mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 13:58:22 +00:00
Code Issues Releases Wiki Activity

used perltidy to clean up the formatting for the perl scripts in the

Browse Source 
utils package and manually fixed some places where perltidy's
reformatting made it harder to read.  the options used were--

-i=4    # 4-space indentation
-l=0    # unlimited line length (for now)
-pt=2   # slightly tightened parens
-ce     # cuddled elses
-nolq   # don't outdent long quotes
-nsfs   # don't add spaces in front of semi-colons in for ( ) statements
-isbc   # only indent block comments that have whitespace in front of them
-otr    # don't place a break between a comma and an opening brace

the code will be refactored to make it possible to switch to using 
80-column line-breaks without resorting to really nasty formatting 
constructs.
This commit is contained in:
Jesse Michael
2007-03-20 21:58:38 +00:00
parent f29097e401
commit d8ae032328
11 changed files with 5115 additions and 4774 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2343
utils/Reports.pm
View File

File diff suppressed because it is too large Load Diff

289
utils/Severity.pm
View File

@@ -9,7 +9,6 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
package Immunix::Severity; package Immunix::Severity;
use strict; use strict;
use Data::Dumper; use Data::Dumper;
@@ -17,67 +16,77 @@ use Data::Dumper;
my ($debug) = 0; my ($debug) = 0;
sub debug { sub debug {
print @_ if $debug; print @_ if $debug;
} }
sub new { sub new {
my $self = {}; my $self = {};
$self->{DATABASENAME} = undef; $self->{DATABASENAME} = undef;
$self->{CAPABILITIES} = {}; $self->{CAPABILITIES} = {};
$self->{FILES} = {}; $self->{FILES} = {};
$self->{REGEXPS} = {}; $self->{REGEXPS} = {};
$self->{DEFAULT_RANK} = 10; $self->{DEFAULT_RANK} = 10;
bless($self); bless($self);
shift; shift;
$self->init(@_) if @_; $self->init(@_) if @_;
return $self; return $self;
} }
sub init ($;$) { sub init ($;$) {
my ($self, $resource, $read, $write, $execute, $severity); my ($self, $resource, $read, $write, $execute, $severity);
$self = shift; $self = shift;
$self->{DATABASENAME} = shift; $self->{DATABASENAME} = shift;
$self->{DEFAULT_RANK} = shift if defined $_[0]; $self->{DEFAULT_RANK} = shift if defined $_[0];
open(DATABASE, $self->{DATABASENAME}) or die "Could not open severity db $self->{DATABASENAME}: $!\n"; open(DATABASE, $self->{DATABASENAME})
while (<DATABASE>) { or die "Could not open severity db $self->{DATABASENAME}: $!\n";
chomp(); while (<DATABASE>) {
next if m/^\s*#/; chomp();
next if m/^\s*$/; next if m/^\s*#/;
# leading whitespace is fine; maybe it shouldn't be? next if m/^\s*$/;
if(/^\s*\/(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$/) {
my ($path, $read, $write, $execute) = ($1, $2, $3, $4); # leading whitespace is fine; maybe it shouldn't be?
if (/^\s*\/(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$/) {
if(index($path, "*") == -1) { my ($path, $read, $write, $execute) = ($1, $2, $3, $4);
$self->{FILES}{$path} = { r => $read, w => $write, x => $execute }; if (index($path, "*") == -1) {
} else { $self->{FILES}{$path} = {
r => $read,
my $ptr = $self->{REGEXPS}; w => $write,
my @pieces = split(/\//, $path); x => $execute
};
while(my $piece = shift @pieces) {
if(index($piece, "*") != -1) { } else {
my $path = join("/", $piece, @pieces);
my $regexp = convert_regexp($path); my $ptr = $self->{REGEXPS};
$ptr->{$regexp}{SD_RANK} = { r => $read, w => $write, x => $execute }; my @pieces = split(/\//, $path);
last;
} else { while (my $piece = shift @pieces) {
$ptr->{$piece} = { } unless exists $ptr->{$piece}; if (index($piece, "*") != -1) {
$ptr = $ptr->{$piece}; my $path = join("/", $piece, @pieces);
} my $regexp = convert_regexp($path);
$ptr->{$regexp}{SD_RANK} = {
r => $read,
w => $write,
x => $execute
};
last;
} else {
$ptr->{$piece} = {} unless exists $ptr->{$piece};
$ptr = $ptr->{$piece};
}
}
}
} elsif (m|^\s*CAP|) {
($resource, $severity) = split;
$self->{CAPABILITIES}{$resource} = $severity;
} else {
print "unexpected database line: $_\n";
} }
}
} elsif (m|^\s*CAP|) {
($resource, $severity) = split;
$self->{CAPABILITIES}{$resource}=$severity;
} else {
print "unexpected database line: $_\n";
} }
} close(DATABASE);
close(DATABASE); debug Dumper($self);
debug Dumper($self); return $self;
return $self;
} }
#rank: #rank:
@@ -87,7 +96,7 @@ sub init ($;$) {
# handle capability # handle capability
# if the name is in the database, return it # if the name is in the database, return it
# otherwise, send a diagnostic message to stderr and return the default # otherwise, send a diagnostic message to stderr and return the default
# #
# handle file # handle file
# initialize the current return value to 0 # initialize the current return value to 0
# loop over each entry in the database; # loop over each entry in the database;
@@ -96,110 +105,118 @@ sub init ($;$) {
# otherwise, return the maximum from the database # otherwise, return the maximum from the database
sub handle_capability ($) { sub handle_capability ($) {
my ($self, $resource) = @_; my ($self, $resource) = @_;
