felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(aa-log): more log cleanup.

Browse source
This commit is contained in:
Alexandre Pujol 2023-10-10 23:47:31 +01:00
parent 0b412b5713
commit 11ca694af7
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
6 changed files with 24 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

1
pkg/logs/loggers.go
View file

@ -50,6 +50,7 @@ func GetApparmorLogs(file io.Reader, profile string) []string {
} }
// Clean & remove doublon in logs // Clean & remove doublon in logs
res = util.DecodeHexInString(res)
for _, aa := range regCleanLogs { for _, aa := range regCleanLogs {
res = aa.Regex.ReplaceAllLiteralString(res, aa.Repl) res = aa.Regex.ReplaceAllLiteralString(res, aa.Repl)
} }

1
pkg/logs/loggers_test.go
View file

@ -23,7 +23,6 @@ func TestGetJournalctlLogs(t *testing.T) {
want: AppArmorLogs{ want: AppArmorLogs{
{ {
"apparmor": "ALLOWED", "apparmor": "ALLOWED",
"profile": "",
"label": "gsd-xsettings", "label": "gsd-xsettings",
"operation": "dbus_method_call", "operation": "dbus_method_call",
"name": ":*", "name": ":*",

13
pkg/logs/logs.go
View file

@ -59,13 +59,14 @@ var (
`@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`, `@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`,
`/sys/`, `@{sys}/`, `/sys/`, `@{sys}/`,
`@{PROC}@{sys}/`, `@{PROC}/sys/`, `@{PROC}@{sys}/`, `@{PROC}/sys/`,
`pci[0-9][0-9][0-9][0-9]:[0-9][0-9]`, `@{pci_bus}`, `pci[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]`, `@{pci_bus}`,
`@{pci_bus}/([0-9][0-9][0-9][0-9]:[0-9][0-9]:[0-9a-f][0-9a-f]\.[0-9]/)+`, `@{pci}/`,
// Some system glob // Some system glob
`:1.[0-9]*`, `:*`, // dbus peer name `:1.[0-9]*`, `:*`, // dbus peer name
`@{bin}/(|ba|da)sh`, `@{bin}/{,ba,da}sh`, // collect all shell `@{bin}/(|ba|da)sh`, `@{bin}/{,ba,da}sh`, // collect all shell
`@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses `@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses
`[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]`, `@{uuid}`,
`[0-9][0-9][0-9][0-9][0-9][0-9]+`, `@{int}`,
// Remove basic rules from abstractions/base // Remove basic rules from abstractions/base
`(?m)^.*/etc/[^/]+so.*$`, ``, `(?m)^.*/etc/[^/]+so.*$`, ``,
@ -114,14 +115,6 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
aa[kv[0]] = strings.Trim(kv[1], `"`) aa[kv[0]] = strings.Trim(kv[1], `"`)
} }
} }
aa["profile"] = util.DecodeHex(aa["profile"])
toDecode := []string{"name", "comm"}
for _, name := range toDecode {
if value, ok := aa[name]; ok {
aa[name] = util.DecodeHex(value)
}
}
aaLogs = append(aaLogs, aa) aaLogs = append(aaLogs, aa)
} }

