feat(aa-log): add support change_profile & pivot_rule

2024-11-15 07:54:17 +01:00 · 2023-11-27 19:21:43 +00:00 · 2023-11-27 19:21:43 +00:00 · d4bc07895a
commit d4bc07895a
parent 52278490ab
5 changed files with 105 additions and 7 deletions
--- a/pkg/aa/change_profile.go
+++ b/pkg/aa/change_profile.go
@ -5,6 +5,7 @@
 package aa

 type ChangeProfile struct {
+	Qualifier
 	ExecMode    string
 	Exec        string
 	ProfileName string
@ -12,9 +13,10 @@ type ChangeProfile struct {

 func ChangeProfileFromLog(log map[string]string) ApparmorRule {
 	return &ChangeProfile{
+		Qualifier:   NewQualifierFromLog(log),
 		ExecMode:    log["mode"],
 		Exec:        log["exec"],
-		ProfileName: log["name"],
+		ProfileName: log["target"],
 	}
 }

--- a/pkg/aa/data_test.go
+++ b/pkg/aa/data_test.go
@ -83,10 +83,44 @@ var (
 		MountPoint:      "/var/lib/docker/overlay2/metacopy-check906831159/merged/",
 	}

+	// PivotRoot
+	pivotroot1LogStr = `apparmor="ALLOWED" operation="pivotroot" class="mount" profile="systemd" name="@{run}/systemd/mount-rootfs/"  comm="(ostnamed)" srcname="@{run}/systemd/mount-rootfs/"`
+	pivotroot1Log    = map[string]string{
+		"apparmor":  "ALLOWED",
+		"class":     "mount",
+		"profile":   "systemd",
+		"operation": "pivotroot",
+		"comm":      "(ostnamed)",
+		"name":      "@{run}/systemd/mount-rootfs/",
+		"srcname":   "@{run}/systemd/mount-rootfs/",
+	}
+	pivotroot1 = &PivotRoot{
+		OldRoot: "@{run}/systemd/mount-rootfs/",
+		NewRoot: "@{run}/systemd/mount-rootfs/",
+	}
+	pivotroot2 = &PivotRoot{
+		OldRoot:       "@{run}/systemd/mount-rootfs/",
+		NewRoot:       "/newroot",
+		TargetProfile: "brwap",
+	}
+	pivotroot3 = &PivotRoot{
+		NewRoot: "/newroot",
+	}
+
 	// Change Profile
-	changeprofile1 = &ChangeProfile{ExecMode: "Px", Exec: "/bin/bash", ProfileName: "brwap//default"}
-	changeprofile2 = &ChangeProfile{ExecMode: "Px", Exec: "/bin/bash", ProfileName: "brwap"}
-	changeprofile3 = &ChangeProfile{ExecMode: "safe", Exec: "/bin/foo", ProfileName: "brwap//default"}
+	changeprofile1LogStr = `apparmor="ALLOWED" operation="change_onexec" class="file" profile="systemd" name="systemd-user"  comm="(systemd)" target="systemd-user"`
+	changeprofile1Log    = map[string]string{
+		"apparmor":  "ALLOWED",
+		"class":     "file",
+		"profile":   "systemd",
+		"operation": "change_onexec",
+		"comm":      "(systemd)",
+		"name":      "systemd-user",
+		"target":    "systemd-user",
+	}
+	changeprofile1 = &ChangeProfile{ProfileName: "systemd-user"}
+	changeprofile2 = &ChangeProfile{ProfileName: "brwap"}
+	changeprofile3 = &ChangeProfile{ExecMode: "safe", Exec: "/bin/bash", ProfileName: "brwap//default"}

 	// Signal
 	signal1Log = map[string]string{
--- a/pkg/aa/pivot_root.go
+++ b/pkg/aa/pivot_root.go
@ -14,9 +14,9 @@ type PivotRoot struct {
 func PivotRootFromLog(log map[string]string) ApparmorRule {
 	return &PivotRoot{
 		Qualifier:     NewQualifierFromLog(log),
-		OldRoot:       log["oldroot"],
-		NewRoot:       log["root"],
-		TargetProfile: log["name"],
+		OldRoot:       log["srcname"],
+		NewRoot:       log["name"],
+		TargetProfile: "",
 	}
 }

--- a/pkg/aa/rules_test.go
+++ b/pkg/aa/rules_test.go
@ -34,6 +34,18 @@ func TestRule_FromLog(t *testing.T) {
 			log:     mount1Log,
 			want:    mount1,
 		},
+		{
+			name:    "pivotroot",
+			fromLog: PivotRootFromLog,
+			log:     pivotroot1Log,
+			want:    pivotroot1,
+		},
+		{
+			name:    "changeprofile",
+			fromLog: ChangeProfileFromLog,
+			log:     changeprofile1Log,
+			want:    changeprofile1,
+		},
 		{
 			name:    "signal",
 			fromLog: SignalFromLog,
@ -141,6 +153,18 @@ func TestRule_Less(t *testing.T) {
 			other: mount2,
 			want:  false,
 		},
+		{
+			name:  "pivot_root1",
+			rule:  pivotroot2,
+			other: pivotroot1,
+			want:  true,
+		},
+		{
+			name:  "pivot_root2",
+			rule:  pivotroot1,
+			other: pivotroot3,
+			want:  false,
+		},
 		{
 			name:  "change_profile1",
 			rule:  changeprofile1,
@ -273,6 +297,12 @@ func TestRule_Equals(t *testing.T) {
 			other: mount1,
 			want:  true,
 		},
+		{
+			name:  "pivot_root",
+			rule:  pivotroot1,
+			other: pivotroot2,
+			want:  false,
+		},
 		{
 			name:  "change_profile",
 			rule:  changeprofile1,
--- a/pkg/aa/templates/profile.j2
+++ b/pkg/aa/templates/profile.j2
@ -129,6 +129,38 @@
        {{- template "comment" . -}}
    {{- end -}}

+    {{- if eq $type "PivotRoot" -}}
+        {{- template "qualifier" . -}}
+        {{- "pivot_root" -}}
+        {{- with .OldRoot -}}
+            {{ " oldroot=" }}{{ . }}
+        {{- end -}}
+        {{- with .NewRoot -}}
+            {{ " " }}{{ . }}
+        {{- end -}}
+        {{- with .TargetProfile -}}
+            {{ " -> " }}{{ . }}
+        {{- end -}}
+        {{- "," -}}
+        {{- template "comment" . -}}
+    {{- end -}}
+
+    {{- if eq $type "ChangeProfile" -}}
+        {{- template "qualifier" . -}}
+        {{- "change_profile" -}}
+        {{- with .ExecMode -}}
+            {{ " " }}{{ . }}
+        {{- end -}}
+        {{- with .Exec -}}
+            {{ " " }}{{ . }}
+        {{- end -}}
+        {{- with .ProfileName -}}
+            {{ " -> " }}{{ . }}
+        {{- end -}}
+        {{- "," -}}
+        {{- template "comment" . -}}
+    {{- end -}}
+
    {{- if eq $type "Unix" -}}
        {{- template "qualifier" . -}}
        {{- "unix" -}}