From 3d0307a5a9731fb9598fe70c1b184d73bf03ba34 Mon Sep 17 00:00:00 2001 From: Kshitij Gupta Date: Thu, 19 Sep 2013 10:32:19 +0530 Subject: [PATCH] Added manpages for the tools, fixes from rev 59..62, some fixes from rev 58 --- Tools/aa-audit | 2 +- Tools/aa-autodep | 2 +- Tools/aa-cleanprof | 2 +- Tools/aa-complain | 2 +- Tools/aa-disable | 2 +- Tools/aa-enforce | 2 +- Tools/aa-genprof | 4 +- Tools/aa-logprof | 4 +- Tools/aa-mergeprof | 8 +- Tools/aa-unconfined | 4 +- Tools/manpages/aa-audit.pod | 39 +++++++ Tools/manpages/aa-autodep.pod | 66 ++++++++++++ Tools/manpages/aa-cleanprof.pod | 34 ++++++ Tools/manpages/aa-complain.pod | 61 +++++++++++ Tools/manpages/aa-disable.pod | 62 +++++++++++ Tools/manpages/aa-enforce.pod | 65 ++++++++++++ Tools/manpages/aa-genprof.pod | 92 +++++++++++++++++ Tools/manpages/aa-logprof.pod | 171 +++++++++++++++++++++++++++++++ Tools/manpages/aa-mergeprof.pod | 33 ++++++ Tools/manpages/aa-unconfined.pod | 64 ++++++++++++ apparmor/__init__.py | 7 +- apparmor/aa.py | 38 +++---- apparmor/ui.py | 2 +- 23 files changed, 718 insertions(+), 48 deletions(-) create mode 100644 Tools/manpages/aa-audit.pod create mode 100644 Tools/manpages/aa-autodep.pod create mode 100644 Tools/manpages/aa-cleanprof.pod create mode 100644 Tools/manpages/aa-complain.pod create mode 100644 Tools/manpages/aa-disable.pod create mode 100644 Tools/manpages/aa-enforce.pod create mode 100644 Tools/manpages/aa-genprof.pod create mode 100644 Tools/manpages/aa-logprof.pod create mode 100644 Tools/manpages/aa-mergeprof.pod create mode 100644 Tools/manpages/aa-unconfined.pod diff --git a/Tools/aa-audit b/Tools/aa-audit index 91961f109..67699906b 100644 --- a/Tools/aa-audit +++ b/Tools/aa-audit 
@@ -5,7 +5,7 @@ import argparse import apparmor.tools parser = argparse.ArgumentParser(description='Switch the given programs to audit mode') -parser.add_argument('-d', type=str, help='path to profiles') +parser.add_argument('-d', '--dir', type=str, help='path to profiles') parser.add_argument('-r', '--remove', action='store_true', help='remove audit mode') parser.add_argument('program', type=str, nargs='+', help='name of program') args = parser.parse_args() diff --git a/Tools/aa-autodep b/Tools/aa-autodep index 8c0d80baa..3677bf206 100644 --- a/Tools/aa-autodep +++ b/Tools/aa-autodep @@ -6,7 +6,7 @@ import apparmor.tools parser = argparse.ArgumentParser(description='') parser.add_argument('--force', type=str, help='override existing profile') -parser.add_argument('-d', type=str, help='path to profiles') +parser.add_argument('-d', '--dir', type=str, help='path to profiles') parser.add_argument('program', type=str, nargs='+', help='name of program') args = parser.parse_args() diff --git a/Tools/aa-cleanprof b/Tools/aa-cleanprof index 042f6cbc0..c75a1644e 100644 --- a/Tools/aa-cleanprof +++ b/Tools/aa-cleanprof @@ -5,7 +5,7 @@ import argparse import apparmor.tools parser = argparse.ArgumentParser(description='Cleanup the profiles for the given programs') -parser.add_argument('-d', type=str, help='path to profiles') +parser.add_argument('-d', '--dir', type=str, help='path to profiles') parser.add_argument('program', type=str, nargs='+', help='name of program') args = parser.parse_args() diff --git a/Tools/aa-complain b/Tools/aa-complain index 940d97874..08d7333c4 100644 --- a/Tools/aa-complain +++ b/Tools/aa-complain 
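Review bot: Adding the `--dir` long form changes the attribute argparse stores the value under: with only `-d` the destination was `args.d`, and argparse now derives it from the first long option, so it becomes `args.dir` (and `args.file` for the `-f`/`--file` change in aa-genprof and aa-logprof). The same applies to the `-d` hunks in aa-autodep, aa-cleanprof, aa-complain, aa-disable, aa-enforce, aa-genprof, aa-logprof and aa-mergeprof. The diffstat shows only these lines changing in each script and apparmor/tools.py untouched, so any remaining `args.d` or `args.f` reference below the hunk or in tools.py would raise AttributeError at run time; if those readers have not been updated, either update them to `args.dir`/`args.file` or add `dest='d'` to keep the old name. I cannot see the rest of these scripts, so this is worth confirming before merging.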
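Review bot: The aa-autodep manpage added in this commit documents `-f --force` as a flag, but the context line `parser.add_argument('--force', type=str, help='override existing profile')` still declares `--force` with `type=str` and no `-f` alias, so `aa-autodep -f prog` is rejected and `aa-autodep --force prog` consumes `prog` as the option's value instead of as the program. Declaring it as `parser.add_argument('-f', '--force', action='store_true', help='override existing profile')` matches the manpage; how `args.force` is consumed later in the script is outside the hunk and would need checking. The `description=''` on the line above is also still empty while this commit fills in aa-unconfined's, e.g. `description='Generate a minimal AppArmor profile for the given programs'`.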
@@ -5,7 +5,7 @@ import argparse import apparmor.tools parser = argparse.ArgumentParser(description='Switch the given program to complain mode') -parser.add_argument('-d', type=str, help='path to profiles') +parser.add_argument('-d', '--dir', type=str, help='path to profiles') parser.add_argument('-r', '--remove', action='store_true', help='remove complain mode') parser.add_argument('program', type=str, nargs='+', help='name of program') args = parser.parse_args() diff --git a/Tools/aa-disable b/Tools/aa-disable index c27cd71a5..ed111eb8f 100644 --- a/Tools/aa-disable +++ b/Tools/aa-disable @@ -5,7 +5,7 @@ import argparse import apparmor.tools parser = argparse.ArgumentParser(description='Disable the profile for the given programs') -parser.add_argument('-d', type=str, help='path to profiles') +parser.add_argument('-d', '--dir', type=str, help='path to profiles') parser.add_argument('-r', '--revert', action='store_true', help='enable the profile for the given programs') parser.add_argument('program', type=str, nargs='+', help='name of program') args = parser.parse_args() diff --git a/Tools/aa-enforce b/Tools/aa-enforce index a1a2f7976..c87dcd2b9 100644 --- a/Tools/aa-enforce +++ b/Tools/aa-enforce @@ -5,7 +5,7 @@ import argparse import apparmor.tools parser = argparse.ArgumentParser(description='Switch the given program to enforce mode') -parser.add_argument('-d', type=str, help='path to profiles') +parser.add_argument('-d', '--dir', type=str, help='path to profiles') parser.add_argument('-r', '--remove', action='store_true', help='switch to complain mode') parser.add_argument('program', type=str, nargs='+', help='name of program') args = parser.parse_args() diff --git a/Tools/aa-genprof b/Tools/aa-genprof index 577252354..0a573a4ef 100644 --- a/Tools/aa-genprof +++ b/Tools/aa-genprof 
@@ -34,8 +34,8 @@ def restore_ratelimit(): sysctl_write(ratelimit_sysctl, ratelimit_saved) parser = argparse.ArgumentParser(description='Generate profile for the given program') -parser.add_argument('-d', type=str, help='path to profiles') -parser.add_argument('-f', type=str, help='path to logfile') +parser.add_argument('-d', '--dir', type=str, help='path to profiles') +parser.add_argument('-f', '--file', type=str, help='path to logfile') parser.add_argument('program', type=str, help='name of program to profile') args = parser.parse_args() diff --git a/Tools/aa-logprof b/Tools/aa-logprof index 40251ab57..065cbe80c 100644 --- a/Tools/aa-logprof +++ b/Tools/aa-logprof @@ -6,8 +6,8 @@ import os import apparmor.aa as apparmor parser = argparse.ArgumentParser(description='Process log entries to generate profiles') -parser.add_argument('-d', type=str, help='path to profiles') -parser.add_argument('-f', type=str, help='path to logfile') +parser.add_argument('-d', '--dir', type=str, help='path to profiles') +parser.add_argument('-f', '--file', type=str, help='path to logfile') parser.add_argument('-m', type=str, help='mark in the log to start processing after') args = parser.parse_args() diff --git a/Tools/aa-mergeprof b/Tools/aa-mergeprof index 47dd61195..b23fd0258 100644 --- a/Tools/aa-mergeprof +++ b/Tools/aa-mergeprof 
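Review bot: The aa-logprof manpage added in this commit documents the mark option as `-m --logmark "mark"`, but the context line in the aa-logprof hunk still registers only `-m`, so `--logmark` is not accepted by the tool. Registering both forms as this commit does for `-d` and `-f`, `parser.add_argument('-m', '--logmark', type=str, help='mark in the log to start processing after')`, keeps tool and manpage in agreement. Note that argparse then stores the value as `args.logmark` rather than `args.m`, so the code that reads that attribute, which lies outside the hunk, has to change with it.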
@@ -2,16 +2,16 @@ import argparse import sys -import cleanprof import apparmor.aa as apparmor import apparmor.cleanprofile as cleanprofile + parser = argparse.ArgumentParser(description='Perform a 3way merge on the given profiles') ##parser.add_argument('profiles', type=str, nargs=3, help='MINE BASE OTHER') parser.add_argument('mine', type=str, help='Your profile') parser.add_argument('base', type=str, help='The base profile') parser.add_argument('other', type=str, help='Other profile') -parser.add_argument('-d', type=str, help='path to profiles') +parser.add_argument('-d', '--dir', type=str, help='path to profiles') parser.add_argument('-auto', action='store_true', help='Automatically merge profiles, exits incase of *x conflicts') args = parser.parse_args() @@ -513,6 +513,4 @@ class Merge(object): # # m3 = Merge3(base, a, b) # -# sys.stdout.write(m3.merge_annotated()) - - +# sys.stdout.write(m3.merge_annotated()) \ No newline at end of file diff --git a/Tools/aa-unconfined b/Tools/aa-unconfined index 8fb1f4a94..cc9159f6d 100644 --- a/Tools/aa-unconfined +++ b/Tools/aa-unconfined @@ -6,8 +6,8 @@ import re import apparmor.aa as apparmor -parser = argparse.ArgumentParser(description='') -parser.add_argument('--paranoid', action='store_true') +parser = argparse.ArgumentParser(description='Lists unconfined processes having tcp or udp ports') +parser.add_argument('--paranoid', action='store_true', help='scan all processes from /proc') args = parser.parse_args() paranoid = args.paranoid diff --git a/Tools/manpages/aa-audit.pod b/Tools/manpages/aa-audit.pod new file mode 100644 index 000000000..d429a1559 --- /dev/null +++ b/Tools/manpages/aa-audit.pod 
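Review bot: The `-auto` option on the context line below the changed `-d` line is a multi-character single-dash option, which argparse accepts but which breaks the `-x`/`--xxx` convention every other option in these tools follows, and the new aa-mergeprof manpage does not document it at all (its synopsis also names the positionals `mine user other` while the script registers `mine base other`). Declaring it as `parser.add_argument('-a', '--auto', action='store_true', help='Automatically merge profiles, exits in case of *x conflicts')` leaves `args.auto` unchanged and gives the manpage a conventional form to list; the help text's `incase` should read `in case` either way. The manpage's empty DESCRIPTION section should be filled in from the parser description on this line.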
@@ -0,0 +1,39 @@ +=pod + +=head1 NAME + +aa-audit - set a AppArmor security profile to I mode. + +=head1 SYNOPSIS + +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<-r>]> + +=head1 OPTIONS + +B<-d --dir /path/to/profiles> + + Specifies where to look for the AppArmor security profile set. + Defaults to /etc/apparmor.d. + +B<-r --remove> + + Removes the audit mode for the profile. + +=head1 DESCRIPTION + +B is used to set the audit mode for one or more profiles to audit. +In this mode security policy is enforced and all access (successes and failures) are logged to the system log. + +The I<--remove> option can be used to remove the audit mode for the profile. + +=head1 BUGS + +If you find any bugs, please report them at +L. + +=head1 SEE ALSO + +apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), aa-disable(1), +aa_change_hat(2), and L. + +=cut diff --git a/Tools/manpages/aa-autodep.pod b/Tools/manpages/aa-autodep.pod new file mode 100644 index 000000000..d9930729d --- /dev/null +++ b/Tools/manpages/aa-autodep.pod 
@@ -0,0 +1,66 @@ +# This publication is intellectual property of Novell Inc. and Canonical +# Ltd. Its contents can be duplicated, either in part or in whole, provided +# that a copyright label is visibly located on each copy. +# +# All information found in this book has been compiled with utmost +# attention to detail. However, this does not guarantee complete accuracy. +# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators +# shall be held liable for possible errors or the consequences thereof. +# +# Many of the software and hardware descriptions cited in this book +# are registered trademarks. All trade names are subject to copyright +# restrictions and may be registered trade marks. SUSE LINUX GmbH +# and Canonical Ltd. essentially adhere to the manufacturer's spelling. +# +# Names of products and trademarks appearing in this book (with or without +# specific notation) are likewise subject to trademark and trade protection +# laws and may thus fall under copyright restrictions. +# + + +=pod + +=head1 NAME + +aa-autodep - guess basic AppArmor profile requirements + +=head1 SYNOPSIS + +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<-f>]> + +=head1 OPTIONS + +B<-d --dir /path/to/profiles> + + Specifies where to look for the AppArmor security profile set. + Defaults to /etc/apparmor.d. + +B<-f --force> + + Overrides any existing AppArmor profile for the executable with the generated minimal AppArmor profile. + +=head1 DESCRIPTION + +B is used to generate a minimal AppArmor profile for a set of +executables. This program will generate a profile for binary executable +as well as interpreted script programs. At a minimum aa-autodep will provide +a base profile containing a base include directive which includes basic +profile entries needed by most programs. The profile is generated by +recursively calling ldd(1) on the executables listed on the command line. 
+ +The I<--force> option will override any existing profile for the executable with +the newly generated minimal AppArmor profile. + +=head1 BUGS + +This program does not perform full static analysis of executables, so +the profiles generated are necessarily incomplete. If you find any bugs, +please report them at +L. + +=head1 SEE ALSO + +apparmor(7), apparmor.d(5), aa-complain(1), aa-enforce(1), aa-disable(1), +aa_change_hat(2), and L. + +=cut diff --git a/Tools/manpages/aa-cleanprof.pod b/Tools/manpages/aa-cleanprof.pod new file mode 100644 index 000000000..88b5ea448 --- /dev/null +++ b/Tools/manpages/aa-cleanprof.pod @@ -0,0 +1,34 @@ +=pod + +=head1 NAME + +aa-cleanprof - clean an existing AppArmor security profile. + +=head1 SYNOPSIS + +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>]> + +=head1 OPTIONS + +B<-d --dir /path/to/profiles> + + Specifies where to look for the AppArmor security profile set. + Defaults to /etc/apparmor.d. + +=head1 DESCRIPTION + +B is used to perform a cleanup on one or more profiles. +The tool removes any existing superfluous rules, reorders the rules to group +similar rules together and removes all comments. + +=head1 BUGS + +If you find any bugs, please report them at +L. + +=head1 SEE ALSO + +apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), aa-disable(1), +aa_change_hat(2), and L. + +=cut diff --git a/Tools/manpages/aa-complain.pod b/Tools/manpages/aa-complain.pod new file mode 100644 index 000000000..e41dd886f --- /dev/null +++ b/Tools/manpages/aa-complain.pod 
@@ -0,0 +1,61 @@ +# This publication is intellectual property of Novell Inc. and Canonical +# Ltd. Its contents can be duplicated, either in part or in whole, provided +# that a copyright label is visibly located on each copy. +# +# All information found in this book has been compiled with utmost +# attention to detail. However, this does not guarantee complete accuracy. +# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators +# shall be held liable for possible errors or the consequences thereof. +# +# Many of the software and hardware descriptions cited in this book +# are registered trademarks. All trade names are subject to copyright +# restrictions and may be registered trade marks. SUSE LINUX GmbH +# and Canonical Ltd. essentially adhere to the manufacturer's spelling. +# +# Names of products and trademarks appearing in this book (with or without +# specific notation) are likewise subject to trademark and trade protection +# laws and may thus fall under copyright restrictions. +# + + +=pod + +=head1 NAME + +aa-complain - set a AppArmor security profile to I mode. + +=head1 SYNOPSIS + +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<-r>]> + +=head1 OPTIONS + +B<-d --dir /path/to/profiles> + + Specifies where to look for the AppArmor security profile set. + Defaults to /etc/apparmor.d. + +B<-r --remove> + + Removes the complain mode for the profile. + +=head1 DESCRIPTION + +B is used to set the enforcement mode for one or more profiles to +complain. In this mode security policy is not enforced but rather access +violations are logged to the system log. + +The I<--remove> option can be used to remove the complain mode for the profile, +setting it to enforce mode by default. + +=head1 BUGS + +If you find any bugs, please report them at +L. + +=head1 SEE ALSO + +apparmor(7), apparmor.d(5), aa-enforce(1), aa-disable(1), +aa_change_hat(2), and L. + +=cut 
diff --git a/Tools/manpages/aa-disable.pod b/Tools/manpages/aa-disable.pod new file mode 100644 index 000000000..7af82f847 --- /dev/null +++ b/Tools/manpages/aa-disable.pod 
@@ -0,0 +1,62 @@ +# This publication is intellectual property of Novell Inc. and Canonical +# Ltd. Its contents can be duplicated, either in part or in whole, provided +# that a copyright label is visibly located on each copy. +# +# All information found in this book has been compiled with utmost +# attention to detail. However, this does not guarantee complete accuracy. +# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators +# shall be held liable for possible errors or the consequences thereof. +# +# Many of the software and hardware descriptions cited in this book +# are registered trademarks. All trade names are subject to copyright +# restrictions and may be registered trade marks. SUSE LINUX GmbH +# and Canonical Ltd. essentially adhere to the manufacturer's spelling. +# +# Names of products and trademarks appearing in this book (with or without +# specific notation) are likewise subject to trademark and trade protection +# laws and may thus fall under copyright restrictions. +# + + +=pod + +=head1 NAME + +aa-disable - disable an AppArmor security profile + +=head1 SYNOPSIS + +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<-r>]> + +=head1 OPTIONS + +B<-d --dir /path/to/profiles> + + Specifies where to look for the AppArmor security profile set. + Defaults to /etc/apparmor.d. + +B<-r --revert> + + Enables the profile and loads it. + +=head1 DESCRIPTION + +B is used to disable the enforcement mode for one or more +profiles. This command will unload the profile from the kernel and +prevent the profile from being loaded on AppArmor startup. The +I and I utilities may be used to to change this +behavior. + +The I<--revert> option can be used to enable the profile. + +=head1 BUGS + +If you find any bugs, please report them at +L. + +=head1 SEE ALSO + +apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), +aa_change_hat(2), and L. + +=cut 
diff --git a/Tools/manpages/aa-enforce.pod b/Tools/manpages/aa-enforce.pod new file mode 100644 index 000000000..9577288f1 --- /dev/null +++ b/Tools/manpages/aa-enforce.pod 
@@ -0,0 +1,65 @@ +# This publication is intellectual property of Novell Inc. and Canonical +# Ltd. Its contents can be duplicated, either in part or in whole, provided +# that a copyright label is visibly located on each copy. +# +# All information found in this book has been compiled with utmost +# attention to detail. However, this does not guarantee complete accuracy. +# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators +# shall be held liable for possible errors or the consequences thereof. +# +# Many of the software and hardware descriptions cited in this book +# are registered trademarks. All trade names are subject to copyright +# restrictions and may be registered trade marks. SUSE LINUX GmbH +# and Canonical Ltd. essentially adhere to the manufacturer's spelling. +# +# Names of products and trademarks appearing in this book (with or without +# specific notation) are likewise subject to trademark and trade protection +# laws and may thus fall under copyright restrictions. +# + + +=pod + +=head1 NAME + +aa-enforce - set an AppArmor security profile to I mode from +being disabled or I mode. + +=head1 SYNOPSIS + +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<-r>]> + +=head1 OPTIONS + +B<-d --dir / path/to/profiles> + + Specifies where to look for the AppArmor security profile set. + Defaults to /etc/apparmor.d. + +B<-r --remove> + + Removes the enforce mode for the profile. + +=head1 DESCRIPTION + +B is used to set the enforcement mode for one or more profiles +to I. This command is only relevant in conjunction with the +I utility which sets a profile to complain mode and the +I utility which unloads and disables a profile. The default +mode for a security policy is enforce and the I utility must +be run to change this behavior. + +The I<--remove> option can be used to remove the enforce mode for the profile, +setting it to complain mode. + +=head1 BUGS + +If you find any bugs, please report them at +L. 
+ +=head1 SEE ALSO + +apparmor(7), apparmor.d(5), aa-complain(1), aa-disable(1), +aa_change_hat(2), and L. + +=cut diff --git a/Tools/manpages/aa-genprof.pod b/Tools/manpages/aa-genprof.pod new file mode 100644 index 000000000..d2f2e38fa --- /dev/null +++ b/Tools/manpages/aa-genprof.pod 
@@ -0,0 +1,92 @@ +# This publication is intellectual property of Novell Inc. and Canonical +# Ltd. Its contents can be duplicated, either in part or in whole, provided +# that a copyright label is visibly located on each copy. +# +# All information found in this book has been compiled with utmost +# attention to detail. However, this does not guarantee complete accuracy. +# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators +# shall be held liable for possible errors or the consequences thereof. +# +# Many of the software and hardware descriptions cited in this book +# are registered trademarks. All trade names are subject to copyright +# restrictions and may be registered trade marks. SUSE LINUX GmbH +# and Canonical Ltd. essentially adhere to the manufacturer's spelling. +# +# Names of products and trademarks appearing in this book (with or without +# specific notation) are likewise subject to trademark and trade protection +# laws and may thus fall under copyright restrictions. +# + + +=pod + +=head1 NAME + +aa-genprof - profile generation utility for AppArmor + +=head1 SYNOPSIS + +BexecutableE> [I<-d /path/to/profiles>] [I<-f /path/to/logfile>]> + +=head1 OPTIONS + +B<-d --dir /path/to/profiles> + + Specifies where to look for the AppArmor security profile set. + Defaults to /etc/apparmor.d. + +B<-f --file /path/to/logfile> + + Specifies the location of logfile. + Default locations are read from F. + Typical defaults are: + /var/log/audit/audit.log + /var/log/syslog + /var/log/messages + +=head1 DESCRIPTION + +When running aa-genprof, you must specify a program to profile. If the +specified program is not a fully-qualified path, aa-genprof will search $PATH +in order to find the program. + +If a profile does not exist for the program, aa-genprof will create one using +aa-autodep(1). 
+ +Genprof will then: + + - set the profile to complain mode + + - write a mark to the system log + + - instruct the user to start the application to + be profiled in another window and exercise its functionality + +It then presents the user with two options, (S)can system log for entries +to add to profile and (F)inish. + +If the user selects (S)can or hits return, aa-genprof will parse +the complain mode logs and iterate through generated violations +using aa-logprof(1). + +After the user finishes selecting profile entries based on violations +that were detected during the program execution, aa-genprof will reload +the updated profiles in complain mode and again prompt the user for (S)can and +(D)one. This cycle can then be repeated as necessary until all application +functionality has been exercised without generating access violations. + +When the user eventually hits (F)inish, aa-genprof will set the main profile, +and any other profiles that were generated, into enforce mode and exit. + +=head1 BUGS + +If you find any bugs, please report them at +L. + +=head1 SEE ALSO + +apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), aa-disable(1), +aa_change_hat(2), aa-logprof(1), logprof.conf(5), and +L. + +=cut diff --git a/Tools/manpages/aa-logprof.pod b/Tools/manpages/aa-logprof.pod new file mode 100644 index 000000000..a703a4061 --- /dev/null +++ b/Tools/manpages/aa-logprof.pod 
@@ -0,0 +1,171 @@ +# This publication is intellectual property of Novell Inc. and Canonical +# Ltd. Its contents can be duplicated, either in part or in whole, provided +# that a copyright label is visibly located on each copy. +# +# All information found in this book has been compiled with utmost +# attention to detail. However, this does not guarantee complete accuracy. +# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators +# shall be held liable for possible errors or the consequences thereof. +# +# Many of the software and hardware descriptions cited in this book +# are registered trademarks. All trade names are subject to copyright +# restrictions and may be registered trade marks. SUSE LINUX GmbH +# and Canonical Ltd. essentially adhere to the manufacturer's spelling. +# +# Names of products and trademarks appearing in this book (with or without +# specific notation) are likewise subject to trademark and trade protection +# laws and may thus fall under copyright restrictions. +# + + +=pod + +=head1 NAME + +aa-logprof - utility program for managing AppArmor security profiles + +=head1 SYNOPSIS + +B] [I<-f /path/to/logfile>] [I<-m Emark in logfileE>]> + +=head1 OPTIONS + +B<-d --dir /path/to/profiles> + + Specifies where to look for the AppArmor security profile set. + Defaults to /etc/apparmor.d. + +B<-f --file /path/to/logfile> + + Specifies the location of logfile that contains AppArmor security events. + Default locations are read from F. + Typical defaults are: + /var/log/audit/audit.log + /var/log/syslog + /var/log/messages + +B< -m --logmark "mark"> + + aa-logprof will ignore all events in the system log before the + specified mark is seen. If the mark contains spaces, it must + be surrounded with quotes to work correctly. + +=head1 DESCRIPTION + +B is an interactive tool used to review AppArmor's +complain mode output and generate new entries for AppArmor security +profiles. 
+ +Running aa-logprof will scan the log file and if there are new AppArmor +events that are not covered by the existing profile set, the user will +be prompted with suggested modifications to augment the profile. + +When aa-logprof exits profile changes are saved to disk. If AppArmor is +running, the updated profiles are reloaded and if any processes that +generated AppArmor events are still running in the null-complain-profile, +those processes are set to run under their proper profiles. + +=head2 Responding to AppArmor Events + +B will generate a list of suggested profile changes that +the user can choose from, or they can create their own, to modifiy the +permission set of the profile so that the generated access violation +will not re-occur. + +The user is then presented with info about the access including profile, +path, old mode if there was a previous entry in the profile for this path, +new mode, the suggestion list, and given these options: + + (A)llow, (D)eny, (N)ew, (G)lob last piece, (Q)uit + +If the AppArmor profile was in complain mode when the event was generated, +the default for this option is (A)llow, otherwise, it's (D)eny. + +The suggestion list is presented as a numbered list with includes +at the top, the literal path in the middle, and the suggested globs +at the bottom. If any globs are being suggested, the shortest glob +is the selected option, otherwise, the literal path is selected. +Picking includes from the list must be done manually. + +Hitting a numbered key will change the selected option to the +corresponding numbered entry in the list. + +If the user selects (N)ew, they'll be prompted to enter their own globbed +entry to match the path. If the user-entered glob does not match the +path for this event, they'll be informed and have the option to fix it. + +If the user selects (G)lob last piece then, taking the currently selected +option, aa-logprof will remove the last path element and replace it with /*. 
+ +If the last path element already was /*, aa-logprof will go up a directory +level and replace it with /**. + +This new globbed entry is then added to the suggestion list and marked +as the selected option. + +So /usr/share/themes/foo/bar/baz.gif can be turned into +/usr/share/themes/** by hitting "g" three times. + +If the user selects (A)llow, aa-logprof will take the current selection +and add it to the profile, deleting other entries in the profile that +are matched by the new entry. + +Adding r access to /usr/share/themes/** would delete an entry for r +access to /usr/share/themes/foo/*.gif if it exists in the profile. + +If (Q)uit is selected at this point, aa-logprof will ignore all new pending +capability and path accesses. + +After all of the path accesses have been handled, logrof will write all +updated profiles to the disk and reload them if AppArmor is running. + +=head2 New Process (Execution) Events + +If there are unhandled x accesses generated by the execve(2) of a +new process, aa-logprof will display the parent profile and the target +program that's being executed and prompt the user to select and execute +modifier. These modifiers will allow a choice for the target to: have it's +own profile (px), inherit the parent's profile (ix), run unconstrained +(ux), or deny access for the target. See apparmor.d(5) for details. + +If there is a corresponding entry for the target in the qualifiers +section of /etc/apparmor/logprof.conf, the presented list will contain only the +allowed modes. + +The default option for this question is selected using this logic-- + + # if px mode is allowed and profile exists for the target + # px is default. + # else if ix mode is allowed + # ix is default + # else + # deny is default + +aa-logprof will never suggest "ux" as the default. 
+ +=head2 ChangeHat Events + +If unknown aa_change_hat(2) events are found, the user is prompted to add a new +hat, if the events should go into the default hat for this profile based +on the corresponding entry in the defaulthat section of logprof.conf, +or if the following events that run under that hat should be denied +altogether. + +=head2 Capability Events + +If there are capability accesses, the user is shown each capability +access and asked if the capability should be allowed, denied, or if the +user wants to quit. See capability(7) for details. + +=head1 BUGS + +If you find any bugs, please report them at +L. + +=head1 SEE ALSO + +klogd(8), auditd(8), apparmor(7), apparmor.d(5), aa_change_hat(2), +logprof.conf(5), aa-genprof(1), aa-enforce(1), aa-complain(1), +aa-disable(1), and L. + +=cut diff --git a/Tools/manpages/aa-mergeprof.pod b/Tools/manpages/aa-mergeprof.pod new file mode 100644 index 000000000..63cef3c80 --- /dev/null +++ b/Tools/manpages/aa-mergeprof.pod @@ -0,0 +1,33 @@ +=pod + +=head1 NAME + +aa-mergeprof - merge AppArmor security profiles. + +=head1 SYNOPSIS + +BmineE> IuserE> IotherE> [I<-d /path/to/profiles>]> + +=head1 OPTIONS + +B<-d --dir /path/to/profiles> + + Specifies where to look for the AppArmor security profile set. + Defaults to /etc/apparmor.d. + +=head1 DESCRIPTION + +B + +=head1 BUGS + +If you find any bugs, please report them at +L. + +=head1 SEE ALSO + +apparmor(7), apparmor.d(5), aa_change_hat(2), aa-genprof(1), +aa-logprof(1), aa-enforce(1), aa-audit(1), aa-complain(1), +aa-disable(1), and L. + +=cut diff --git a/Tools/manpages/aa-unconfined.pod b/Tools/manpages/aa-unconfined.pod new file mode 100644 index 000000000..ca006056b --- /dev/null +++ b/Tools/manpages/aa-unconfined.pod 
@@ -0,0 +1,64 @@ +# This publication is intellectual property of Novell Inc. and Canonical +# Ltd. Its contents can be duplicated, either in part or in whole, provided +# that a copyright label is visibly located on each copy. +# +# All information found in this book has been compiled with utmost +# attention to detail. However, this does not guarantee complete accuracy. +# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators +# shall be held liable for possible errors or the consequences thereof. +# +# Many of the software and hardware descriptions cited in this book +# are registered trademarks. All trade names are subject to copyright +# restrictions and may be registered trade marks. SUSE LINUX GmbH +# and Canonical Ltd. essentially adhere to the manufacturer's spelling. +# +# Names of products and trademarks appearing in this book (with or without +# specific notation) are likewise subject to trademark and trade protection +# laws and may thus fall under copyright restrictions. +# + + +=pod + +=head1 NAME + +aa-unconfined - output a list of processes with tcp or udp ports that do +not have AppArmor profiles loaded + +=head1 SYNOPSIS + +B]> + +=head1 OPTIONS + +B<--paranoid> + + Displays all processes from F filesystem with tcp or udp ports that + do no have AppArmor profiles loaded. + +=head1 DESCRIPTION + +B will use netstat(8) to determine which processes have open +network sockets and do not have AppArmor profiles loaded into the kernel. + +=head1 BUGS + +B must be run as root to retrieve the process executable +link from the F filesystem. This program is susceptible to race +conditions of several flavours: an unlinked executable will be mishandled; +an executable started before a AppArmor profile is loaded will not +appear in the output, despite running without confinement; a process that dies +between the netstat(8) and further checks will be mishandled. This +program only lists processes using TCP and UDP. 
In short, this +program is unsuitable for forensics use and is provided only as an aid +to profiling all network-accessible processes in the lab. + +If you find any bugs, please report them at +L. + +=head1 SEE ALSO + +netstat(8), apparmor(7), apparmor.d(5), aa_change_hat(2), and +L. + +=cut diff --git a/apparmor/__init__.py b/apparmor/__init__.py index 78f0eab34..741b464e6 100644 --- a/apparmor/__init__.py +++ b/apparmor/__init__.py @@ -3,11 +3,8 @@ import locale def init_localisation(): locale.setlocale(locale.LC_ALL, '') - cur_locale = locale.getlocale() - filename = '' - #If a correct locale has been provided set filename else let a IOError be raised by '' path - if cur_locale[0]: - filename = '/usr/share/locale/%s/LC_MESSAGES/apparmor-utils.mo' % locale.getlocale()[0][0:2] + #If a correct locale has been provided set filename else let an IOError be raised + filename = '/usr/share/locale/%s/LC_MESSAGES/apparmor-utils.mo' % locale.getlocale()[0] try: trans = gettext.GNUTranslations(open(filename, 'rb')) except IOError: diff --git a/apparmor/aa.py b/apparmor/aa.py index d2bcc681e..39791c0ba 100644 --- a/apparmor/aa.py +++ b/apparmor/aa.py @@ -1515,8 +1515,8 @@ def ask_the_questions(): audit_toggle = 0 - q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW', - 'CMD_ABORT', 'CMD_FINISHED', 'CMD_IGNORE_ENTRY'] + q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW', + 'CMD_ABORT', 'CMD_FINISHED'] # In complain mode: events default to allow # In enforce mode: events default to deny 
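Review bot: The rewritten `filename` line in the apparmor/__init__.py hunk formats `locale.getlocale()[0]` straight into the path, and that element is `None` under the C/POSIX locale, so the path becomes `/usr/share/locale/None/LC_MESSAGES/apparmor-utils.mo` and the fallback is reached only because no such file exists; the removed `if cur_locale[0]:` guard made that intent explicit. Dropping the `[0:2]` slice also means a catalogue installed only under the language directory (`en` rather than `en_US`) is no longer found. `gettext.translation('apparmor-utils', '/usr/share/locale', fallback=True)` performs the standard lookup, including the language-only fallback, handles the unset-locale case without hand-building the path, and avoids the file object from `open(filename, 'rb')` that nothing in the hunk closes; it reads LANGUAGE/LC_ALL/LC_MESSAGES/LANG rather than the setlocale result, so confirm that matches how the tools are meant to pick a language. The `except IOError:` branch that completes init_localisation continues past the end of the hunk.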
@@ -1538,12 +1538,12 @@ def ask_the_questions():
 audit_toggle = not audit_toggle
 audit = ''
 if audit_toggle:
- q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_OFF',
- 'CMD_ABORT', 'CMD_FINISHED', 'CMD_IGNORE_ENTRY']
+ q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_OFF',
+ 'CMD_ABORT', 'CMD_FINISHED']
 audit = 'audit'
 else:
- q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW',
- 'CMD_ABORT', 'CMD_FINISHED', 'CMD_IGNORE_ENTRY']
+ q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
+ 'CMD_ABORT', 'CMD_FINISHED', ]
 q['headers'] = [_('Profile'), combine_name(profile, hat), _('Capability'), audit + capability,
@@ -1762,9 +1762,9 @@ def ask_the_questions():
 q['headers'] += [_('Severity'), severity]
 q['options'] = options
 q['selected'] = default_option - 1
- q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_GLOB',
+ q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB',
 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_ABORT',
- 'CMD_FINISHED', 'CMD_OTHER', 'CMD_IGNORE_ENTRY']
+ 'CMD_FINISHED', 'CMD_OTHER']
 q['default'] = 'CMD_DENY'
 if aamode == 'PERMITTING':
 q['default'] = 'CMD_ALLOW'
@@ -1915,8 +1915,8 @@ def ask_the_questions():
 q['headers'] += [_('Socket Type'), sock_type]
 audit_toggle = 0
- q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW',
- 'CMD_ABORT', 'CMD_FINISHED', 'CMD_IGNORE_ENTRY']
+ q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
+ 'CMD_ABORT', 'CMD_FINISHED']
 q['default'] = 'CMD_DENY'
 if aamode == 'PERMITTING':
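Review bot: The second new `q['functions']` line of the 1538 hunk closes with a stray `, ]` (`'CMD_ABORT', 'CMD_FINISHED', ]`), which is harmless but inconsistent with the other three lists this commit rewrites, all of which end in `]`; `'CMD_ABORT', 'CMD_FINISHED']` matches them. The 1762 and 1915 hunks on this line are otherwise consistent with each other. ask_the_questions starts and ends outside the hunk.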
@@ -2078,34 +2078,25 @@ def delete_duplicates(profile, incname):
 deleted = 0
 # Allow rules covered by denied rules shouldn't be deleted
 # only a subset allow rules may actually be denied
-# deleted += delete_net_duplicates(profile['allow']['netdomain'], include[incname][incname]['allow']['netdomain'])
-#
-# deleted += delete_net_duplicates(profile['deny']['netdomain'], include[incname][incname]['deny']['netdomain'])
-#
-# deleted += delete_cap_duplicates(profile['allow']['capability'], include[incname][incname]['allow'])
-#
-# deleted += delete_cap_duplicates(profile['deny']['capability'], include[incname][incname]['deny']['capability'])
-#
-# deleted += delete_path_duplicates(profile, incname, 'allow')
-# deleted += delete_path_duplicates(profile, incname, 'deny')
 if include.get(incname, False):
 deleted += delete_net_duplicates(profile['allow']['netdomain'], include[incname][incname]['allow']['netdomain'])
 deleted += delete_net_duplicates(profile['deny']['netdomain'], include[incname][incname]['deny']['netdomain'])
- deleted += delete_cap_duplicates(profile['allow']['capability'], include[incname][incname]['allow'])
+ deleted += delete_cap_duplicates(profile['allow']['capability'], include[incname][incname]['allow']['capability'])
 deleted += delete_cap_duplicates(profile['deny']['capability'], include[incname][incname]['deny']['capability'])
 deleted += delete_path_duplicates(profile, incname, 'allow')
 deleted += delete_path_duplicates(profile, incname, 'deny')
+
 elif filelist.get(incname, False):
 deleted += delete_net_duplicates(profile['allow']['netdomain'], filelist[incname][incname]['allow']['netdomain'])
 deleted += delete_net_duplicates(profile['deny']['netdomain'], filelist[incname][incname]['deny']['netdomain'])
- deleted += delete_cap_duplicates(profile['allow']['capability'], filelist[incname][incname]['allow'])
+ deleted += delete_cap_duplicates(profile['allow']['capability'], filelist[incname][incname]['allow']['capability'])
 deleted += delete_cap_duplicates(profile['deny']['capability'], filelist[incname][incname]['deny']['capability'])
@@ -2114,9 +2105,6 @@ def delete_duplicates(profile, incname):
 return deleted
-
- return deleted
-
 def match_net_include(incname, family, type):
 includelist = incname[:]
 checked = []
diff --git a/apparmor/ui.py b/apparmor/ui.py
index 2352a0e38..aa1e3645e 100644
--- a/apparmor/ui.py
+++ b/apparmor/ui.py
@@ -410,7 +410,7 @@ def Text_PromptUser(question):
 elif options and re.search('^\d$', ans):
 ans = int(ans)
- if ans > 0 and ans < len(options):
+ if ans > 0 and ans <= len(options):
 selected = ans - 1
 ans = 'XXXINVALIDXXX'
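Review bot: The `include` and `filelist` branches of delete_duplicates are line-for-line identical apart from the table they index, which is why the `['allow']['capability']` fix in this hunk had to be applied twice and why the next fix will have to be as well; selecting the source table once and running a single block removes that duplication. `include.get(incname, False)` followed by `include[incname]` also performs the lookup twice per branch, and binding the result avoids it. Whether `filelist[incname][incname]` is the intended shape for a file entry cannot be judged from here (the `include` branch uses the same double index), so the rewrite below keeps it. The function's `return deleted` lies in the following hunk, outside this one.
```python
def delete_duplicates(profile, incname):
    deleted = 0
    # … unchanged: comment on allow rules covered by deny rules …
    # Whichever table knows incname supplies the include's rules; the two
    # branches were otherwise identical, so run one block over that table.
    source = include.get(incname) or filelist.get(incname)
    if source:
        inc = source[incname]
        deleted += delete_net_duplicates(profile['allow']['netdomain'], inc['allow']['netdomain'])
        deleted += delete_net_duplicates(profile['deny']['netdomain'], inc['deny']['netdomain'])
        deleted += delete_cap_duplicates(profile['allow']['capability'], inc['allow']['capability'])
        deleted += delete_cap_duplicates(profile['deny']['capability'], inc['deny']['capability'])
        deleted += delete_path_duplicates(profile, incname, 'allow')
        deleted += delete_path_duplicates(profile, incname, 'deny')
    # … unchanged: return deleted (next hunk) …
```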
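Review bot: The corrected upper bound `ans <= len(options)` is right, but the guard on the context line above still admits only a single digit (`re.search('^\d$', ans)`), so a menu with ten or more options can never be selected by number and the new bound only ever rejects entries above the option count for menus of nine or fewer. If numeric selection is meant to cover every option, `re.search(r'^\d+$', ans)` on that line would let the range check do real work; the raw-string prefix also avoids the invalid-escape warning newer Python versions emit for `'\d'` in a plain string literal. Text_PromptUser starts and ends outside the hunk.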