5
pkg/logs/logs_test.go
View file

@ -47,7 +47,6 @@ var (
refPowerProfiles = AppArmorLogs{ refPowerProfiles = AppArmorLogs{
{ {
"apparmor": "ALLOWED", "apparmor": "ALLOWED",
"profile": "",
"label": "power-profiles-daemon", "label": "power-profiles-daemon",
"operation": "dbus_method_call", "operation": "dbus_method_call",
"name": "org.freedesktop.DBus", "name": "org.freedesktop.DBus",
@ -83,7 +82,7 @@ func TestAppArmorEvents(t *testing.T) {
"apparmor": "ALLOWED", "apparmor": "ALLOWED",
"profile": "@{bin}/httpd2-prefork//vhost_foo", "profile": "@{bin}/httpd2-prefork//vhost_foo",
"operation": "rename_dest", "operation": "rename_dest",
"name": "/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg", "name": "@{HOME}/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg",
"comm": "httpd2-prefork", "comm": "httpd2-prefork",
"requested_mask": "wc", "requested_mask": "wc",
"denied_mask": "wc", "denied_mask": "wc",
@ -136,7 +135,6 @@ func TestAppArmorEvents(t *testing.T) {
want: AppArmorLogs{ want: AppArmorLogs{
{ {
"apparmor": "ALLOWED", "apparmor": "ALLOWED",
"profile": "",
"label": "snapd", "label": "snapd",
"operation": "dbus_method_call", "operation": "dbus_method_call",
"name": "org.freedesktop.PolicyKit1", "name": "org.freedesktop.PolicyKit1",
@ -163,7 +161,6 @@ func TestAppArmorEvents(t *testing.T) {
want: AppArmorLogs{ want: AppArmorLogs{
{ {
"apparmor": "ALLOWED", "apparmor": "ALLOWED",
"profile": "",
"label": "xdg-document-portal", "label": "xdg-document-portal",
"operation": "dbus_bind", "operation": "dbus_bind",
"name": "org.freedesktop.portal.Documents", "name": "org.freedesktop.portal.Documents",

20
pkg/util/tools.go
View file

@ -9,23 +9,27 @@ import (
"regexp" "regexp"
) )
var isHexa = regexp.MustCompile("^[0-9A-Fa-f]+$")
type RegexRepl struct { type RegexRepl struct {
Regex *regexp.Regexp Regex *regexp.Regexp
Repl string Repl string
} }
// DecodeHex decode a string if it is hexa. // DecodeHexInString decode and replace all hex value in a given string constitued of "key=value".
func DecodeHex(str string) string { func DecodeHexInString(str string) string {
if isHexa.MatchString(str) { toDecode := []string{"name", "comm", "profile"}
bs, _ := hex.DecodeString(str) for _, name := range toDecode {
return string(bs) exp := name + `=[0-9A-F]+`
re := regexp.MustCompile(exp)
str = re.ReplaceAllStringFunc(str, func(s string) string {
hexa := s[len(name)+1:]
bs, _ := hex.DecodeString(hexa)
return name + "=\"" + string(bs) + "\""
})
} }
return str return str
} }
// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty string // RemoveDuplicate filter out all duplicates from a slice. Also filter out empty element.
func RemoveDuplicate[T comparable](inlist []T) []T { func RemoveDuplicate[T comparable](inlist []T) []T {
var empty T var empty T
list := []T{} list := []T{}

14
pkg/util/tools_test.go
View file

@ -10,7 +10,7 @@ import (
"testing" "testing"
) )
func TestDecodeHex(t *testing.T) { func TestDecodeHexInString(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
str string str string
@ -18,19 +18,19 @@ func TestDecodeHex(t *testing.T) {
}{ }{
{ {
name: "Hexa", name: "Hexa",
str: "666F6F20626172", str: `apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name=2F686F6D652F7777772F666F6F2E6261722E696E2F68747470646F63732F61707061726D6F722F696D616765732F746573742F696D61676520312E6A7067 pid=20143 comm="httpd2-prefork" requested_mask="wc"`,
want: "foo bar", want: `apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name="/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg" pid=20143 comm="httpd2-prefork" requested_mask="wc"`,
}, },
{ {
name: "Not Hexa", name: "Not Hexa",
str: "ALLOWED", str: `type=AVC msg=audit(1424425690.883:716630): apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/sbin/klogd" name="var/run/nscd/passwd" pid=25333 comm="id" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`,
want: "ALLOWED", want: `type=AVC msg=audit(1424425690.883:716630): apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/sbin/klogd" name="var/run/nscd/passwd" pid=25333 comm="id" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`,
}, },
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
if got := DecodeHex(tt.str); got != tt.want { if got := DecodeHexInString(tt.str); got != tt.want {
t.Errorf("DecodeHex() = %v, want %v", got, tt.want) t.Errorf("DecodeHexInString() = %v, want %v", got, tt.want)
} }
}) })
} }