chore: various cosmetic changes.

Alexandre Pujol 2023-09-01 19:26:52 +01:00
parent 256d4abde8
commit aea0034fcc
16 changed files with 35 additions and 32 deletions


@ -3,10 +3,11 @@
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
ptrace (read),
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
@{PROC}/1/cgroup r,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@ -17,7 +18,4 @@
/dev/kmsg w,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
include if exists <abstractions/systemd-common.d>
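Review bot: `ptrace (read),` at the top of the first hunk carries no `peer=` qualifier, so it grants read-class ptrace access towards every process on the system, while the only cross-process reads visible in the hunk are `@{PROC}/1/cgroup`, `@{PROC}/1/environ` and `@{PROC}/1/sched`, which are gated by exactly that permission against PID 1. If the init process is the only intended peer, scoping the rule, e.g. `ptrace (read) peer=unconfined,` where PID 1 runs unconfined, keeps the grant to what the profile actually uses. Which lines this rendering shows as added versus moved is not recoverable, so the rule may be pre-existing, and the file header for this section is not shown.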


@ -2,7 +2,7 @@
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{run}/user/@{uid}/wayland-@{int}.lock rk,
owner /dev/shm/sway* rw,
owner /dev/shm/dunst-@{rand6} rw,
owner @{run}/user/@{uid}/wayland-@{int}.lock rk,


@ -20,6 +20,7 @@ profile avahi-autoipd @{exec_path} {
signal receive set=(kill,term),
@{exec_path} mr,
/etc/avahi/avahi-autoipd.action rix,
include if exists <local/avahi-autoipd>


@ -57,7 +57,7 @@ profile grub-mkconfig @{exec_path} {
@{bin}/umount rPx,
@{bin}/uname rix,
@{bin}/which{.debianutils,} rix,
/etc/grub.d/{**,} rix,
/etc/grub.d/{**,} rix,
/boot/{**,} r,
/boot/grub/{**,} rw,


@ -18,13 +18,13 @@ profile grub-probe @{exec_path} {
@{exec_path} mr,
/{usr/,}{local/,}{s,}bin/zpool rPx,
@{bin}/lvm rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lvm rPx,
@{bin}/udevadm rPx,
/ r,
/usr/share/grub/* r,
/ r,
/boot/ r,
/boot/grub/themes/{,**} r,
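Review bot: `/{usr/,}{local/,}{s,}bin/zpool rPx,` on the third line of the hunk still spells the binary path out by hand while every neighbouring rule uses `@{bin}`, the same form this commit migrates the documentation example to (`@{bin}/diff rPx,`). If `@{bin}` does not expand to the `local/` variants, the explicit prefix has to stay so the `/usr/local/{,s}bin/zpool` match is not lost; otherwise `@{bin}/zpool rPx,` would make the block uniform with the reordered `lvm`, `lsb_release` and `udevadm` lines. The profile header is outside the hunk.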


@ -56,6 +56,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
unix (bind,listen) type=stream addr=@xtables,
@{exec_path} mr,
@{bin}/kmod rPx,
@{bin}/mount rPx,
@{bin}/systemd-run rix,
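Review bot: `@{bin}/systemd-run rix,` on the last line of the hunk deserves a why-comment, because `systemd-run` asks PID 1 to start a transient unit and the spawned process then runs under whatever confinement systemd assigns it, not under this `k3s` profile, so the rule effectively lets the confined program run commands outside its own profile. A comment next to it such as `# systemd-run hands off to PID 1; the transient unit is not confined by this profile` would make that trade-off visible to the next maintainer and flag the line for review when the profile is tightened. Which of the three lines the hunk adds is not recoverable from this rendering, and the profile body continues outside it.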


@ -12,7 +12,8 @@ profile syncoid @{exec_path} flags=(complain) {
include <abstractions/consoles>
include <abstractions/perl>
@{exec_path} mr,
@{exec_path} mr,
@{bin}/{,ba,da}sh rix,
@{bin}/grep rix,
@{bin}/mbuffer rix,


@ -40,7 +40,7 @@ var (
systemd bool
)
func aaLog(logger string, path string, profile string, rules bool) error {
func aaLog(logger string, path string, profile string) error {
var err error
var file io.Reader
@ -97,8 +97,8 @@ func main() {
logger = "systemd"
}
logfile := logs.GetLogFile(path)
err := aaLog(logger, logfile, profile, rules)
path = logs.SelectLogFile(path)
err := aaLog(logger, path, profile)
if err != nil {
fmt.Println(err)
os.Exit(1)
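Review bot: Dropping the `rules bool` parameter from `aaLog` at the top of the first hunk turns an explicit input into hidden mutable state: the flag now has to live in the package-level `var (` block shown above the function, and the test file in this commit sets it with `rules = tt.rules` inside each `t.Run` closure, so callers must remember to set the global first and the subtests can no longer be made parallel without a data race. If the parameter is to stay gone, the function needs a doc comment stating the dependency, e.g. `// aaLog processes the log at path for the given profile; the rules and systemd settings are read from package-level variables rather than passed in.` (hedged, since the body is outside the hunk). Separately, `fmt.Println(err)` followed by `os.Exit(1)` in the second hunk writes the failure to stdout; `fmt.Fprintln(os.Stderr, err)` keeps it out of piped output.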


@ -30,7 +30,7 @@ func Test_app(t *testing.T) {
logger: "auditd",
path: "../../tests/audit.log",
profile: "",
rules: rules,
rules: true,
wantErr: false,
},
{
@ -60,7 +60,8 @@ func Test_app(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := aaLog(tt.logger, tt.path, tt.profile, tt.rules); (err != nil) != tt.wantErr {
rules = tt.rules
if err := aaLog(tt.logger, tt.path, tt.profile); (err != nil) != tt.wantErr {
t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr)
}
})


@ -3,7 +3,7 @@
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Usage: make <distribution>
# Usage: make package dist=<distribution>
set -eu


@ -30,7 +30,7 @@ prevent access to these sensitive files. Problems:
what is required. Here we allow everything and blacklist some paths.
It creates even more issues when we want to use this profile in other profiles.
Let's take the example of `diff`. Using this rule: `/{,usr/}bin/diff rPx,` will
Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` will
restrict access to the very generic and not very confined `diff` profile.
Whereas most of the time, we want to restrict `diff` to some specific file in
our profile:
@ -169,12 +169,12 @@ dynamically by the kernel. Therefore, the full range must be allowed:
[apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/15e33a1fe6654f67a187cd5157c9968061b9511e/apparmor.d/groups/virt/libvirtd#L179-L184)
``` aa linenums="179"
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:[0-9]* r,
@{run}/udev/data/c25[0-4]:[0-9]* r,
@{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:[0-9]* r,
@{run}/udev/data/c5[0-9]*:[0-9]* r,
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
```
[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt


@ -17,7 +17,7 @@ type AppArmorProfiles map[string]*AppArmorProfile
// ApparmorProfile represents a full apparmor profile.
// Warning: close to the BNF grammar of apparmor profile but not exactly the same (yet):
// - Some rules are not supported yet (subprofile, hat...)
// - The structure is simplified as it only aims at writting profile, not parsing it.
// - The structure is simplified as it only aims at writing profile, not parsing it.
type AppArmorProfile struct {
Preamble
Profile
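Review bot: The doc comment on the type still opens with `// ApparmorProfile represents a full apparmor profile.` while the type declared below it is `AppArmorProfile`; Go doc comments are expected to begin with the exact identifier, and godoc and linters key on that first word. Since this hunk already touches the comment block to fix `writting`, changing the first line to `// AppArmorProfile represents a full apparmor profile.` belongs in the same cosmetic pass. The struct body continues past the hunk.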


@ -69,7 +69,8 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
return strings.NewReader(res), nil
}
func GetLogFile(path string) string {
// SelectLogFile return the path of the available log file to parse (audit, syslog, .1, .2)
func SelectLogFile(path string) string {
info, err := os.Stat(filepath.Clean(path))
if err == nil && !info.IsDir() {
return path
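Review bot: The new doc comment reads `// SelectLogFile return the path ...`; it should be `// SelectLogFile returns the path of the available log file to parse (audit, syslog, .1, .2).` Also, the first line of the body stats `filepath.Clean(path)` but the early return hands back the uncleaned `path`, so the caller can receive a path that differs from the one that was checked; if nothing relies on the original spelling, cleaning once into the variable (`path = filepath.Clean(path)`) and using it for both the check and the return keeps them consistent. The function body continues past the hunk.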


@ -53,7 +53,7 @@ func TestGetJournalctlLogs(t *testing.T) {
}
}
func TestGetLogFile(t *testing.T) {
func TestSelectLogFile(t *testing.T) {
tests := []struct {
name string
path string
@ -77,7 +77,7 @@ func TestGetLogFile(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := GetLogFile(tt.path); got != tt.want {
if got := SelectLogFile(tt.path); got != tt.want {
t.Errorf("getLogFile() = %v, want %v", got, tt.want)
}
})
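Review bot: The failure message in the second hunk still names the old function: `t.Errorf("getLogFile() = %v, want %v", got, tt.want)` survived the rename to `SelectLogFile`, so a failing case would point at a function that no longer exists (and with a lowercase spelling it never had). It should read `t.Errorf("SelectLogFile() = %v, want %v", got, tt.want)`. The test function body continues past the hunk.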


@ -19,7 +19,7 @@ var Builds = []BuildFunc{
var (
regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
regFlag = regexp.MustCompile(`flags=\(([^)]+)\)`)
regFlagComplain = regexp.MustCompile(`flags=\(([^)]+)\)`)
regProfileHeader = regexp.MustCompile(` {`)
)
@ -28,7 +28,7 @@ type BuildFunc func(string) string
// Set complain flag on all profiles
func BuildComplain(profile string) string {
flags := []string{}
matches := regFlag.FindStringSubmatch(profile)
matches := regFlagComplain.FindStringSubmatch(profile)
if len(matches) != 0 {
flags = strings.Split(matches[1], ",")
if slices.Contains(flags, "complain") {
@ -39,7 +39,7 @@ func BuildComplain(profile string) string {
strFlags := " flags=(" + strings.Join(flags, ",") + ") {"
// Remove all flags definition, then set manifest' flags
profile = regFlag.ReplaceAllLiteralString(profile, "")
profile = regFlagComplain.ReplaceAllLiteralString(profile, "")
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
}
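Review bot: Renaming `regFlag` to `regFlagComplain` in the first hunk makes the variable describe one caller rather than the pattern: the regexp still matches any `flags=(...)` clause, and `SetFlags` in the last file section of this commit uses the same variable for a purpose unrelated to complain mode (`res := regFlagComplain.ReplaceAllLiteralString(string(content), "")`). A neutral name such as `regFlags` or `regProfileFlags` would fit both call sites; if the rename is meant to reserve the variable for `BuildComplain`, `SetFlags` should get its own compiled pattern instead. Unrelated to the rename, `flags := []string{}` on the first line of `BuildComplain` can be the idiomatic `var flags []string`, since `append`, `slices.Contains` and `strings.Join` treat nil and empty slices alike. `BuildComplain` closes at the `}` ending the third hunk, but `SetFlags` continues outside the shown hunk.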


@ -161,7 +161,7 @@ func SetFlags() error {
}
// Remove all flags definition, then set manifest' flags
res := regFlag.ReplaceAllLiteralString(string(content), "")
res := regFlagComplain.ReplaceAllLiteralString(string(content), "")
res = regProfileHeader.ReplaceAllLiteralString(res, flags)
if err := file.WriteFile([]byte(res)); err != nil {
return err