my $ret = $self->{CAPABILITIES}{$resource}; my $ret = $self->{CAPABILITIES}{$resource};
if (!defined($ret)) { if (!defined($ret)) {
return "unexpected capability rank input: $resource\n"; return "unexpected capability rank input: $resource\n";
} }
return $ret; return $ret;
} }
sub check_subtree { sub check_subtree {
my ($tree, $mode, $sev, $first, @rest) = @_; my ($tree, $mode, $sev, $first, @rest) = @_;
# reassemble the remaining path from this directory level # reassemble the remaining path from this directory level
my $path = join("/", $first, @rest); my $path = join("/", $first, @rest);
# first check if we have a literal directory match to descend into # first check if we have a literal directory match to descend into
if($tree->{$first}) { if ($tree->{$first}) {
$sev = check_subtree($tree->{$first}, $mode, $sev, @rest); $sev = check_subtree($tree->{$first}, $mode, $sev, @rest);
}
# if we didn't get a severity already, check for matching globs
unless($sev) {
# check each glob at this directory level
for my $chunk (grep { index($_, "*") != -1 } keys %{$tree}) {
# does it match the rest of our path?
if($path =~ /^$chunk$/) {
# if we've got a ranking, check if it's higher than current one, if any
if($tree->{$chunk}->{SD_RANK}) {
for my $m (split(//, $mode)) {
if((! defined $sev) || $tree->{$chunk}->{SD_RANK}->{$m} > $sev) {
$sev = $tree->{$chunk}->{SD_RANK}->{$m};
}
}
}
}
} }
}
return $sev; # if we didn't get a severity already, check for matching globs
unless ($sev) {
# check each glob at this directory level
for my $chunk (grep { index($_, "*") != -1 } keys %{$tree}) {
# does it match the rest of our path?
if ($path =~ /^$chunk$/) {
# if we've got a ranking, check if it's higher than
# current one, if any
if ($tree->{$chunk}->{SD_RANK}) {
for my $m (split(//, $mode)) {
if ((!defined $sev)
|| $tree->{$chunk}->{SD_RANK}->{$m} > $sev)
{
$sev = $tree->{$chunk}->{SD_RANK}->{$m};
}
}
}
}
}
}
return $sev;
} }
sub handle_file ($$) { sub handle_file ($$) {
my ($self, $resource, $mode) = @_; my ($self, $resource, $mode) = @_;
# strip off the initial / from the path we're checking # strip off the initial / from the path we're checking
$resource = substr($resource, 1); $resource = substr($resource, 1);
# break the path into directory-level chunks # break the path into directory-level chunks
my @pieces = split(/\//, $resource); my @pieces = split(/\//, $resource);
my $sev; my $sev;
# if there's a exact match for this path in the db, use that instead of # if there's a exact match for this path in the db, use that instead of
# checking the globs # checking the globs
if($self->{FILES}{$resource}) { if ($self->{FILES}{$resource}) {
# check each piece of the passed mode against the db entry
for my $m (split(//, $mode)) {
if ((!defined $sev) || $self->{FILES}{$resource}{$m} > $sev) {
$sev = $self->{FILES}{$resource}{$m};
}
}
} else {
# descend into the regexp tree looking for matches
$sev = check_subtree($self->{REGEXPS}, $mode, $sev, @pieces);
# check each piece of the passed mode against the db entry
for my $m (split(//, $mode)) {
if((! defined $sev) || $self->{FILES}{$resource}{$m} > $sev) {
$sev = $self->{FILES}{$resource}{$m};
}
} }
} else { return (defined $sev) ? $sev : $self->{DEFAULT_RANK};
# descend into the regexp tree looking for matches
$sev = check_subtree($self->{REGEXPS}, $mode, $sev, @pieces);
}
return (defined $sev) ? $sev : $self->{DEFAULT_RANK};
} }
sub rank ($;$) { sub rank ($;$) {
my ($self, $resource, $mode) = @_; my ($self, $resource, $mode) = @_;
if (substr($resource,0,1) eq "/") {
return $self->handle_file($resource, $mode); if (substr($resource, 0, 1) eq "/") {
} elsif (substr($resource,0,3) eq "CAP") { return $self->handle_file($resource, $mode);
return $self->handle_capability($resource); } elsif (substr($resource, 0, 3) eq "CAP") {
} else { return $self->handle_capability($resource);
return "unexpected rank input: $resource\n"; } else {
} return "unexpected rank input: $resource\n";
}
} }
sub convert_regexp ($) { sub convert_regexp ($) {
my ($input) = shift; my ($input) = shift;
# we need to convert subdomain regexps to perl regexps
my $regexp = $input; # we need to convert subdomain regexps to perl regexps
# escape + . [ and ] characters my $regexp = $input;
$regexp =~ s/(\+|\.|\[|\])/\\$1/g;
# convert ** globs to match anything # escape + . [ and ] characters
$regexp =~ s/\*\*/.SDPROF_INTERNAL_GLOB/g; $regexp =~ s/(\+|\.|\[|\])/\\$1/g;
# convert * globs to match anything at current path level
$regexp =~ s/\*/[^\/]SDPROF_INTERNAL_GLOB/g; # convert ** globs to match anything
# convert {foo,baz} to (foo|baz) $regexp =~ s/\*\*/.SDPROF_INTERNAL_GLOB/g;
$regexp =~ y/\{\}\,/\(\)\|/ if $regexp =~ /\{.*\,.*\}/;
# twiddle the escaped * chars back # convert * globs to match anything at current path level
$regexp =~ s/SDPROF_INTERNAL_GLOB/\*/g; $regexp =~ s/\*/[^\/]SDPROF_INTERNAL_GLOB/g;
return $regexp;
# convert {foo,baz} to (foo|baz)
$regexp =~ y/\{\}\,/\(\)\|/ if $regexp =~ /\{.*\,.*\}/;
# twiddle the escaped * chars back
$regexp =~ s/SDPROF_INTERNAL_GLOB/\*/g;
return $regexp;
} }
1; # so the require or use succeeds 1; # so the require or use succeeds

