apparmor/utils/aa-genprof

#! /usr/bin/env python
# ----------------------------------------------------------------------
#    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License as published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
# ----------------------------------------------------------------------
import argparse
import atexit
import os
import re
import subprocess
import sys

import apparmor.aa as apparmor

# setup module translations
from apparmor.translations import init_translation
_ = init_translation()

def sysctl_read(path):
    value = None
    with open(path, 'r') as f_in:
        value = int(f_in.readline())
    return value

def sysctl_write(path, value):
    if not value:
        return
    with open(path, 'w') as f_out:
        f_out.write(str(value))

def last_audit_entry_time():
    out = subprocess.check_output(['tail', '-1', '/var/log/audit/audit.log'], shell=True)
    logmark = None
    if re.search('^*msg\=audit\((\d+\.\d+\:\d+).*\).*$', out):
        logmark = re.search('^*msg\=audit\((\d+\.\d+\:\d+).*\).*$', out).groups()[0]
    else:
        logmark = ''
    return logmark

def restore_ratelimit():
    sysctl_write(ratelimit_sysctl, ratelimit_saved)

parser = argparse.ArgumentParser(description=_('Generate profile for the given program'))
parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
parser.add_argument('-f', '--file', type=str, help=_('path to logfile'))
parser.add_argument('program', type=str, help=_('name of program to profile'))
args = parser.parse_args()

profiling = args.program
profiledir = args.dir
filename = args.file


if filename:
    if not os.path.isfile(filename):
        raise apparmor.AppArmorException(_('The logfile %s does not exist. Please check the path') % filename)
    else:
        apparmor.filename = filename

aa_mountpoint = apparmor.check_for_apparmor()
if not aa_mountpoint:
    raise apparmor.AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))

if profiledir:
    apparmor.profile_dir = apparmor.get_full_path(profiledir)
    if not os.path.isdir(apparmor.profile_dir):
        raise apparmor.AppArmorException(_("%s is not a directory.") %profiledir)

program = None
#if os.path.exists(apparmor.which(profiling.strip())):
if os.path.exists(profiling):
    program = apparmor.get_full_path(profiling)
else:
    if '/' not in profiling:
        which = apparmor.which(profiling)
        if which:
            program = apparmor.get_full_path(which)

if not program or not os.path.exists(program):
    if '/' not in profiling:
        raise apparmor.AppArmorException(_("Can't find %s in the system path list. If the name of the application\nis correct, please run 'which %s' as a user with correct PATH\nenvironment set up in order to find the fully-qualified path and\nuse the full path as parameter.") %(profiling, profiling))
    else:
        raise apparmor.AppArmorException(_('%s does not exists, please double-check the path.') %profiling)

# Check if the program has been marked as not allowed to have a profile
apparmor.check_qualifiers(program)

apparmor.loadincludes()

profile_filename = apparmor.get_profile_filename(program)
if os.path.exists(profile_filename):
    apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
else:
    apparmor.autodep(program)
    apparmor.helpers[program] = 'enforce'

if apparmor.helpers[program] == 'enforce':
    apparmor.complain(program)
    apparmor.reload(program)

# When reading from syslog, it is possible to hit the default kernel
# printk ratelimit. This will result in audit entries getting skipped,
# making profile generation inaccurate. When using genprof, disable
# the printk ratelimit, and restore it on exit.
ratelimit_sysctl = '/proc/sys/kernel/printk_ratelimit'
ratelimit_saved = sysctl_read(ratelimit_sysctl)
sysctl_write(ratelimit_sysctl, 0)

atexit.register(restore_ratelimit)

apparmor.UI_Info(_('\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:')+'\nhttp://wiki.apparmor.net/index.php/Profiles')

apparmor.UI_Important(_('Please start the application to be profiled in\nanother window and exercise its functionality now.\n\nOnce completed, select the "Scan" option below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied.'))

syslog = True
logmark = ''
done_profiling = False

if os.path.exists('/var/log/audit/audit.log'):
    syslog = False

passno = 0
while not done_profiling:
    if syslog:
        logmark = subprocess.check_output(['date | md5sum'], shell=True)
        logmark = logmark.decode('ascii').strip()
        logmark = re.search('^([0-9a-f]+)', logmark).groups()[0]
        t=subprocess.call("%s -p kern.warn 'GenProf: %s'"%(apparmor.logger, logmark), shell=True)

    else:
        logmark = last_audit_entry_time()

    q=apparmor.hasher()
    q['headers'] = [_('Profiling'), program]
    q['functions'] = ['CMD_SCAN', 'CMD_FINISHED']
    q['default'] = 'CMD_SCAN'
    ans, arg = apparmor.UI_PromptUser(q, 'noexit')

    if ans == 'CMD_SCAN':
        lp_ret = apparmor.do_logprof_pass(logmark, passno)
        passno += 1
        if lp_ret == 'FINISHED':
            done_profiling = True
    else:
        done_profiling = True

