mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-29 13:28:19 +00:00
Code Issues Releases Wiki Activity

aa-status: Add filter for the executable

Browse Source 
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2023-04-26 19:09:28 -07:00
parent a5852c41df
commit c065570c6f
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
binutils/aa_status.c
View File

@ -46,18 +46,21 @@ struct filter_set {
regex_t mode; regex_t mode;
regex_t profile; regex_t profile;
regex_t pid; regex_t pid;
regex_t exe;
}; };
typedef struct { typedef struct {
regex_t *mode; regex_t *mode;
regex_t *profile; regex_t *profile;
regex_t *pid; regex_t *pid;
regex_t *exe;
} filters_t; } filters_t;
static void init_filters(filters_t *filters, struct filter_set *base) { static void init_filters(filters_t *filters, struct filter_set *base) {
filters->mode = &base->mode; filters->mode = &base->mode;
filters->profile = &base->profile; filters->profile = &base->profile;
filters->pid = &base->pid; filters->pid = &base->pid;
filters->exe = &base->exe;
}; };
static void free_filters(filters_t *filters) static void free_filters(filters_t *filters)
@ -68,6 +71,8 @@ static void free_filters(filters_t *filters)
regfree(filters->profile); regfree(filters->profile);
if (filters->pid) if (filters->pid)
regfree(filters->pid); regfree(filters->pid);
if (filters->exe)
regfree(filters->exe);
} }
struct profile { struct profile {
@ -117,6 +122,7 @@ bool opt_count = false;
const char *opt_mode = ".*"; const char *opt_mode = ".*";
const char *opt_profiles = ".*"; const char *opt_profiles = ".*";
const char *opt_pid = ".*"; const char *opt_pid = ".*";
const char *opt_exe = ".*";
const char *profile_statuses[] = {"enforce", "complain", "kill", "unconfined"}; const char *profile_statuses[] = {"enforce", "complain", "kill", "unconfined"};
const char *process_statuses[] = {"enforce", "complain", "kill", "unconfined", "mixed"}; const char *process_statuses[] = {"enforce", "complain", "kill", "unconfined", "mixed"};
@ -435,6 +441,8 @@ static int filter_processes(struct process *processes,
continue; continue;
if (regexec(filters->pid, processes[i].pid, 0, NULL, 0) != 0) if (regexec(filters->pid, processes[i].pid, 0, NULL, 0) != 0)
continue; continue;
if (regexec(filters->exe, processes[i].exe, 0, NULL, 0) != 0)
continue;
if (regexec(filters->profile, processes[i].profile, 0, NULL, 0) == 0) if (regexec(filters->profile, processes[i].profile, 0, NULL, 0) == 0)
{ {
struct process *_filtered = realloc(*filtered, (*nfiltered + 1) * sizeof(**filtered)); struct process *_filtered = realloc(*filtered, (*nfiltered + 1) * sizeof(**filtered));
@ -711,6 +719,7 @@ static int usage_filters(void)
" modes: enforce, complain, kill, unconfined, mixed\n" " modes: enforce, complain, kill, unconfined, mixed\n"
" --profiles: regular expression to match displayed profile names\n" " --profiles: regular expression to match displayed profile names\n"
" --pid: regular expression to match displayed processes pids\n" " --pid: regular expression to match displayed processes pids\n"
" --exe: regular expression to match executable\n"
); );
for (i = 0; i < ARRAY_SIZE(process_statuses); i++) { for (i = 0; i < ARRAY_SIZE(process_statuses); i++) {
printf("%s%s", i ? ", " : "", process_statuses[i]); printf("%s%s", i ? ", " : "", process_statuses[i]);
@ -741,6 +750,7 @@ static int print_usage(const char *command, bool error)
" or a regular expression\n" " or a regular expression\n"
" --profiles=filter which profiles to display. see filters\n" " --profiles=filter which profiles to display. see filters\n"
" --pid=filter which processes to display. see filters\n" " --pid=filter which processes to display. see filters\n"
" --exe=filter which processes to display. see filters\n"
" --json displays multiple data points in machine-readable JSON format\n" " --json displays multiple data points in machine-readable JSON format\n"
" --pretty-json same data as --json, formatted for human consumption as well\n" " --pretty-json same data as --json, formatted for human consumption as well\n"
" --verbose (default) displays data points about loaded policy set\n" " --verbose (default) displays data points about loaded policy set\n"
@ -768,6 +778,7 @@ static int print_usage(const char *command, bool error)
#define ARG_MODE 140 #define ARG_MODE 140
#define ARG_PROFILES 141 #define ARG_PROFILES 141
#define ARG_PID 142 #define ARG_PID 142
#define ARG_EXE 143
#define ARG_VERBOSE 'v' #define ARG_VERBOSE 'v'
#define ARG_HELP 'h' #define ARG_HELP 'h'
@ -790,6 +801,7 @@ static int parse_args(int argc, char **argv)
{"show", 1, 0, ARG_SHOW}, {"show", 1, 0, ARG_SHOW},
{"profiles", 1, 0, ARG_PROFILES}, {"profiles", 1, 0, ARG_PROFILES},
{"pid", 1, 0, ARG_PID}, {"pid", 1, 0, ARG_PID},
{"exe", 1, 0, ARG_EXE},
{"mode", 1, 0, ARG_MODE}, {"mode", 1, 0, ARG_MODE},
{NULL, 0, 0, 0}, {NULL, 0, 0, 0},
}; };
@ -891,6 +903,10 @@ static int parse_args(int argc, char **argv)
case ARG_MODE: case ARG_MODE:
opt_mode = optarg; opt_mode = optarg;
break; break;
case ARG_EXE:
opt_exe = optarg;
/* default opt_mode */
break;
default: default:
dfprintf(stderr, "Error: Invalid command.\n"); dfprintf(stderr, "Error: Invalid command.\n");
@ -946,6 +962,12 @@ int main(int argc, char **argv)
ret = AA_EXIT_INTERNAL_ERROR; ret = AA_EXIT_INTERNAL_ERROR;
goto out; goto out;
} }
if (regcomp(filters.exe, opt_exe, REG_NOSUB) != 0) {
dfprintf(stderr, "Error: failed to compile exe filter '%s'\n",
opt_exe);
ret = AA_EXIT_INTERNAL_ERROR;
goto out;
}
/* check apparmor is available and we have permissions */ /* check apparmor is available and we have permissions */
ret = open_profiles(&fp); ret = open_profiles(&fp);