5017
utils/SubDomain.pm
View File

File diff suppressed because it is too large Load Diff

1505
utils/aa-eventd
View File

File diff suppressed because it is too large Load Diff

107
utils/audit
View File

@@ -4,20 +4,20 @@
# #
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Copyright (c) 2005 Novell, Inc. All Rights Reserved. # Copyright (c) 2005 Novell, Inc. All Rights Reserved.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation. # License as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc. # along with this program; if not, contact Novell, Inc.
# #
# To contact Novell about this file by physical or electronic mail, # To contact Novell about this file by physical or electronic mail,
# you may find current contact information at www.novell.com. # you may find current contact information at www.novell.com.
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
@@ -39,22 +39,22 @@ textdomain("apparmor-utils");
$UI_Mode = "text"; $UI_Mode = "text";
# options variables # options variables
my $help = ''; my $help = '';
GetOptions( GetOptions(
'dir|d=s' => \$profiledir, 'dir|d=s' => \$profiledir,
'help|h' => \$help, 'help|h' => \$help,
); );
# tell 'em how to use it... # tell 'em how to use it...
&usage && exit if $help; &usage && exit if $help;
# let's convert it to full path... # let's convert it to full path...
$profiledir = get_full_path($profiledir); $profiledir = get_full_path($profiledir);
unless(-d $profiledir) { unless (-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir."); UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1; exit 1;
} }
# read the settings in /etc/logprof.conf # read the settings in /etc/logprof.conf
@@ -63,62 +63,63 @@ readconfig();
# what are we profiling? # what are we profiling?
my @profiling = @ARGV; my @profiling = @ARGV;
unless(@profiling) { unless (@profiling) {
@profiling = ( UI_GetString("Please enter the program to switch to audit mode: ", "") ); @profiling = (UI_GetString("Please enter the program to switch to audit mode: ", ""));
} }
for my $profiling (@profiling) { for my $profiling (@profiling) {
next unless $profiling; next unless $profiling;
my $fqdbin; my $fqdbin;
if(-e $profiling) { if (-e $profiling) {
$fqdbin = get_full_path($profiling); $fqdbin = get_full_path($profiling);
chomp($fqdbin); chomp($fqdbin);
} else {
if($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
$fqdbin = get_full_path($which);
}
}
}
if(-e $fqdbin) {
my $filename;
if($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else { } else {
$filename = getprofilefilename($fqdbin); if ($profiling !~ /\//) {
my $which = which($profiling);
if ($which) {
$fqdbin = get_full_path($which);
}
}
} }
# argh, skip directories if (-e $fqdbin) {
next unless -f $filename;
# skip rpm backup files my $filename;
next if $filename =~ /\.rpm(save|new)$/; if ($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else {
$filename = getprofilefilename($fqdbin);
}
printf(gettext('Setting %s to audit mode.'), $fqdbin); # argh, skip directories
print "\n"; next unless -f $filename;
setprofileflags($filename, "audit");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1") if check_for_subdomain(); # skip rpm backup files
} else { next if $filename =~ /\.rpm(save|new)$/;
if($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling)); printf(gettext('Setting %s to audit mode.'), $fqdbin);
exit 1; print "\n";
setprofileflags($filename, "audit");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1")
if check_for_subdomain();
} else { } else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'). $profiling)); if ($profiling =~ /^[^\/]+$/) {
exit 1; UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));
exit 1;
}
} }
}
} }
exit 0; exit 0;
sub usage { sub usage {
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to audit mode ]"), $0)); UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to audit mode ]"), $0));
exit 0; exit 0;
} }

