feat(aa-log): add support change_profile & pivot_rule

Alexandre Pujol 2023-11-27 19:21:43 +00:00
parent 52278490ab
commit d4bc07895a
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
5 changed files with 105 additions and 7 deletions


@ -5,6 +5,7 @@
package aa package aa
type ChangeProfile struct { type ChangeProfile struct {
Qualifier
ExecMode string ExecMode string
Exec string Exec string
ProfileName string ProfileName string
@ -12,9 +13,10 @@ type ChangeProfile struct {
func ChangeProfileFromLog(log map[string]string) ApparmorRule { func ChangeProfileFromLog(log map[string]string) ApparmorRule {
return &ChangeProfile{ return &ChangeProfile{
Qualifier: NewQualifierFromLog(log),
ExecMode: log["mode"], ExecMode: log["mode"],
Exec: log["exec"], Exec: log["exec"],
ProfileName: log["name"], ProfileName: log["target"],
} }
} }
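Review bot: `ChangeProfileFromLog` now reads `ProfileName` only from `log["target"]`, so an event that lacks that key produces an empty name, and the `ChangeProfile` template branch in this commit then renders a bare `change_profile,`. As I read apparmor.d, a rule without a target is the broadest form, which grants more than the logged event justifies. Consider returning no rule (or falling back to the previous key, if that is still meaningful) when the target is empty. A doc comment on the exported function would also help, for example `// ChangeProfileFromLog builds a change_profile rule from a parsed audit log entry; the target profile comes from the "target" field.`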


@ -83,10 +83,44 @@ var (
MountPoint: "/var/lib/docker/overlay2/metacopy-check906831159/merged/", MountPoint: "/var/lib/docker/overlay2/metacopy-check906831159/merged/",
} }
// PivotRoot
pivotroot1LogStr = `apparmor="ALLOWED" operation="pivotroot" class="mount" profile="systemd" name="@{run}/systemd/mount-rootfs/" comm="(ostnamed)" srcname="@{run}/systemd/mount-rootfs/"`
pivotroot1Log = map[string]string{
"apparmor": "ALLOWED",
"class": "mount",
"profile": "systemd",
"operation": "pivotroot",
"comm": "(ostnamed)",
"name": "@{run}/systemd/mount-rootfs/",
"srcname": "@{run}/systemd/mount-rootfs/",
}
pivotroot1 = &PivotRoot{
OldRoot: "@{run}/systemd/mount-rootfs/",
NewRoot: "@{run}/systemd/mount-rootfs/",
}
pivotroot2 = &PivotRoot{
OldRoot: "@{run}/systemd/mount-rootfs/",
NewRoot: "/newroot",
TargetProfile: "brwap",
}
pivotroot3 = &PivotRoot{
NewRoot: "/newroot",
}
// Change Profile // Change Profile
changeprofile1 = &ChangeProfile{ExecMode: "Px", Exec: "/bin/bash", ProfileName: "brwap//default"} changeprofile1LogStr = `apparmor="ALLOWED" operation="change_onexec" class="file" profile="systemd" name="systemd-user" comm="(systemd)" target="systemd-user"`
changeprofile2 = &ChangeProfile{ExecMode: "Px", Exec: "/bin/bash", ProfileName: "brwap"} changeprofile1Log = map[string]string{
changeprofile3 = &ChangeProfile{ExecMode: "safe", Exec: "/bin/foo", ProfileName: "brwap//default"} "apparmor": "ALLOWED",
"class": "file",
"profile": "systemd",
"operation": "change_onexec",
"comm": "(systemd)",
"name": "systemd-user",
"target": "systemd-user",
}
changeprofile1 = &ChangeProfile{ProfileName: "systemd-user"}
changeprofile2 = &ChangeProfile{ProfileName: "brwap"}
changeprofile3 = &ChangeProfile{ExecMode: "safe", Exec: "/bin/bash", ProfileName: "brwap//default"}
// Signal // Signal
signal1Log = map[string]string{ signal1Log = map[string]string{
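Review bot: Both new log fixtures carry the same value in the two fields that the parsers have to tell apart: `pivotroot1Log` has `name` equal to `srcname`, and `changeprofile1Log` has `name` equal to `target`. With this data the FromLog tests would still pass if `OldRoot`/`NewRoot` were swapped or if `ProfileName` were read from the wrong key. A second fixture with distinct values would pin the mapping; something like `"srcname": "/old/"` with `"name": "/new/"` (constructed values) is enough. `pivotroot1LogStr` and `changeprofile1LogStr` are not referenced in any hunk shown here, so a short comment on what consumes them would be useful.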


@ -14,9 +14,9 @@ type PivotRoot struct {
func PivotRootFromLog(log map[string]string) ApparmorRule { func PivotRootFromLog(log map[string]string) ApparmorRule {
return &PivotRoot{ return &PivotRoot{
Qualifier: NewQualifierFromLog(log), Qualifier: NewQualifierFromLog(log),
OldRoot: log["oldroot"], OldRoot: log["srcname"],
NewRoot: log["root"], NewRoot: log["name"],
TargetProfile: log["name"], TargetProfile: "",
} }
} }
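Review bot: `TargetProfile: ""` in `PivotRootFromLog` spells out the zero value without saying why the field is no longer populated. Either drop the line or keep it with a comment that records the decision, e.g. `// TargetProfile: not derived from the log fields read here (name is the new root).` If the audit record can carry a profile transition for pivotroot events, rules generated from such events would silently lose their `-> profile` part, which is worth confirming against a real log sample.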


@ -34,6 +34,18 @@ func TestRule_FromLog(t *testing.T) {
log: mount1Log, log: mount1Log,
want: mount1, want: mount1,
}, },
{
name: "pivotroot",
fromLog: PivotRootFromLog,
log: pivotroot1Log,
want: pivotroot1,
},
{
name: "changeprofile",
fromLog: ChangeProfileFromLog,
log: changeprofile1Log,
want: changeprofile1,
},
{ {
name: "signal", name: "signal",
fromLog: SignalFromLog, fromLog: SignalFromLog,
@ -141,6 +153,18 @@ func TestRule_Less(t *testing.T) {
other: mount2, other: mount2,
want: false, want: false,
}, },
{
name: "pivot_root1",
rule: pivotroot2,
other: pivotroot1,
want: true,
},
{
name: "pivot_root2",
rule: pivotroot1,
other: pivotroot3,
want: false,
},
{ {
name: "change_profile1", name: "change_profile1",
rule: changeprofile1, rule: changeprofile1,
@ -273,6 +297,12 @@ func TestRule_Equals(t *testing.T) {
other: mount1, other: mount1,
want: true, want: true,
}, },
{
name: "pivot_root",
rule: pivotroot1,
other: pivotroot2,
want: false,
},
{ {
name: "change_profile", name: "change_profile",
rule: changeprofile1, rule: changeprofile1,
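Review bot: The new `pivot_root` case in `TestRule_Equals` only checks inequality (`pivotroot1` against `pivotroot2`, `want: false`), whereas the mount case just above it asserts `want: true`. An `Equals` that always returned false for `PivotRoot` would pass this test. Adding a matching positive case, `rule: pivotroot1, other: pivotroot1, want: true`, closes that gap. The case names also mix `pivotroot` (FromLog) with `pivot_root1` (Less); using one spelling makes failures easier to search for.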


@ -129,6 +129,38 @@
{{- template "comment" . -}} {{- template "comment" . -}}
{{- end -}} {{- end -}}
{{- if eq $type "PivotRoot" -}}
{{- template "qualifier" . -}}
{{- "pivot_root" -}}
{{- with .OldRoot -}}
{{ " oldroot=" }}{{ . }}
{{- end -}}
{{- with .NewRoot -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .TargetProfile -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}
{{- if eq $type "ChangeProfile" -}}
{{- template "qualifier" . -}}
{{- "change_profile" -}}
{{- with .ExecMode -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Exec -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .ProfileName -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}
{{- if eq $type "Unix" -}} {{- if eq $type "Unix" -}}
{{- template "qualifier" . -}} {{- template "qualifier" . -}}
{{- "unix" -}} {{- "unix" -}}
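Review bot: The `PivotRoot` and `ChangeProfile` branches write `.OldRoot`, `.NewRoot`, `.Exec`, `.TargetProfile` and `.ProfileName` into the rule verbatim. These values originate from audit log fields, so unless they are validated before they reach the template, a path or profile name containing whitespace, a comma or a line break would produce a malformed rule, or one that parses differently from what was logged. Emitting them through a quoting helper (AppArmor accepts double-quoted strings), or rejecting such values in the FromLog constructors, would keep generated profiles faithful to the event. Also, when every field is empty the branches render bare `pivot_root,` and `change_profile,`, which are the least restrictive forms, so a comment stating whether that is intended would help the next reader.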