apparmor/utils/aa-unconfined

#! /usr/bin/env python
# ----------------------------------------------------------------------
#    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License as published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
# ----------------------------------------------------------------------
import argparse
import os
import re
import sys

import apparmor.aa as aa
import apparmor.ui as ui
import apparmor.common

# setup module translations
from apparmor.translations import init_translation
_ = init_translation()

parser = argparse.ArgumentParser(description=_("Lists unconfined processes having tcp or udp ports"))
parser.add_argument("--paranoid", action="store_true", help=_("scan all processes from /proc"))
args = parser.parse_args()

paranoid = args.paranoid

aa_mountpoint = aa.check_for_apparmor()
if not aa_mountpoint:
    raise aa.AppArmorException(_("It seems AppArmor was not started. Please enable AppArmor and try again."))

pids = []
if paranoid:
    pids = list(filter(lambda x: re.search(r"^\d+$", x), aa.get_subdirectories("/proc")))
else:
    regex_tcp_udp = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)")
    import subprocess
    if sys.version_info < (3, 0):
        output = subprocess.check_output("LANG=C netstat -nlp", shell=True).split("\n")
    else:
        #Python3 needs to translate a stream of bytes to string with specified encoding
        output = str(subprocess.check_output("LANG=C netstat -nlp", shell=True), encoding='utf8').split("\n")

    for line in output:
        match = regex_tcp_udp.search(line)
        if match:
            pids.append(match.groups()[4])
# We can safely remove duplicate pid's?
pids = list(map(int, set(pids)))

for pid in sorted(pids):
    try:
        prog = os.readlink("/proc/%s/exe"%pid)
    except OSError:
        continue
    attr = None
    if os.path.exists("/proc/%s/attr/current"%pid):
        with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
            for line in current:
                if line.startswith("/") or line.startswith("null"):
                    attr = line.strip()

    cmdline = apparmor.common.cmd(["cat", "/proc/%s/cmdline"%pid])[1]
    pname = cmdline.split("\0")[0]
    if '/' in pname and pname != prog:
        pname = "(%s)"% pname
    else:
        pname = ""
    regex_interpreter = re.compile(r"^(/usr)?/bin/(python|perl|bash|dash|sh)$")
    if not attr:
        if regex_interpreter.search(prog):
            cmdline = re.sub(r"\x00", " ", cmdline)
            cmdline = re.sub(r"\s+$", "", cmdline).strip()

            ui.UI_Info(_("%s %s (%s) not confined")%(pid, prog, cmdline))
        else:
            if pname and pname[-1] == ')':
                pname += ' '
            ui.UI_Info(_("%s %s %snot confined")%(pid, prog, pname))
    else:
        if regex_interpreter.search(prog):
            cmdline = re.sub(r"\0", " ", cmdline)
            cmdline = re.sub(r"\s+$", "", cmdline).strip()
            ui.UI_Info(_("%s %s (%s) confined by '%s'")%(pid, prog, cmdline, attr))
        else:
            if pname and pname[-1] == ')':
                pname += ' '
            ui.UI_Info(_("%s %s %sconfined by '%s'")%(pid, prog, pname, attr))
utils/aa-*: adjust python shebang lines to ease rewriting to an alternate python if installed via the python-tools-setup.py script. 2014-02-14 14:42:19 -08:00			`#! /usr/bin/env python`
Added license headers 2013-09-28 20:43:06 +05:30			`# ----------------------------------------------------------------------`
			`# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License as published by the Free Software Foundation.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# ----------------------------------------------------------------------`
Merged aa-audit, aa-autodep, aa-complain, aa-disable, aa-enforce to share the common code into a tools.py module. Added -r/--remove feature to aa-complain, aa-enforce, aa-audit and -r/--revert feature to aa-disable. Some other fixes from review 48..51 2013-08-26 00:23:59 +05:30			`import argparse`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`import os`
			`import re`
Fixes the TypeError associated with Python3 in calling netstat in aa-unconfined 2013-09-26 18:41:41 +05:30			`import sys`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
Fix module import errors, remove extraneous newlines AttributeError: 'module' object has no attribute 'UI_Info' AttributeError: 'module' object has no attribute 'open_file_read' AttributeError: 'module' object has no attribute 'check_for_apparmor' Signed-off-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2014-02-27 14:53:25 -08:00			`import apparmor.aa as aa`
			`import apparmor.ui as ui`
			`import apparmor.common`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
Convert to using python's modular translations interface. This allows the utility python modules to be used inside another tool with another textdomain binding and still have the translations for that tool and the stuff internal to the apparmor module convert properly. 2014-02-10 22:15:05 -08:00			`# setup module translations`
Simplify the work tools and modules need to do to get the shared translations. External utilities can still use their own textdomains if they have strings that are not part of the apparmor-utils catalog. 2014-02-11 16:23:21 -08:00			`from apparmor.translations import init_translation`
			`_ = init_translation()`
Convert to using python's modular translations interface. This allows the utility python modules to be used inside another tool with another textdomain binding and still have the translations for that tool and the stuff internal to the apparmor module convert properly. 2014-02-10 22:15:05 -08:00
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`parser = argparse.ArgumentParser(description=_("Lists unconfined processes having tcp or udp ports"))`
			`parser.add_argument("--paranoid", action="store_true", help=_("scan all processes from /proc"))`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`args = parser.parse_args()`