112
utils/autodep
View File

@@ -4,24 +4,23 @@
# #
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Copyright (c) 2005 Novell, Inc. All Rights Reserved. # Copyright (c) 2005 Novell, Inc. All Rights Reserved.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation. # License as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc. # along with this program; if not, contact Novell, Inc.
# #
# To contact Novell about this file by physical or electronic mail, # To contact Novell about this file by physical or electronic mail,
# you may find current contact information at www.novell.com. # you may find current contact information at www.novell.com.
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
use strict; use strict;
use FindBin; use FindBin;
use Getopt::Long; use Getopt::Long;
@@ -43,15 +42,15 @@ textdomain("apparmor-utils");
$UI_Mode = "text"; $UI_Mode = "text";
# options variables # options variables
my $help = ''; my $help = '';
my $force = undef; my $force = undef;
GetOptions( GetOptions(
'force' => \$force, 'force' => \$force,
'dir|d=s' => \$profiledir, 'dir|d=s' => \$profiledir,
'help|h' => \$help, 'help|h' => \$help,
); );
# tell 'em how to use it... # tell 'em how to use it...
&usage && exit if $help; &usage && exit if $help;
@@ -59,10 +58,10 @@ my $sd_mountpoint = check_for_subdomain();
# let's convert it to full path... # let's convert it to full path...
$profiledir = get_full_path($profiledir); $profiledir = get_full_path($profiledir);
unless(-d $profiledir) { unless (-d $profiledir) {
UI_Important(sprintf(gettext('Can\'t find subdomain profiles in %s.'), $profiledir)); UI_Important(sprintf(gettext('Can\'t find subdomain profiles in %s.'), $profiledir));
exit 1; exit 1;
} }
# read the settings in /etc/logprof.conf # read the settings in /etc/logprof.conf
@@ -71,59 +70,58 @@ readconfig();
# what are we profiling? # what are we profiling?
my @profiling = @ARGV; my @profiling = @ARGV;
unless(@profiling) { unless (@profiling) {
@profiling = ( UI_GetString(gettext("Please enter the program to create a profile for: "), "") ); @profiling = (UI_GetString(gettext("Please enter the program to create a profile for: "), ""));
} }
for my $profiling (@profiling) { for my $profiling (@profiling) {
next unless $profiling; next unless $profiling;
my $fqdbin; my $fqdbin;
if(-e $profiling) { if (-e $profiling) {
$fqdbin = get_full_path($profiling); $fqdbin = get_full_path($profiling);
chomp($fqdbin); chomp($fqdbin);
} else {
if($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
$fqdbin = get_full_path($which);
}
}
}
# make sure that the app they're requesting to profile is not marked as
# not allowed to have it's own profile
if($qualifiers{$fqdbin}) {
unless($qualifiers{$fqdbin} =~ /p/) {
UI_Info(sprintf(gettext('%s is currently marked as a program that should not have it\'s own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you\'re doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf.'), $fqdbin));
exit 1;
}
}
if(-e $fqdbin) {
if(-e getprofilefilename($fqdbin) && !$force) {
UI_Info(sprintf(gettext('Profile for %s already exists - skipping.'), $fqdbin));
} else { } else {
autodep($fqdbin); if ($profiling !~ /\//) {
reload($fqdbin) if $sd_mountpoint; my $which = which($profiling);
if ($which) {
$fqdbin = get_full_path($which);
}
}
} }
} else {
if($profiling =~ /^[^\/]+$/) { # make sure that the app they're requesting to profile is not marked as
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling)); # not allowed to have it's own profile
exit 1; if ($qualifiers{$fqdbin}) {
unless ($qualifiers{$fqdbin} =~ /p/) {
UI_Info(sprintf(gettext('%s is currently marked as a program that should not have it\'s own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you\'re doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf.'), $fqdbin));
exit 1;
}
}
if (-e $fqdbin) {
if (-e getprofilefilename($fqdbin) && !$force) {
UI_Info(sprintf(gettext('Profile for %s already exists - skipping.'), $fqdbin));
} else {
autodep($fqdbin);
reload($fqdbin) if $sd_mountpoint;
}
} else { } else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'). $profiling)); if ($profiling =~ /^[^\/]+$/) {
exit 1; UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));
exit 1;
}
} }
}
} }
exit 0; exit 0;
sub usage { sub usage {
UI_Info("usage: $0 [ --force ] [ -d /path/to/profiles ]"); UI_Info("usage: $0 [ --force ] [ -d /path/to/profiles ]");
exit 0; exit 0;
} }

