felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(aa-log): update addrule method to new structure.

Browse source
This commit is contained in:
Alexandre Pujol 2023-09-25 00:10:12 +01:00
parent e23e10d7b7
commit 73109bb09c
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
1 changed files with 28 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

42
pkg/aa/profile.go
View file

@ -78,6 +78,8 @@ func (p *AppArmorProfile) AddRule(log map[string]string) {
p.Flags = append(p.Flags, "mediate_deleted") p.Flags = append(p.Flags, "mediate_deleted")
} }
case "-13": case "-13":
// FIXME: -13 can be a lot of things, not only attach_disconnected
// Eg: info="User namespace creation restricted"
if !slices.Contains(p.Flags, "attach_disconnected") { if !slices.Contains(p.Flags, "attach_disconnected") {
p.Flags = append(p.Flags, "attach_disconnected") p.Flags = append(p.Flags, "attach_disconnected")
} }
@ -86,28 +88,40 @@ func (p *AppArmorProfile) AddRule(log map[string]string) {
switch log["class"] { switch log["class"] {
case "cap": case "cap":
p.Capability = append(p.Capability, NewCapability(log, noNewPrivs, fileInherit)) p.Rules = append(p.Rules, CapabilityFromLog(log, noNewPrivs, fileInherit))
case "file":
p.File = append(p.File, NewFile(log, noNewPrivs, fileInherit))
case "net": case "net":
if log["family"] == "unix" { if log["family"] == "unix" {
p.Unix = append(p.Unix, NewUnix(log, noNewPrivs, fileInherit)) p.Rules = append(p.Rules, UnixFromLog(log, noNewPrivs, fileInherit))
} else { } else {
p.Network = append(p.Network, NewNetwork(log, noNewPrivs, fileInherit)) p.Rules = append(p.Rules, NetworkFromLog(log, noNewPrivs, fileInherit))
} }
case "signal":
p.Signal = append(p.Signal, NewSignal(log, noNewPrivs, fileInherit))
case "ptrace":
p.Ptrace = append(p.Ptrace, NewPtrace(log, noNewPrivs, fileInherit))
case "unix":
p.Unix = append(p.Unix, NewUnix(log, noNewPrivs, fileInherit))
case "mount": case "mount":
p.Mount = append(p.Mount, NewMount(log, noNewPrivs, fileInherit)) p.Rules = append(p.Rules, MountFromLog(log, noNewPrivs, fileInherit))
case "remount":
p.Rules = append(p.Rules, RemountFromLog(log, noNewPrivs, fileInherit))
case "umount":
p.Rules = append(p.Rules, UmountFromLog(log, noNewPrivs, fileInherit))
case "pivot_root":
p.Rules = append(p.Rules, PivotRootFromLog(log, noNewPrivs, fileInherit))
case "change_profile":
p.Rules = append(p.Rules, RemountFromLog(log, noNewPrivs, fileInherit))
case "mqueue":
p.Rules = append(p.Rules, MqueueFromLog(log, noNewPrivs, fileInherit))
case "signal":
p.Rules = append(p.Rules, SignalFromLog(log, noNewPrivs, fileInherit))
case "ptrace":
p.Rules = append(p.Rules, PtraceFromLog(log, noNewPrivs, fileInherit))
case "namespace":
p.Rules = append(p.Rules, UsernsFromLog(log, noNewPrivs, fileInherit))
case "unix":
p.Rules = append(p.Rules, UnixFromLog(log, noNewPrivs, fileInherit))
case "file":
p.Rules = append(p.Rules, FileFromLog(log, noNewPrivs, fileInherit))
default: default:
if strings.Contains(log["operation"], "dbus") { if strings.Contains(log["operation"], "dbus") {
p.Dbus = append(p.Dbus, NewDbus(log, noNewPrivs, fileInherit)) p.Rules = append(p.Rules, DbusFromLog(log, noNewPrivs, fileInherit))
} else if log["family"] == "unix" { } else if log["family"] == "unix" {
p.Unix = append(p.Unix, NewUnix(log, noNewPrivs, fileInherit)) p.Rules = append(p.Rules, UnixFromLog(log, noNewPrivs, fileInherit))
} }
} }
} }