for p in sorted(apparmor.helpers.keys()):
    if apparmor.helpers[p] == 'enforce':
        apparmor.enforce(p)
        apparmor.reload(p)

apparmor.UI_Info(_('\nReloaded AppArmor profiles in enforce mode.'))
apparmor.UI_Info(_('\nPlease consider contributing your new profile!\nSee the following wiki page for more information:')+'\nhttp://wiki.apparmor.net/index.php/Profiles\n')
apparmor.UI_Info(_('Finished generating profile for %s.')%program)
sys.exit(0)
utils/aa-*: adjust python shebang lines to ease rewriting to an alternate python if installed via the python-tools-setup.py script. 2014-02-14 14:42:19 -08:00			`#! /usr/bin/env python`
Added license headers 2013-09-28 20:43:06 +05:30			`# ----------------------------------------------------------------------`
			`# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License as published by the Free Software Foundation.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# ----------------------------------------------------------------------`
Merged aa-audit, aa-autodep, aa-complain, aa-disable, aa-enforce to share the common code into a tools.py module. Added -r/--remove feature to aa-complain, aa-enforce, aa-audit and -r/--revert feature to aa-disable. Some other fixes from review 48..51 2013-08-26 00:23:59 +05:30			`import argparse`
			`import atexit`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`import os`
			`import re`
Merged aa-audit, aa-autodep, aa-complain, aa-disable, aa-enforce to share the common code into a tools.py module. Added -r/--remove feature to aa-complain, aa-enforce, aa-audit and -r/--revert feature to aa-disable. Some other fixes from review 48..51 2013-08-26 00:23:59 +05:30			`import subprocess`
			`import sys`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
			`import apparmor.aa as apparmor`

Convert to using python's modular translations interface. This allows the utility python modules to be used inside another tool with another textdomain binding and still have the translations for that tool and the stuff internal to the apparmor module convert properly. 2014-02-10 22:15:05 -08:00			`# setup module translations`
Simplify the work tools and modules need to do to get the shared translations. External utilities can still use their own textdomains if they have strings that are not part of the apparmor-utils catalog. 2014-02-11 16:23:21 -08:00			`from apparmor.translations import init_translation`
			`_ = init_translation()`
Convert to using python's modular translations interface. This allows the utility python modules to be used inside another tool with another textdomain binding and still have the translations for that tool and the stuff internal to the apparmor module convert properly. 2014-02-10 22:15:05 -08:00
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`def sysctl_read(path):`
			`value = None`
			`with open(path, 'r') as f_in:`
			`value = int(f_in.readline())`
			`return value`

			`def sysctl_write(path, value):`
			`if not value:`
			`return`
			`with open(path, 'w') as f_out:`
			`f_out.write(str(value))`

			`def last_audit_entry_time():`
			`out = subprocess.check_output(['tail', '-1', '/var/log/audit/audit.log'], shell=True)`
			`logmark = None`
			`if re.search('^msg\=audit\((\d+\.\d+\:\d+).\).*$', out):`
			`logmark = re.search('^msg\=audit\((\d+\.\d+\:\d+).\).*$', out).groups()[0]`
			`else:`
			`logmark = ''`
			`return logmark`

			`def restore_ratelimit():`
			`sysctl_write(ratelimit_sysctl, ratelimit_saved)`

Added help messages to translate strings and a few other minor fixes 2013-09-22 15:25:20 +05:30			`parser = argparse.ArgumentParser(description=_('Generate profile for the given program'))`
			`parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))`
			`parser.add_argument('-f', '--file', type=str, help=_('path to logfile'))`
			`parser.add_argument('program', type=str, help=_('name of program to profile'))`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`args = parser.parse_args()`

			`profiling = args.program`
rev 63-64, fixes man pages, messages 2013-09-20 19:20:41 +05:30			`profiledir = args.dir`
			`filename = args.file`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30
Fixed some variable name conflicts, moved some code to methods from functions. Fixes the bug in custom logfile name. 2013-12-29 15:12:30 +05:30			`if filename:`
			`if not os.path.isfile(filename):`
			`raise apparmor.AppArmorException(_('The logfile %s does not exist. Please check the path') % filename)`
			`else:`
			`apparmor.filename = filename`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`aa_mountpoint = apparmor.check_for_apparmor()`
			`if not aa_mountpoint:`
Merged aa-audit, aa-autodep, aa-complain, aa-disable, aa-enforce to share the common code into a tools.py module. Added -r/--remove feature to aa-complain, aa-enforce, aa-audit and -r/--revert feature to aa-disable. Some other fixes from review 48..51 2013-08-26 00:23:59 +05:30			`raise apparmor.AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
			`if profiledir:`
			`apparmor.profile_dir = apparmor.get_full_path(profiledir)`
			`if not os.path.isdir(apparmor.profile_dir):`
rev 63-64, fixes man pages, messages 2013-09-20 19:20:41 +05:30			`raise apparmor.AppArmorException(_("%s is not a directory.") %profiledir)`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
			`program = None`
			`#if os.path.exists(apparmor.which(profiling.strip())):`
			`if os.path.exists(profiling):`
			`program = apparmor.get_full_path(profiling)`
			`else:`
			`if '/' not in profiling:`
			`which = apparmor.which(profiling)`
			`if which:`
			`program = apparmor.get_full_path(which)`