107
utils/complain
View File

@@ -4,20 +4,20 @@
# #
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Copyright (c) 2005 Novell, Inc. All Rights Reserved. # Copyright (c) 2005 Novell, Inc. All Rights Reserved.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation. # License as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc. # along with this program; if not, contact Novell, Inc.
# #
# To contact Novell about this file by physical or electronic mail, # To contact Novell about this file by physical or electronic mail,
# you may find current contact information at www.novell.com. # you may find current contact information at www.novell.com.
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
@@ -39,22 +39,22 @@ textdomain("apparmor-utils");
$UI_Mode = "text"; $UI_Mode = "text";
# options variables # options variables
my $help = ''; my $help = '';
GetOptions( GetOptions(
'dir|d=s' => \$profiledir, 'dir|d=s' => \$profiledir,
'help|h' => \$help, 'help|h' => \$help,
); );
# tell 'em how to use it... # tell 'em how to use it...
&usage && exit if $help; &usage && exit if $help;
# let's convert it to full path... # let's convert it to full path...
$profiledir = get_full_path($profiledir); $profiledir = get_full_path($profiledir);
unless(-d $profiledir) { unless (-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir."); UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1; exit 1;
} }
# read the settings in /etc/logprof.conf # read the settings in /etc/logprof.conf
@@ -63,62 +63,63 @@ readconfig();
# what are we profiling? # what are we profiling?
my @profiling = @ARGV; my @profiling = @ARGV;
unless(@profiling) { unless (@profiling) {
@profiling = ( UI_GetString(gettext("Please enter the program to switch to complain mode: "), "") ); @profiling = (UI_GetString(gettext("Please enter the program to switch to complain mode: "), ""));
} }
for my $profiling (@profiling) { for my $profiling (@profiling) {
next unless $profiling; next unless $profiling;
my $fqdbin; my $fqdbin;
if(-e $profiling) { if (-e $profiling) {
$fqdbin = get_full_path($profiling); $fqdbin = get_full_path($profiling);
chomp($fqdbin); chomp($fqdbin);
} else {
if($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
$fqdbin = get_full_path($which);
}
}
}
if(-e $fqdbin) {
my $filename;
if($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else { } else {
$filename = getprofilefilename($fqdbin); if ($profiling !~ /\//) {
my $which = which($profiling);
if ($which) {
$fqdbin = get_full_path($which);
}
}
} }
# argh, skip directories if (-e $fqdbin) {
next unless -f $filename;
# skip rpm backup files my $filename;
next if $filename =~ /\.rpm(save|new)$/; if ($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else {
$filename = getprofilefilename($fqdbin);
}
printf(gettext('Setting %s to complain mode.'), $fqdbin); # argh, skip directories
print "\n"; next unless -f $filename;
setprofileflags($filename, "complain");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1") if check_for_subdomain(); # skip rpm backup files
} else { next if $filename =~ /\.rpm(save|new)$/;
if($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling)); printf(gettext('Setting %s to complain mode.'), $fqdbin);
exit 1; print "\n";
setprofileflags($filename, "complain");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1")
if check_for_subdomain();
} else { } else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling)); if ($profiling =~ /^[^\/]+$/) {
exit 1; UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling));
exit 1;
}
} }
}
} }
exit 0; exit 0;
sub usage { sub usage {
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to complain mode ]"), $0)); UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to complain mode ]"), $0));
exit 0; exit 0;
} }

105
utils/enforce
View File

@@ -4,20 +4,20 @@
# #
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Copyright (c) 2005 Novell, Inc. All Rights Reserved. # Copyright (c) 2005 Novell, Inc. All Rights Reserved.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation. # License as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc. # along with this program; if not, contact Novell, Inc.
# #
# To contact Novell about this file by physical or electronic mail, # To contact Novell about this file by physical or electronic mail,
# you may find current contact information at www.novell.com. # you may find current contact information at www.novell.com.
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
@@ -39,22 +39,22 @@ textdomain("apparmor-utils");
$UI_Mode = "text"; $UI_Mode = "text";
# options variables # options variables
my $help = ''; my $help = '';
GetOptions( GetOptions(
'dir|d=s' => \$profiledir, 'dir|d=s' => \$profiledir,
'help|h' => \$help, 'help|h' => \$help,
); );
# tell 'em how to use it... # tell 'em how to use it...
&usage && exit if $help; &usage && exit if $help;
# let's convert it to full path... # let's convert it to full path...
$profiledir = get_full_path($profiledir); $profiledir = get_full_path($profiledir);
unless(-d $profiledir) { unless (-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir."); UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1; exit 1;
} }
# read the settings in /etc/logprof.conf # read the settings in /etc/logprof.conf
@@ -63,61 +63,62 @@ readconfig();
# what are we profiling? # what are we profiling?
my @profiling = @ARGV; my @profiling = @ARGV;
unless(@profiling) { unless (@profiling) {
@profiling = ( UI_GetString(gettext("Please enter the program to switch to enforce mode: "), "") ); @profiling = (UI_GetString(gettext("Please enter the program to switch to enforce mode: "), ""));
} }
for my $profiling (@profiling) { for my $profiling (@profiling) {
next unless $profiling; next unless $profiling;
my $fqdbin; my $fqdbin;
if(-e $profiling) { if (-e $profiling) {
$fqdbin = get_full_path($profiling); $fqdbin = get_full_path($profiling);
chomp($fqdbin); chomp($fqdbin);
} else {
if($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
$fqdbin = get_full_path($which);
}
}
}
if(-e $fqdbin) {
my $filename;
if($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else { } else {
$filename = getprofilefilename($fqdbin); if ($profiling !~ /\//) {
my $which = which($profiling);
if ($which) {
$fqdbin = get_full_path($which);
}
}
} }
# argh, skip directories if (-e $fqdbin) {
next unless -f $filename; my $filename;
if ($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else {
$filename = getprofilefilename($fqdbin);
}
# skip rpm backup files # argh, skip directories
next if $filename =~ /\.rpm(save|new)$/; next unless -f $filename;
printf(gettext('Setting %s to enforce mode.'), $fqdbin); # skip rpm backup files
print "\n"; next if $filename =~ /\.rpm(save|new)$/;
setprofileflags($filename, "");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1") if check_for_subdomain(); printf(gettext('Setting %s to enforce mode.'), $fqdbin);
} else { print "\n";
if($profiling =~ /^[^\/]+$/) { setprofileflags($filename, "");
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1; system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1")
if check_for_subdomain();
} else { } else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'). $profiling)); if ($profiling =~ /^[^\/]+$/) {
exit 1; UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));
exit 1;
}
} }
}
} }
exit 0; exit 0;
sub usage { sub usage {
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to enforce mode ]"), $0)); UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ program to switch to enforce mode ]"), $0));
exit 0; exit 0;
} }

