From 735e3529fb8b5fd265e8205a7696965f765f0aa8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 5 Dec 2023 20:47:32 +0000
Subject: [PATCH] feat(aa-log): add support for mqueue.

---
 pkg/aa/mqueue.go | 14 ++++++++++++--
 pkg/aa/profile.go | 2 +-
 pkg/aa/template.go | 5 +++++
 pkg/aa/templates/profile.j2 | 19 +++++++++++++++++++
 pkg/prebuild/build.go | 1 +
 5 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go
index df2c1c9e1..1469bee9d 100644
--- a/pkg/aa/mqueue.go
+++ b/pkg/aa/mqueue.go
@@ -4,19 +4,29 @@

 package aa

+import "strings"
+
 type Mqueue struct {
 Qualifier
 Access string
 Type string
 Label string
+ Name string
 }

 func MqueueFromLog(log map[string]string) ApparmorRule {
+ mqueueType := "posix"
+ if strings.Contains(log["class"], "posix") {
+ mqueueType = "posix"
+ } else if strings.Contains(log["class"], "sysv") {
+ mqueueType = "sysv"
+ }
 return &Mqueue{
 Qualifier: NewQualifierFromLog(log),
- Access: maskToAccess[log["requested_mask"]],
- Type: log["type"],
+ Access: maskToAccess[log["requested"]],
+ Type: mqueueType,
 Label: log["label"],
+ Name: log["name"],
 }
 }

diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go
index 9b548306c..4b13084b3 100644
--- a/pkg/aa/profile.go
+++ b/pkg/aa/profile.go
@@ -97,7 +97,7 @@ func (p *AppArmorProfile) AddRule(log map[string]string) {
 case "pivotroot":
 p.Rules = append(p.Rules, PivotRootFromLog(log))
 }
- case "mqueue":
+ case "posix_mqueue", "sysv_mqueue":
 p.Rules = append(p.Rules, MqueueFromLog(log))
 case "signal":
 p.Rules = append(p.Rules, SignalFromLog(log))
diff --git a/pkg/aa/template.go b/pkg/aa/template.go
index b61366355..710a20b1b 100644
--- a/pkg/aa/template.go
+++ b/pkg/aa/template.go
@@ -35,10 +35,14 @@ var (
 "a": "w",
 "ac": "w",
 "c": "w",
+ "create": "create",
 "d": "w",
+ "delete": "delete",
+ "getattr": "getattr",
 "k": "k",
 "l": "l",
 "m": "rm",
+ "open": "open",
 "r": "r",
 "ra": "rw",
 "read write": "read write",
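Review bot: In pkg/aa/mqueue.go, `maskToAccess[log["requested"]]` in MqueueFromLog yields an empty Access for any requested value that is not a key in the table, and the Mqueue block this patch adds to profile.j2 then leaves the access list out of the rule. As far as I understand AppArmor rule syntax, an mqueue rule without an access list permits every mqueue operation, so an unmapped mask would silently produce a broader rule than the logged event justifies. Use the two-value form, `access, ok := maskToAccess[log["requested"]]`, and when `ok` is false flag the rule for manual review instead of rendering it without permissions. Separately, the `strings.Contains(log["class"], "posix")` branch only re-assigns the default and can be dropped, and since AddRule in pkg/aa/profile.go dispatches on the exact classes `posix_mqueue` and `sysv_mqueue`, an exact comparison here would be more consistent than a substring match.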
@@ -49,6 +53,7 @@ var (
 "rw": "rw",
 "send receive": "send receive",
 "send": "send",
+ "setattr": "setattr",
 "w": "w",
 "wc": "w",
 "wd": "w",
diff --git a/pkg/aa/templates/profile.j2 b/pkg/aa/templates/profile.j2
index ee6bc3af2..ffc4b4acd 100644
--- a/pkg/aa/templates/profile.j2
+++ b/pkg/aa/templates/profile.j2
@@ -161,6 +161,25 @@
 {{- template "comment" . -}}
 {{- end -}}

+ {{- if eq $type "Mqueue" -}}
+ {{- template "qualifier" . -}}
+ {{- "mqueue" -}}
+ {{- with .Access -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- with .Type -}}
+ {{ " type=" }}{{ . }}
+ {{- end -}}
+ {{- with .Label -}}
+ {{ " label=" }}{{ . }}
+ {{- end -}}
+ {{- with .Name -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+ {{- end -}}
+
 {{- if eq $type "Unix" -}}
 {{- template "qualifier" . -}}
 {{- "unix" -}}
diff --git a/pkg/prebuild/build.go b/pkg/prebuild/build.go
index 9ebd4cb92..780126b2b 100644
--- a/pkg/prebuild/build.go
+++ b/pkg/prebuild/build.go
@@ -28,6 +28,7 @@ var (
 regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
 `abi/3.0`, `abi/4.0`,
 `# userns,`, `userns,`,
+ `# mqueue`, `mqueue`,
 })
 )
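Review bot: In the Mqueue block added to pkg/aa/templates/profile.j2, `.Label` and `.Name` are written into the rule exactly as they arrive, and in this patch MqueueFromLog fills them straight from `log["label"]` and `log["name"]`. The queue name is chosen by the process being logged, so a value containing whitespace, a comma or a quote would change how the generated rule parses once it is copied into a profile. Quote or validate both fields before they reach the template, and add a one-line template comment above the block stating that these two values originate from the audit log. Whether the surrounding rule types already escape their fields is not visible in this hunk.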
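Review bot: The new `# mqueue` pattern in regAbi4To3 (pkg/prebuild/build.go) has no terminator, unlike `# userns,` on the line above, so it will presumably also match ordinary comments that merely start with that word and turn them into active profile lines. How util.ToRegexRepl anchors its patterns is not visible in this hunk, so that needs confirming; if the patterns are unanchored, restrict this one to the start of a line followed by a space or a comma so that only commented-out rules are rewritten. A short comment on the entry saying it re-enables mqueue rules that were commented out would also help. The `var (` block starts outside the hunk.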