			`paranoid = args.paranoid`

Fix module import errors, remove extraneous newlines AttributeError: 'module' object has no attribute 'UI_Info' AttributeError: 'module' object has no attribute 'open_file_read' AttributeError: 'module' object has no attribute 'check_for_apparmor' Signed-off-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2014-02-27 14:53:25 -08:00			`aa_mountpoint = aa.check_for_apparmor()`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`if not aa_mountpoint:`
Fix module import errors, remove extraneous newlines AttributeError: 'module' object has no attribute 'UI_Info' AttributeError: 'module' object has no attribute 'open_file_read' AttributeError: 'module' object has no attribute 'check_for_apparmor' Signed-off-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2014-02-27 14:53:25 -08:00			`raise aa.AppArmorException(_("It seems AppArmor was not started. Please enable AppArmor and try again."))`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
			`pids = []`
			`if paranoid:`
Fix module import errors, remove extraneous newlines AttributeError: 'module' object has no attribute 'UI_Info' AttributeError: 'module' object has no attribute 'open_file_read' AttributeError: 'module' object has no attribute 'check_for_apparmor' Signed-off-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2014-02-27 14:53:25 -08:00			`pids = list(filter(lambda x: re.search(r"^\d+$", x), aa.get_subdirectories("/proc")))`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`else:`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`regex_tcp_udp = re.compile(r"^(tcp\|udp)\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*\|\d+)\s+(LISTEN\|\s+)\s+(\d+)\/(\S+)")`
rev 63-64, fixes man pages, messages 2013-09-20 19:20:41 +05:30			`import subprocess`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`if sys.version_info < (3, 0):`
			`output = subprocess.check_output("LANG=C netstat -nlp", shell=True).split("\n")`
Fixes the TypeError associated with Python3 in calling netstat in aa-unconfined 2013-09-26 18:41:41 +05:30			`else:`
			`#Python3 needs to translate a stream of bytes to string with specified encoding`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`output = str(subprocess.check_output("LANG=C netstat -nlp", shell=True), encoding='utf8').split("\n")`
Only ran sed -i s/ // in ./apparmor/.py , ./Tools/aa* and ./Testing/*.py no other changes, should ignore this commit unless it broke something 2013-09-22 22:51:30 +05:30
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`for line in output:`
			`match = regex_tcp_udp.search(line)`
			`if match:`
			`pids.append(match.groups()[4])`
			`# We can safely remove duplicate pid's?`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`pids = list(map(int, set(pids)))`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
			`for pid in sorted(pids):`
			`try:`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`prog = os.readlink("/proc/%s/exe"%pid)`
Fixed some variable name conflicts, moved some code to methods from functions. Fixes the bug in custom logfile name. 2013-12-29 15:12:30 +05:30			`except OSError:`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`continue`
			`attr = None`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`if os.path.exists("/proc/%s/attr/current"%pid):`
Fix module import errors, remove extraneous newlines AttributeError: 'module' object has no attribute 'UI_Info' AttributeError: 'module' object has no attribute 'open_file_read' AttributeError: 'module' object has no attribute 'check_for_apparmor' Signed-off-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2014-02-27 14:53:25 -08:00			`with aa.open_file_read("/proc/%s/attr/current"%pid) as current:`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`for line in current:`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`if line.startswith("/") or line.startswith("null"):`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`attr = line.strip()`
Only ran sed -i s/ // in ./apparmor/.py , ./Tools/aa* and ./Testing/*.py no other changes, should ignore this commit unless it broke something 2013-09-22 22:51:30 +05:30