167
utils/genprof
View File

@@ -4,20 +4,20 @@
# #
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Copyright (c) 2005 Novell, Inc. All Rights Reserved. # Copyright (c) 2005 Novell, Inc. All Rights Reserved.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation. # License as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc. # along with this program; if not, contact Novell, Inc.
# #
# To contact Novell about this file by physical or electronic mail, # To contact Novell about this file by physical or electronic mail,
# you may find current contact information at www.novell.com. # you may find current contact information at www.novell.com.
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
@@ -39,55 +39,56 @@ setlocale(LC_MESSAGES, "");
textdomain("apparmor-utils"); textdomain("apparmor-utils");
# options variables # options variables
my $help = ''; my $help = '';
GetOptions( GetOptions(
'file|f=s' => \$filename, 'file|f=s' => \$filename,
'dir|d=s' => \$profiledir, 'dir|d=s' => \$profiledir,
'help|h' => \$help, 'help|h' => \$help,
); );
# tell 'em how to use it... # tell 'em how to use it...
&usage && exit if $help; &usage && exit if $help;
my $sd_mountpoint = check_for_subdomain(); my $sd_mountpoint = check_for_subdomain();
unless($sd_mountpoint) { unless ($sd_mountpoint) {
fatal_error(gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.")); fatal_error(gettext("SubDomain does not appear to be started. Please enable SubDomain and try again."));
} }
# let's convert it to full path... # let's convert it to full path...
$profiledir = get_full_path($profiledir); $profiledir = get_full_path($profiledir);
unless(-d $profiledir) { unless (-d $profiledir) {
fatal_error "Can't find subdomain profiles in $profiledir."; fatal_error "Can't find subdomain profiles in $profiledir.";
} }
# what are we profiling? # what are we profiling?
my $profiling = shift; my $profiling = shift;
unless($profiling) { unless ($profiling) {
$profiling = UI_GetString(gettext("Please enter the program to profile: "), "") || exit 0; $profiling = UI_GetString(gettext("Please enter the program to profile: "), "")
|| exit 0;
} }
my $fqdbin; my $fqdbin;
if(-e $profiling) { if (-e $profiling) {
$fqdbin = get_full_path($profiling); $fqdbin = get_full_path($profiling);
chomp($fqdbin); chomp($fqdbin);
} else { } else {
if($profiling !~ /\//) { if ($profiling !~ /\//) {
my $which = which($profiling); my $which = which($profiling);
if($which) { if ($which) {
$fqdbin = get_full_path($which); $fqdbin = get_full_path($which);
}
} }
}
} }
unless($fqdbin && -e $fqdbin) { unless ($fqdbin && -e $fqdbin) {
if($profiling =~ /^[^\/]+$/) { if ($profiling =~ /^[^\/]+$/) {
fatal_error(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' in the other window in order to find the fully-qualified path.'), $profiling, $profiling)); fatal_error(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' in the other window in order to find the fully-qualified path.'), $profiling, $profiling));
} else { } else {
fatal_error(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling)); fatal_error(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling));
} }
} }
# read the settings in /etc/logprof.conf # read the settings in /etc/logprof.conf
@@ -95,73 +96,72 @@ readconfig();
# make sure that the app they're requesting to profile is not marked as # make sure that the app they're requesting to profile is not marked as
# not allowed to have it's own profile # not allowed to have it's own profile
if($qualifiers{$fqdbin}) { if ($qualifiers{$fqdbin}) {
unless($qualifiers{$fqdbin} =~ /p/) { unless ($qualifiers{$fqdbin} =~ /p/) {
fatal_error(sprintf(gettext("\%s is currently marked as a program that should not have it's own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you're doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $fqdbin)); fatal_error(sprintf(gettext("\%s is currently marked as a program that should not have it's own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you're doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $fqdbin));
} }
} }
# load all the include files # load all the include files
loadincludes(); loadincludes();
my $profilefilename = getprofilefilename($fqdbin); my $profilefilename = getprofilefilename($fqdbin);
if(-e $profilefilename) { if (-e $profilefilename) {
$helpers{$fqdbin} = getprofileflags($profilefilename) || "enforce"; $helpers{$fqdbin} = getprofileflags($profilefilename) || "enforce";
} else { } else {
autodep($fqdbin); autodep($fqdbin);
$helpers{$fqdbin} = "enforce"; $helpers{$fqdbin} = "enforce";
} }
if($helpers{$fqdbin} eq "enforce") { if ($helpers{$fqdbin} eq "enforce") {
complain($fqdbin); complain($fqdbin);
reload($fqdbin); reload($fqdbin);
} }
UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied.")); UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied."));
my $syslog = 1; my $syslog = 1;
my $logmark = ""; my $logmark = "";
my $done_profiling = 0; my $done_profiling = 0;
$syslog = 0 if ( -e "/var/log/audit/audit.log" ); $syslog = 0 if (-e "/var/log/audit/audit.log");
while(not $done_profiling) { while (not $done_profiling) {
if ( $syslog ) { if ($syslog) {
$logmark = `date | md5sum`; $logmark = `date | md5sum`;
chomp $logmark; chomp $logmark;
$logmark = $1 if $logmark =~ /^([0-9a-f]+)/; $logmark = $1 if $logmark =~ /^([0-9a-f]+)/;
system("/bin/logger -p kern.warn 'GenProf: $logmark'"); system("/bin/logger -p kern.warn 'GenProf: $logmark'");
} else { } else {
$logmark = last_audit_entry_time(); $logmark = last_audit_entry_time();
} }
my $q = { }; my $q = {};
$q->{headers} = [ gettext("Profiling"), $fqdbin ]; $q->{headers} = [ gettext("Profiling"), $fqdbin ];
$q->{functions} = [ "CMD_SCAN", "CMD_FINISHED" ]; $q->{functions} = [ "CMD_SCAN", "CMD_FINISHED" ];
$q->{default} = "CMD_SCAN"; $q->{default} = "CMD_SCAN";
my ($ans, $arg) = UI_PromptUser($q); my ($ans, $arg) = UI_PromptUser($q);
if($ans eq "CMD_SCAN") { if ($ans eq "CMD_SCAN") {
my $lp_ret = do_logprof_pass($logmark); my $lp_ret = do_logprof_pass($logmark);
$done_profiling = 1 if $lp_ret eq "FINISHED"; $done_profiling = 1 if $lp_ret eq "FINISHED";
} else { } else {
$done_profiling = 1; $done_profiling = 1;
} }
} }
for my $p (sort keys %helpers) { for my $p (sort keys %helpers) {
if($helpers{$p} eq "enforce") { if ($helpers{$p} eq "enforce") {
enforce($p); enforce($p);
reload($p); reload($p);
} }
} }
UI_Info(gettext("Reloaded SubDomain profiles in enforce mode.")); UI_Info(gettext("Reloaded SubDomain profiles in enforce mode."));
@@ -169,18 +169,17 @@ UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
exit 0; exit 0;
sub usage { sub usage {
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ -f /path/to/logfile ] [ program to profile ]"), $0)); UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ -f /path/to/logfile ] [ program to profile ]"), $0));
exit 0; exit 0;
} }
sub last_audit_entry_time { sub last_audit_entry_time {
local $_ = `tail -1 /var/log/audit/audit.log`;
local $_ = `tail -1 /var/log/audit/audit.log`; my $logmark;
my $logmark; if (/^*msg\=audit\((\d+\.\d+\:\d+).*\).*$/) {
if ( /^*msg\=audit\((\d+\.\d+\:\d+).*\).*$/ ) { $logmark = $1;
$logmark = $1; } else {
} else { $logmark = "";
$logmark = ""; }
} return $logmark;
return $logmark; }
}