			`if not program or not os.path.exists(program):`
			`if '/' not in profiling:`
rev 63-64, fixes man pages, messages 2013-09-20 19:20:41 +05:30			`raise apparmor.AppArmorException(_("Can't find %s in the system path list. If the name of the application\nis correct, please run 'which %s' as a user with correct PATH\nenvironment set up in order to find the fully-qualified path and\nuse the full path as parameter.") %(profiling, profiling))`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`else:`
			`raise apparmor.AppArmorException(_('%s does not exists, please double-check the path.') %profiling)`

			`# Check if the program has been marked as not allowed to have a profile`
			`apparmor.check_qualifiers(program)`

			`apparmor.loadincludes()`

			`profile_filename = apparmor.get_profile_filename(program)`
			`if os.path.exists(profile_filename):`
2013-09-23 21:00:36 +05:30			`apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`else:`
			`apparmor.autodep(program)`
			`apparmor.helpers[program] = 'enforce'`

			`if apparmor.helpers[program] == 'enforce':`
			`apparmor.complain(program)`
			`apparmor.reload(program)`

			`# When reading from syslog, it is possible to hit the default kernel`
			`# printk ratelimit. This will result in audit entries getting skipped,`
			`# making profile generation inaccurate. When using genprof, disable`
			`# the printk ratelimit, and restore it on exit.`
			`ratelimit_sysctl = '/proc/sys/kernel/printk_ratelimit'`
			`ratelimit_saved = sysctl_read(ratelimit_sysctl)`
			`sysctl_write(ratelimit_sysctl, 0)`

			`atexit.register(restore_ratelimit)`

rev 63-64, fixes man pages, messages 2013-09-20 19:20:41 +05:30			`apparmor.UI_Info(_('\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:')+'\nhttp://wiki.apparmor.net/index.php/Profiles')`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
			`apparmor.UI_Important(_('Please start the application to be profiled in\nanother window and exercise its functionality now.\n\nOnce completed, select the "Scan" option below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied.'))`

			`syslog = True`
			`logmark = ''`
			`done_profiling = False`

			`if os.path.exists('/var/log/audit/audit.log'):`
			`syslog = False`

			`passno = 0`
			`while not done_profiling:`
			`if syslog:`
			`logmark = subprocess.check_output(['date \| md5sum'], shell=True)`
			`logmark = logmark.decode('ascii').strip()`
			`logmark = re.search('^([0-9a-f]+)', logmark).groups()[0]`
			`t=subprocess.call("%s -p kern.warn 'GenProf: %s'"%(apparmor.logger, logmark), shell=True)`

			`else:`
			`logmark = last_audit_entry_time()`
Only ran sed -i s/ // in ./apparmor/.py , ./Tools/aa* and ./Testing/*.py no other changes, should ignore this commit unless it broke something 2013-09-22 22:51:30 +05:30
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`q=apparmor.hasher()`
			`q['headers'] = [_('Profiling'), program]`
			`q['functions'] = ['CMD_SCAN', 'CMD_FINISHED']`
			`q['default'] = 'CMD_SCAN'`
			`ans, arg = apparmor.UI_PromptUser(q, 'noexit')`
Only ran sed -i s/ // in ./apparmor/.py , ./Tools/aa* and ./Testing/*.py no other changes, should ignore this commit unless it broke something 2013-09-22 22:51:30 +05:30
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`if ans == 'CMD_SCAN':`
			`lp_ret = apparmor.do_logprof_pass(logmark, passno)`
			`passno += 1`
			`if lp_ret == 'FINISHED':`
			`done_profiling = True`
			`else:`
			`done_profiling = True`

			`for p in sorted(apparmor.helpers.keys()):`
			`if apparmor.helpers[p] == 'enforce':`
Fix up some more pyflakes issues with the tools 2014-02-13 08:20:59 -08:00			`apparmor.enforce(p)`
			`apparmor.reload(p)`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
			`apparmor.UI_Info(_('\nReloaded AppArmor profiles in enforce mode.'))`
rev 63-64, fixes man pages, messages 2013-09-20 19:20:41 +05:30			`apparmor.UI_Info(_('\nPlease consider contributing your new profile!\nSee the following wiki page for more information:')+'\nhttp://wiki.apparmor.net/index.php/Profiles\n')`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`apparmor.UI_Info(_('Finished generating profile for %s.')%program)`
			`sys.exit(0)`