feat(aa-log): ensure rule access is always present.

Alexandre Pujol 2024-02-29 00:19:26 +00:00
parent 45a6e0bf21
commit e3daaf3d4c
6 changed files with 25 additions and 38 deletions


@ -15,7 +15,7 @@ func FileFromLog(log map[string]string) ApparmorRule {
return &File{ return &File{
Qualifier: NewQualifierFromLog(log), Qualifier: NewQualifierFromLog(log),
Path: log["name"], Path: log["name"],
Access: maskToAccess[log["requested_mask"]], Access: toAccess(log["requested_mask"]),
Target: log["target"], Target: log["target"],
} }
} }


@ -23,7 +23,7 @@ func MqueueFromLog(log map[string]string) ApparmorRule {
} }
return &Mqueue{ return &Mqueue{
Qualifier: NewQualifierFromLog(log), Qualifier: NewQualifierFromLog(log),
Access: maskToAccess[log["requested"]], Access: toAccess(log["requested"]),
Type: mqueueType, Type: mqueueType,
Label: log["label"], Label: log["label"],
Name: log["name"], Name: log["name"],


@ -13,7 +13,7 @@ type Ptrace struct {
func PtraceFromLog(log map[string]string) ApparmorRule { func PtraceFromLog(log map[string]string) ApparmorRule {
return &Ptrace{ return &Ptrace{
Qualifier: NewQualifierFromLog(log), Qualifier: NewQualifierFromLog(log),
Access: maskToAccess[log["requested_mask"]], Access: toAccess(log["requested_mask"]),
Peer: log["peer"], Peer: log["peer"],
} }
} }


@ -14,7 +14,7 @@ type Signal struct {
func SignalFromLog(log map[string]string) ApparmorRule { func SignalFromLog(log map[string]string) ApparmorRule {
return &Signal{ return &Signal{
Qualifier: NewQualifierFromLog(log), Qualifier: NewQualifierFromLog(log),
Access: maskToAccess[log["requested_mask"]], Access: toAccess(log["requested_mask"]),
Set: log["signal"], Set: log["signal"],
Peer: log["peer"], Peer: log["peer"],
} }


@ -30,38 +30,18 @@ var (
tmplAppArmorProfile = generateTemplate() tmplAppArmorProfile = generateTemplate()
// convert apparmor requested mask to apparmor access mode // convert apparmor requested mask to apparmor access mode
// TODO: Should be a map of slice, not exhaustive yet requestedMaskToAccess = map[string]string{
maskToAccess = map[string]string{
"a": "w", "a": "w",
"ac": "w", "ac": "w",
"c": "w", "c": "w",
"create": "create",
"d": "w", "d": "w",
"delete": "delete",
"getattr": "getattr",
"k": "k",
"l": "l",
"m": "rm", "m": "rm",
"open": "open",
"r": "r",
"ra": "rw", "ra": "rw",
"read write": "read write",
"read": "read",
"readby": "readby",
"receive": "receive",
"rm": "rm",
"rw": "rw",
"send receive": "send receive",
"send": "send",
"setattr": "setattr",
"w": "w",
"wc": "w", "wc": "w",
"wd": "w", "wd": "w",
"wk": "wk",
"wr": "rw", "wr": "rw",
"wrc": "rw", "wrc": "rw",
"wrd": "rw", "wrd": "rw",
"write": "write",
"x": "rix", "x": "rix",
} }
@ -168,3 +148,10 @@ func getLetterIn(alphabet []string, in string) string {
} }
return "" return ""
} }
func toAccess(mask string) string {
if requestedMaskToAccess[mask] != "" {
return requestedMaskToAccess[mask]
}
return mask
}
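Review bot: `toAccess` has no doc comment and its fallback hands the log's `requested_mask` through unchanged, so a token with no table entry lands in the generated rule's access field exactly as it appeared in the log; that is evidently the commit's intent, but it should be written down, e.g. `// toAccess converts the requested mask of a log entry to the access mode written in rules; masks without a table entry are returned verbatim, so the table only needs entries whose access differs from the mask.` The map is also read twice; `if access, ok := requestedMaskToAccess[mask]; ok { return access }` does one lookup and makes the presence test explicit instead of relying on no entry mapping to the empty string. Since unknown masks previously produced an empty Access, any caller that tested for `""` to detect an unmapped mask can no longer do so; if the downstream profile parser is what rejects a malformed access string, a short note saying so would help the next reader.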


@ -20,7 +20,7 @@ type Unix struct {
func UnixFromLog(log map[string]string) ApparmorRule { func UnixFromLog(log map[string]string) ApparmorRule {
return &Unix{ return &Unix{
Qualifier: NewQualifierFromLog(log), Qualifier: NewQualifierFromLog(log),
Access: maskToAccess[log["requested_mask"]], Access: toAccess(log["requested_mask"]),
Type: log["sock_type"], Type: log["sock_type"],
Protocol: log["protocol"], Protocol: log["protocol"],
Address: log["addr"], Address: log["addr"],