34
utils/logprof
View File

@@ -4,20 +4,20 @@
# #
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Copyright (c) 2005 Novell, Inc. All Rights Reserved. # Copyright (c) 2005 Novell, Inc. All Rights Reserved.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation. # License as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc. # along with this program; if not, contact Novell, Inc.
# #
# To contact Novell about this file by physical or electronic mail, # To contact Novell about this file by physical or electronic mail,
# you may find current contact information at www.novell.com. # you may find current contact information at www.novell.com.
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
@@ -39,24 +39,24 @@ textdomain("apparmor-utils");
setup_yast(); setup_yast();
# options variables # options variables
my $help = ''; my $help = '';
my $logmark; my $logmark;
GetOptions( GetOptions(
'file|f=s' => \$filename, 'file|f=s' => \$filename,
'dir|d=s' => \$profiledir, 'dir|d=s' => \$profiledir,
'logmark|m=s' => \$logmark, 'logmark|m=s' => \$logmark,
'help|h' => \$help, 'help|h' => \$help,
); );
# tell 'em how to use it... # tell 'em how to use it...
&usage && exit if $help; &usage && exit if $help;
# let's convert it to full path... # let's convert it to full path...
$profiledir = get_full_path($profiledir); $profiledir = get_full_path($profiledir);
unless(-d $profiledir) { unless (-d $profiledir) {
fatal_error "Can't find subdomain profiles in $profiledir."; fatal_error "Can't find subdomain profiles in $profiledir.";
} }
# read the settings in /etc/logprof.conf # read the settings in /etc/logprof.conf
@@ -72,7 +72,7 @@ shutdown_yast();
exit 0; exit 0;
sub usage { sub usage {
UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ -f /path/to/logfile ] [ -m \"mark in log to start processing after\""), $0)); UI_Info(sprintf(gettext("usage: \%s [ -d /path/to/profiles ] [ -f /path/to/logfile ] [ -m \"mark in log to start processing after\""), $0));
exit 0; exit 0;
} }

