then set manifest' flags
|
||||
profile = regFlag.ReplaceAllLiteralString(profile, "")
|
||||
profile = regFlagComplain.ReplaceAllLiteralString(profile, "")
|
||||
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
|
||||
}
|
||||
|
||||
|
|
|
@ -161,7 +161,7 @@ func SetFlags() error {
|
|||
}
|
||||
|
||||
// Remove all flags definition, then set manifest' flags
|
||||
res := regFlag.ReplaceAllLiteralString(string(content), "")
|
||||
res := regFlagComplain.ReplaceAllLiteralString(string(content), "")
|
||||
res = regProfileHeader.ReplaceAllLiteralString(res, flags)
|
||||
if err := file.WriteFile([]byte(res)); err != nil {
|
||||
return err
|
||||
|
|
Loading…
Reference in a new issue