Fix module import errors, remove extraneous newlines AttributeError: 'module' object has no attribute 'UI_Info' AttributeError: 'module' object has no attribute 'open_file_read' AttributeError: 'module' object has no attribute 'check_for_apparmor' Signed-off-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2014-02-27 14:53:25 -08:00			`cmdline = apparmor.common.cmd(["cat", "/proc/%s/cmdline"%pid])[1]`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`pname = cmdline.split("\0")[0]`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`if '/' in pname and pname != prog:`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`pname = "(%s)"% pname`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`else:`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`pname = ""`
			`regex_interpreter = re.compile(r"^(/usr)?/bin/(python\|perl\|bash\|dash\|sh)$")`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`if not attr:`
Fixes from review 52-53, merging cleanprof into apparmor/tools.py corrected enforce() and complain() to create/remove symlinks to force-complain/disable subdirs. Wrote some tests for globbing methods, segregated glob-path and glob-path-with-extension into methods in aa.py 2013-08-30 03:54:31 +05:30			`if regex_interpreter.search(prog):`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`cmdline = re.sub(r"\x00", " ", cmdline)`
			`cmdline = re.sub(r"\s+$", "", cmdline).strip()`
Fixes from review 52-53, merging cleanprof into apparmor/tools.py corrected enforce() and complain() to create/remove symlinks to force-complain/disable subdirs. Wrote some tests for globbing methods, segregated glob-path and glob-path-with-extension into methods in aa.py 2013-08-30 03:54:31 +05:30
Fix module import errors, remove extraneous newlines AttributeError: 'module' object has no attribute 'UI_Info' AttributeError: 'module' object has no attribute 'open_file_read' AttributeError: 'module' object has no attribute 'check_for_apparmor' Signed-off-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2014-02-27 14:53:25 -08:00			`ui.UI_Info(_("%s %s (%s) not confined")%(pid, prog, cmdline))`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`else:`
			`if pname and pname[-1] == ')':`
			`pname += ' '`
Fix module import errors, remove extraneous newlines AttributeError: 'module' object has no attribute 'UI_Info' AttributeError: 'module' object has no attribute 'open_file_read' AttributeError: 'module' object has no attribute 'check_for_apparmor' Signed-off-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2014-02-27 14:53:25 -08:00			`ui.UI_Info(_("%s %s %snot confined")%(pid, prog, pname))`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`else:`
Fixes from review 52-53, merging cleanprof into apparmor/tools.py corrected enforce() and complain() to create/remove symlinks to force-complain/disable subdirs. Wrote some tests for globbing methods, segregated glob-path and glob-path-with-extension into methods in aa.py 2013-08-30 03:54:31 +05:30			`if regex_interpreter.search(prog):`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30			`cmdline = re.sub(r"\0", " ", cmdline)`
			`cmdline = re.sub(r"\s+$", "", cmdline).strip()`
Fix module import errors, remove extraneous newlines AttributeError: 'module' object has no attribute 'UI_Info' AttributeError: 'module' object has no attribute 'open_file_read' AttributeError: 'module' object has no attribute 'check_for_apparmor' Signed-off-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2014-02-27 14:53:25 -08:00			`ui.UI_Info(_("%s %s (%s) confined by '%s'")%(pid, prog, cmdline, attr))`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`else:`
			`if pname and pname[-1] == ')':`
			`pname += ' '`
Fix module import errors, remove extraneous newlines AttributeError: 'module' object has no attribute 'UI_Info' AttributeError: 'module' object has no attribute 'open_file_read' AttributeError: 'module' object has no attribute 'check_for_apparmor' Signed-off-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2014-02-27 14:53:25 -08:00			`ui.UI_Info(_("%s %s %sconfined by '%s'")%(pid, prog, pname, attr))`