103
utils/unconfined
View File

@@ -4,20 +4,20 @@
# #
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Copyright (c) 2005 Novell, Inc. All Rights Reserved. # Copyright (c) 2005 Novell, Inc. All Rights Reserved.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation. # License as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc. # along with this program; if not, contact Novell, Inc.
# #
# To contact Novell about this file by physical or electronic mail, # To contact Novell about this file by physical or electronic mail,
# you may find current contact information at www.novell.com. # you may find current contact information at www.novell.com.
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# #
@@ -34,74 +34,77 @@ use POSIX;
setlocale(LC_MESSAGES, ""); setlocale(LC_MESSAGES, "");
textdomain("apparmor-utils"); textdomain("apparmor-utils");
# options variables # options variables
my $paranoid = ''; my $paranoid = '';
my $help = ''; my $help = '';
GetOptions( GetOptions(
'paranoid' => \$paranoid, 'paranoid' => \$paranoid,
'help|h' => \$help, 'help|h' => \$help,
); );
# tell 'em how to use it... # tell 'em how to use it...
&usage && exit if $help; &usage && exit if $help;
sub usage { sub usage {
printf (gettext("Usage: %s [ --paranoid ]\n"), $0); printf(gettext("Usage: %s [ --paranoid ]\n"), $0);
exit 0; exit 0;
} }
my $subdomainfs = check_for_subdomain(); my $subdomainfs = check_for_subdomain();
die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.")."\n" unless $subdomainfs; die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.") . "\n"
unless $subdomainfs;
my @pids; my @pids;
if($paranoid) { if ($paranoid) {
opendir(PROC, "/proc") or die gettext("Can't read /proc\n"); opendir(PROC, "/proc") or die gettext("Can't read /proc\n");
@pids = grep { /^\d+$/ } readdir(PROC); @pids = grep { /^\d+$/ } readdir(PROC);
closedir(PROC); closedir(PROC);
} else { } else {
if(open(NETSTAT, "/bin/netstat -nlp |")) { if (open(NETSTAT, "/bin/netstat -nlp |")) {
while(<NETSTAT>) { while (<NETSTAT>) {
chomp; chomp;
push @pids, $5 if /^(tcp|udp)\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)/; push @pids, $5
if /^(tcp|udp)\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)/;
}
close(NETSTAT);
} }
close(NETSTAT);
}
} }
for my $pid (sort { $a <=> $b } @pids) { for my $pid (sort { $a <=> $b } @pids) {
my $prog = readlink "/proc/$pid/exe" or next; my $prog = readlink "/proc/$pid/exe" or next;
my $attr; my $attr;
if(open(CURRENT, "/proc/$pid/attr/current")) { if (open(CURRENT, "/proc/$pid/attr/current")) {
while(<CURRENT>) { while (<CURRENT>) {
chomp; chomp;
$attr = $_ if(/^\// || /^null/); $attr = $_ if (/^\// || /^null/);
}
close(CURRENT);
} }
close(CURRENT); if (not $attr) {
} if ($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
if(not $attr) {
if($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) { #my $scriptname = (split(/\0/, `cat /proc/$pid/cmdline`))[1];
#my $scriptname = (split(/\0/, `cat /proc/$pid/cmdline`))[1]; my $cmdline = `cat /proc/$pid/cmdline`;
my $cmdline = `cat /proc/$pid/cmdline`; $cmdline =~ s/\0/ /g;
$cmdline =~ s/\0/ /g; $cmdline =~ s/\s+$//;
$cmdline =~ s/\s+$//; chomp $cmdline;
chomp $cmdline; print "$pid $prog ($cmdline) " . gettext("not confined\n");
print "$pid $prog ($cmdline) " . gettext("not confined\n"); } else {
print "$pid $prog " . gettext("not confined\n");
}
} else { } else {
print "$pid $prog " . gettext("not confined\n"); if ($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
#my $scriptname = (split(/\0/, `cat /proc/$pid/cmdline`))[1];
my $cmdline = `cat /proc/$pid/cmdline`;
$cmdline =~ s/\0/ /g;
$cmdline =~ s/\s+$//;
chomp $cmdline;
print "$pid $prog ($cmdline) " . gettext("confined by") . " '$attr'\n";
} else {
print "$pid $prog " . gettext("confined by") . " '$attr'\n";
}
} }
} else {
if($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
#my $scriptname = (split(/\0/, `cat /proc/$pid/cmdline`))[1];
my $cmdline = `cat /proc/$pid/cmdline`;
$cmdline =~ s/\0/ /g;
$cmdline =~ s/\s+$//;
chomp $cmdline;
print "$pid $prog ($cmdline) " . gettext("confined by") . " '$attr'\n";
} else {
print "$pid $prog " . gettext("confined by") . " '$attr'\n";
}
}
} }