
used perltidy to clean up the formatting for the perl scripts in the

utils package and manually fixed some places where perltidy's
reformatting made it harder to read.  the options used were--

-i=4    # 4-space indentation
-l=0    # unlimited line length (for now)
-pt=2   # slightly tightened parens
-ce     # cuddled elses
-nolq   # don't outdent long quotes
-nsfs   # don't add spaces in front of semi-colons in for ( ) statements
-isbc   # only indent block comments that have whitespace in front of them
-otr    # don't place a break between a comma and an opening brace

the code will be refactored to make it possible to switch to using 
80-column line-breaks without resorting to really nasty formatting 
constructs.
This commit is contained in:
Jesse Michael
2007-03-20 21:58:38 +00:00
parent f29097e401
commit d8ae032328
11 changed files with 5115 additions and 4774 deletions



@@ -9,7 +9,6 @@
#
# ------------------------------------------------------------------
package Immunix::Severity;
use strict;
use Data::Dumper;
@@ -38,39 +37,49 @@ sub init ($;$) {
$self = shift;
$self->{DATABASENAME} = shift;
$self->{DEFAULT_RANK} = shift if defined $_[0];
open(DATABASE, $self->{DATABASENAME}) or die "Could not open severity db $self->{DATABASENAME}: $!\n";
open(DATABASE, $self->{DATABASENAME})
or die "Could not open severity db $self->{DATABASENAME}: $!\n";
while (<DATABASE>) {
chomp();
next if m/^\s*#/;
next if m/^\s*$/;
# leading whitespace is fine; maybe it shouldn't be?
if(/^\s*\/(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$/) {
if (/^\s*\/(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$/) {
my ($path, $read, $write, $execute) = ($1, $2, $3, $4);
if(index($path, "*") == -1) {
if (index($path, "*") == -1) {
$self->{FILES}{$path} = { r => $read, w => $write, x => $execute };
$self->{FILES}{$path} = {
r => $read,
w => $write,
x => $execute
};
} else {
my $ptr = $self->{REGEXPS};
my @pieces = split(/\//, $path);
while(my $piece = shift @pieces) {
if(index($piece, "*") != -1) {
while (my $piece = shift @pieces) {
if (index($piece, "*") != -1) {
my $path = join("/", $piece, @pieces);
my $regexp = convert_regexp($path);
$ptr->{$regexp}{SD_RANK} = { r => $read, w => $write, x => $execute };
$ptr->{$regexp}{SD_RANK} = {
r => $read,
w => $write,
x => $execute
};
last;
} else {
$ptr->{$piece} = { } unless exists $ptr->{$piece};
$ptr->{$piece} = {} unless exists $ptr->{$piece};
$ptr = $ptr->{$piece};
}
}
}
} elsif (m|^\s*CAP|) {
($resource, $severity) = split;
$self->{CAPABILITIES}{$resource}=$severity;
$self->{CAPABILITIES}{$resource} = $severity;
} else {
print "unexpected database line: $_\n";
}
@@ -112,23 +121,26 @@ sub check_subtree {
my $path = join("/", $first, @rest);
# first check if we have a literal directory match to descend into
if($tree->{$first}) {
if ($tree->{$first}) {
$sev = check_subtree($tree->{$first}, $mode, $sev, @rest);
}
# if we didn't get a severity already, check for matching globs
unless($sev) {
unless ($sev) {
# check each glob at this directory level
for my $chunk (grep { index($_, "*") != -1 } keys %{$tree}) {
# does it match the rest of our path?
if($path =~ /^$chunk$/) {
if ($path =~ /^$chunk$/) {
# if we've got a ranking, check if it's higher than current one, if any
if($tree->{$chunk}->{SD_RANK}) {
# if we've got a ranking, check if it's higher than
# current one, if any
if ($tree->{$chunk}->{SD_RANK}) {
for my $m (split(//, $mode)) {
if((! defined $sev) || $tree->{$chunk}->{SD_RANK}->{$m} > $sev) {
if ((!defined $sev)
|| $tree->{$chunk}->{SD_RANK}->{$m} > $sev)
{
$sev = $tree->{$chunk}->{SD_RANK}->{$m};
}
}
@@ -140,7 +152,6 @@ sub check_subtree {
return $sev;
}
sub handle_file ($$) {
my ($self, $resource, $mode) = @_;
@@ -154,11 +165,11 @@ sub handle_file ($$) {
# if there's a exact match for this path in the db, use that instead of
# checking the globs
if($self->{FILES}{$resource}) {
if ($self->{FILES}{$resource}) {
# check each piece of the passed mode against the db entry
for my $m (split(//, $mode)) {
if((! defined $sev) || $self->{FILES}{$resource}{$m} > $sev) {
if ((!defined $sev) || $self->{FILES}{$resource}{$m} > $sev) {
$sev = $self->{FILES}{$resource}{$m};
}
}
@@ -173,12 +184,12 @@ sub handle_file ($$) {
return (defined $sev) ? $sev : $self->{DEFAULT_RANK};
}
sub rank ($;$) {
my ($self, $resource, $mode) = @_;
if (substr($resource,0,1) eq "/") {
if (substr($resource, 0, 1) eq "/") {
return $self->handle_file($resource, $mode);
} elsif (substr($resource,0,3) eq "CAP") {
} elsif (substr($resource, 0, 3) eq "CAP") {
return $self->handle_capability($resource);
} else {
return "unexpected rank input: $resource\n";
@@ -187,16 +198,22 @@ sub rank ($;$) {
sub convert_regexp ($) {
my ($input) = shift;
# we need to convert subdomain regexps to perl regexps
my $regexp = $input;
# escape + . [ and ] characters
$regexp =~ s/(\+|\.|\[|\])/\\$1/g;
# convert ** globs to match anything
$regexp =~ s/\*\*/.SDPROF_INTERNAL_GLOB/g;
# convert * globs to match anything at current path level
$regexp =~ s/\*/[^\/]SDPROF_INTERNAL_GLOB/g;
# convert {foo,baz} to (foo|baz)
$regexp =~ y/\{\}\,/\(\)\|/ if $regexp =~ /\{.*\,.*\}/;
# twiddle the escaped * chars back
$regexp =~ s/SDPROF_INTERNAL_GLOB/\*/g;
return $regexp;
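Review bot: The severity database is still opened with the two-argument form and a bareword global handle, `open(DATABASE, $self->{DATABASENAME})` in the init hunk (sub init begins before that hunk); in that form a name that starts or ends with `<`, `>` or `|` is parsed as a mode or a pipe rather than as a plain path, and the handle is never closed within the visible lines. The three-argument lexical form pins the mode and scopes the handle: `open(my $db, '<', $self->{DATABASENAME}) or die "Could not open severity db $self->{DATABASENAME}: $!\n";` with `<$db>` in the read loop. Separately, convert_regexp escapes only `+ . [ ]` before its result is interpolated as a pattern in check_subtree's `if ($path =~ /^$chunk$/)`, so other regex metacharacters in a database path (for example `(`, `?`, `$`) pass straight through; escaping every metacharacter except the glob constructs the sub rewrites would make the pattern safe if the database is ever read from a less trusted location. The closing brace of convert_regexp lies outside the hunk.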



@@ -53,9 +53,7 @@ my $syslogfile = "/var/log/messages";
# options variables
my $pidfile = '';
GetOptions(
'pidfile|p=s' => \$pidfile
);
GetOptions('pidfile|p=s' => \$pidfile);
my $DEBUG = 0;
@@ -128,12 +126,12 @@ sub errlog ($) {
sub readconfig () {
my $cfg = { };
my $cfg = {};
# record when we read the config file
$cfg->{load_time} = time;
if(open(CFG, $cfgfile)) {
if (open(CFG, $cfgfile)) {
# yank in the values we need
while (<CFG>) {
@@ -176,7 +174,7 @@ sub parsedate ($) {
sub connect_database ($) {
my $dbdir = shift;
my $dbh = DBI->connect("dbi:SQLite:dbname=$dbdir/events.db","","");
my $dbh = DBI->connect("dbi:SQLite:dbname=$dbdir/events.db", "", "");
# we'll do the commits ourselves so performance doesn't suck
$dbh->{AutoCommit} = 0;
@@ -188,13 +186,13 @@ sub connect_database ($) {
my %existing_tables;
my $sth = $dbh->prepare("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name;");
$sth->execute;
while(my @row = $sth->fetchrow_array) {
$existing_tables{$row[0]} = 1;
while (my @row = $sth->fetchrow_array) {
$existing_tables{ $row[0] } = 1;
}
$sth->finish;
# create the info table and fill in the appropriate values for this db
unless($existing_tables{info}) {
unless ($existing_tables{info}) {
my $host = `hostname -f`;
chomp $host;
@@ -206,8 +204,9 @@ sub connect_database ($) {
}
# create the events table
unless($existing_tables{events}) {
$dbh->do("CREATE TABLE events (
unless ($existing_tables{events}) {
$dbh->do(
"CREATE TABLE events (
id INTEGER PRIMARY KEY AUTOINCREMENT,
time INTEGER NOT NULL,
counter INTEGER NOT NULL,
@@ -220,7 +219,8 @@ sub connect_database ($) {
profile,
prog,
severity INTEGER
)");
)"
);
# set up the indexes we want
my @indexes = qw(time type sdmode mode resource profile prog severity);
@@ -254,10 +254,10 @@ sub verbose_notify_handler {
my $mesg = "The following security events occured since $last:\n\n";
my @events;
if(open(V, $file)) {
while(<V>) {
if (open(V, $file)) {
while (<V>) {
chomp;
if(/^(\d+) (\d+) (.+)$/) {
if (/^(\d+) (\d+) (.+)$/) {
my ($timestamp, $counter, $logmsg) = ($1, $2, $3);
push @events, [ $timestamp, $counter ];
$mesg .= "$logmsg\n";
@@ -265,11 +265,12 @@ sub verbose_notify_handler {
}
close(V);
if(@events) {
if($DEBUG) {
if (@events) {
if ($DEBUG) {
my $count = scalar @events;
errlog "[$count events] sending verbose notification to $email.";
}
# actually send out the notification...
open(MAIL, "| sendmail -F 'AppArmor Security Notification' $email");
print MAIL "To: $email\n";
@@ -298,10 +299,10 @@ sub summary_notify_handler {
my $mesg = "The following security events occured since $last:\n\n";
my @events;
if(open(V, $file)) {
while(<V>) {
if (open(V, $file)) {
while (<V>) {
chomp;
if(/^(\d+) (\d+) (.+)$/) {
if (/^(\d+) (\d+) (.+)$/) {
my ($timestamp, $counter, $logmsg) = ($1, $2, $3);
push @events, [ $timestamp, $counter ];
$mesg .= "$logmsg\n";
@@ -309,11 +310,12 @@ sub summary_notify_handler {
}
close(V);
if(@events) {
if($DEBUG) {
if (@events) {
if ($DEBUG) {
my $count = scalar @events;
errlog "[$count events] sending summary notification to $email.";
}
# actually send out the notification...
open(MAIL, "| sendmail -F 'AppArmor Security Notification' $email");
print MAIL "To: $email\n";
@@ -338,13 +340,12 @@ sub terse_notify_handler {
my $host = `hostname -f`;
chomp $host;
my @events;
my $count = 0;
if(open(V, $file)) {
while(<V>) {
if (open(V, $file)) {
while (<V>) {
chomp;
if(/^(\d+) (\d+) (.+)$/) {
if (/^(\d+) (\d+) (.+)$/) {
my ($timestamp, $counter, $logmsg) = ($1, $2, $3);
push @events, [ $timestamp, $counter ];
$count++;
@@ -352,8 +353,8 @@ sub terse_notify_handler {
}
close(V);
if($count) {
if($DEBUG) {
if ($count) {
if ($DEBUG) {
errlog "[$count events] sending terse notification to $email.";
}
my $subj = "Security Report for $host.";
@@ -378,12 +379,12 @@ sub fork_into_background {
my $pid = fork;
if(not defined $pid) {
if (not defined $pid) {
# something bad happened, just log it...
errlog "couldn't fork for \"$name\": $!"
} elsif($pid == 0) {
} elsif ($pid == 0) {
# we're in the child process now...
@@ -407,11 +408,11 @@ sub process_event ($$) {
my $sth;
my ($time, $mesg);
if($logmsg =~ /^(?:type=(?:APPARMOR|UNKNOWN\[1500\]) msg=|$REdate\s+\S+\s+(?:kernel:\s+)*)audit\((\d+).\d+:\d+\): (.+)$/) {
if ($logmsg =~ /^(?:type=(?:APPARMOR|UNKNOWN\[1500\]) msg=|$REdate\s+\S+\s+(?:kernel:\s+)*)audit\((\d+).\d+:\d+\): (.+)$/) {
($time, $mesg) = ($1, $2);
# have we rolled over to another second yet?
if($time ne $lasttime) {
if ($time ne $lasttime) {
$counter = 0;
$timestamp = $time;
$lasttime = $time;
@@ -420,12 +421,13 @@ sub process_event ($$) {
($time, $mesg) = ($1, $3);
# have we rolled over to another second yet?
if($time ne $lasttime) {
if ($time ne $lasttime) {
$counter = 0;
$timestamp = parsedate($time);
$lasttime = $time;
}
} else {
# not one of ours, just return
return;
}
@@ -437,10 +439,10 @@ sub process_event ($$) {
# if we already have events in the db, make sure we don't try to re-enter
# duplicates if we start up again and parse the same logfile over again
if($last_inserted_time) {
if ($last_inserted_time) {
return if $timestamp < $last_inserted_time;
if($timestamp == $last_inserted_time) {
if ($timestamp == $last_inserted_time) {
return if $counter <= $last_inserted_counter;
}
@@ -448,37 +450,40 @@ sub process_event ($$) {
}
# workaround for syslog uglyness.
if($mesg =~ s/(PERMITTING|REJECTING|AUDITING)-SYSLOGFIX/$1/) {
if ($mesg =~ s/(PERMITTING|REJECTING|AUDITING)-SYSLOGFIX/$1/) {
$mesg =~ s/%%/%/g;
}
if($mesg =~ /(PERMITTING|REJECTING|AUDITING) (\S+) access to (.+?) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
if ($mesg =~ /(PERMITTING|REJECTING|AUDITING) (\S+) access to (.+?) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $mode, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $severity = "";
if($sdmode eq "REJECTING") {
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank($resource, $mode);
# we only do notification for enforce mode events
if($config->{verbose_freq}) {
if(($severity >= $config->{verbose_level}) ||
(($severity == -1) && $config->{verbose_unknown})) {
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if($config->{summary_freq}) {
if(($severity >= $config->{summary_level}) ||
(($severity == -1) && $config->{summary_unknown})) {
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "path", $prog, $mode, $resource ];
}
}
if($config->{terse_freq}) {
if(($severity >= $config->{terse_level}) ||
(($severity == -1) && $config->{terse_unknown})) {
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter, "dummy" ];
}
}
@@ -488,33 +493,36 @@ sub process_event ($$) {
push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ];
$inserts++;
} elsif($mesg =~ /(PERMITTING|REJECTING|AUDITING) link access from (.+?) to (.+?) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
} elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) link access from (.+?) to (.+?) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $link, $target, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $severity = "";
if($sdmode eq "REJECTING") {
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank($target, "l");
# we only do notification for enforce mode events
if($config->{verbose_freq}) {
if(($severity >= $config->{verbose_level}) ||
(($severity == -1) && $config->{verbose_unknown})) {
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if($config->{summary_freq}) {
if(($severity >= $config->{summary_level}) ||
(($severity == -1) && $config->{summary_unknown})) {
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "link", $prog, $link, $target ];
}
}
if($config->{terse_freq}) {
if(($severity >= $config->{terse_level}) ||
(($severity == -1) && $config->{terse_unknown})) {
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter ];
}
}
@@ -523,33 +531,36 @@ sub process_event ($$) {
push @commit_buffer, [ "link", $timestamp, $counter, $profile, $sdmode, $link, $target, $prog, $pid, $severity ];
$inserts++;
} elsif($mesg =~ /(PERMITTING|REJECTING|AUDITING) attribute \((\S*)\) change to (.+)? \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
} elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) attribute \((\S*)\) change to (.+)? \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $attrch, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $severity = "";
if($sdmode eq "REJECTING") {
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank($resource, "w");
# we only do notification for enforce mode events
if($config->{verbose_freq}) {
if(($severity >= $config->{verbose_level}) ||
(($severity == -1) && $config->{verbose_unknown})) {
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if($config->{summary_freq}) {
if(($severity >= $config->{summary_level}) ||
(($severity == -1) && $config->{summary_unknown})) {
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "attrch", $prog, $resource, $attrch ];
}
}
if($config->{terse_freq}) {
if(($severity >= $config->{terse_level}) ||
(($severity == -1) && $config->{terse_unknown})) {
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter ];
}
}
@@ -558,7 +569,7 @@ sub process_event ($$) {
push @commit_buffer, [ "chattr", $timestamp, $counter, $profile, $sdmode, $resource, $attrch, $prog, $pid, $severity ];
$inserts++;
} elsif(m/(PERMITTING|REJECTING) (?:mk|rm)dir on (.+) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
} elsif (m/(PERMITTING|REJECTING) (?:mk|rm)dir on (.+) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6);
$profile .= "^$hat" if $profile ne $hat;
@@ -566,27 +577,30 @@ sub process_event ($$) {
my $mode = "w";
my $severity = "";
if($sdmode eq "REJECTING") {
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank($resource, $mode);
# we only do notification for enforce mode events
if($config->{verbose_freq}) {
if(($severity >= $config->{verbose_level}) ||
(($severity == -1) && $config->{verbose_unknown})) {
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if($config->{summary_freq}) {
if(($severity >= $config->{summary_level}) ||
(($severity == -1) && $config->{summary_unknown})) {
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "path", $prog, $mode, $resource ];
}
}
if($config->{terse_freq}) {
if(($severity >= $config->{terse_level}) ||
(($severity == -1) && $config->{terse_unknown})) {
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter, "dummy" ];
}
}
@@ -595,40 +609,43 @@ sub process_event ($$) {
push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ];
$inserts++;
} elsif(/(PERMITTING|REJECTING) xattr (\S+) on (.+) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
} elsif (/(PERMITTING|REJECTING) xattr (\S+) on (.+) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $xattr_op, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $mode;
if($xattr_op eq "get" || $xattr_op eq "list") {
if ($xattr_op eq "get" || $xattr_op eq "list") {
$mode = "r";
} elsif($xattr_op eq "set" || $xattr_op eq "remove") {
} elsif ($xattr_op eq "set" || $xattr_op eq "remove") {
$mode = "w";
}
my $severity = "";
if($sdmode eq "REJECTING") {
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank($resource, $mode);
# we only do notification for enforce mode events
if($config->{verbose_freq}) {
if(($severity >= $config->{verbose_level}) ||
(($severity == -1) && $config->{verbose_unknown})) {
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if($config->{summary_freq}) {
if(($severity >= $config->{summary_level}) ||
(($severity == -1) && $config->{summary_unknown})) {
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "path", $prog, $mode, $resource ];
}
}
if($config->{terse_freq}) {
if(($severity >= $config->{terse_level}) ||
(($severity == -1) && $config->{terse_unknown})) {
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter, "dummy" ];
}
}
@@ -638,33 +655,36 @@ sub process_event ($$) {
push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ];
$inserts++;
} elsif($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to capability '(.+?)' \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
} elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to capability '(.+?)' \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $capability, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $severity = "";
if($sdmode eq "REJECTING") {
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank(uc("cap_$capability"));
# we only do notification for enforce mode events
if($config->{verbose_freq}) {
if(($severity >= $config->{verbose_level}) ||
(($severity == -1) && $config->{verbose_unknown})) {
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if($config->{summary_freq}) {
if(($severity >= $config->{summary_level}) ||
(($severity == -1) && $config->{summary_unknown})) {
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "capability", $prog, $capability ];
}
}
if($config->{terse_freq}) {
if(($severity >= $config->{terse_level}) ||
(($severity == -1) && $config->{terse_unknown})) {
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter ];
}
}
@@ -673,7 +693,7 @@ sub process_event ($$) {
push @commit_buffer, [ "capability", $timestamp, $counter, $profile, $sdmode, $capability, $prog, $pid, $severity ];
$inserts++;
} elsif($mesg =~ /LOGPROF-HINT unknown_hat (\S+) pid=(\d+) profile=(\S+) active=(\S+)/) {
} elsif ($mesg =~ /LOGPROF-HINT unknown_hat (\S+) pid=(\d+) profile=(\S+) active=(\S+)/) {
my ($uhat, $pid, $profile, $hat) = ($1, $2, $3, $4);
$profile .= "^$hat" if $profile ne $hat;
@@ -681,7 +701,7 @@ sub process_event ($$) {
push @commit_buffer, [ "unknown_hat", $timestamp, $counter, $profile, "PERMITTING", $uhat, $pid ];
$inserts++;
} elsif($mesg =~ /LOGPROF-HINT fork pid=(\d+) child=(\d+) profile=(\S+) active=(\S+)/) {
} elsif ($mesg =~ /LOGPROF-HINT fork pid=(\d+) child=(\d+) profile=(\S+) active=(\S+)/) {
my ($pid, $child, $profile, $hat) = ($1, $2, $3, $4);
$profile .= "^$hat" if $profile ne $hat;
@@ -689,25 +709,25 @@ sub process_event ($$) {
push @commit_buffer, [ "fork", $timestamp, $counter, $profile, "PERMITTING", $pid, $child ];
$inserts++;
} elsif($mesg =~ /LOGPROF-HINT changing_profile pid=(\d+) newprofile=(\S+)/) {
} elsif ($mesg =~ /LOGPROF-HINT changing_profile pid=(\d+) newprofile=(\S+)/) {
my ($pid, $newprofile) = ($1, $2);
push @commit_buffer, [ "changing_profile", $timestamp, $counter, $newprofile, "PERMITTING", $pid ];
$inserts++;
} elsif($mesg =~ /LOGPROF-HINT fork pid=(\d+) child=(\d+)/) {
} elsif ($mesg =~ /LOGPROF-HINT fork pid=(\d+) child=(\d+)/) {
my ($pid, $child) = ($1, $2);
push @commit_buffer, [ "fork", $timestamp, $counter, "null-complain-profile", "PERMITTING", $pid, $child ];
$inserts++;
} elsif($mesg =~ /LOGPROF-HINT changing_profile pid=(\d+)/) {
} elsif ($mesg =~ /LOGPROF-HINT changing_profile pid=(\d+)/) {
my $pid = $1;
push @commit_buffer, [ "changing_profile", $timestamp, $counter, "null-complain-profile", "PERMITTING", $pid ];
$inserts++;
} elsif($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to profile replacement \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
} elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to profile replacement \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
@@ -715,23 +735,26 @@ sub process_event ($$) {
my $severity = 10;
# we only do notification for enforce mode events
if($config->{verbose_freq}) {
if(($severity >= $config->{verbose_level}) ||
(($severity == -1) && $config->{verbose_unknown})) {
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if($config->{summary_freq}) {
if(($severity >= $config->{summary_level}) ||
(($severity == -1) && $config->{summary_unknown})) {
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "profile_replacement", $prog ];
}
}
if($config->{terse_freq}) {
if(($severity >= $config->{terse_level}) ||
(($severity == -1) && $config->{terse_unknown})) {
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter ];
}
}
@@ -739,18 +762,18 @@ sub process_event ($$) {
push @commit_buffer, [ "profile_replacement", $timestamp, $counter, $profile, $sdmode, $prog, $pid, $severity ];
$inserts++;
} elsif($mesg =~ /(SubDomain|AppArmor) protection removed/) {
} elsif ($mesg =~ /(SubDomain|AppArmor) protection removed/) {
push @commit_buffer, [ "removed", $timestamp, $counter, 10 ];
$inserts++;
} elsif($mesg =~ /(SubDomain|AppArmor) \(version (\S+)\) initialized/) {
} elsif ($mesg =~ /(SubDomain|AppArmor) \(version (\S+)\) initialized/) {
my $version = $1;
push @commit_buffer, [ "initialized", $timestamp, $counter, $version, 10 ];
$inserts++;
} elsif($mesg =~ /Control variable '(\S+)' changed to (\S+)/) {
} elsif ($mesg =~ /Control variable '(\S+)' changed to (\S+)/) {
my ($variable, $value) = ($1, $2);
push @commit_buffer, [ "ctrl_var", $timestamp, $counter, $variable, $value, 10 ];
@@ -765,12 +788,12 @@ sub process_event ($$) {
sub dump_events {
my ($which, @events) = @_;
if($DEBUG) {
if ($DEBUG) {
my $count = scalar @events;
errlog "dumping $count events to $which db.";
}
if(open(F, ">>$dbdir/$which.db")) {
if (open(F, ">>$dbdir/$which.db")) {
for my $event (@events) {
my @event = @$event;
print F "@event\n";
@@ -788,16 +811,16 @@ sub check_timers ($) {
my $now = time;
# make sure we commit periodically
if(($inserts > 10000) || ($now >= ($last_flush_time + $timeout))) {
if (($inserts > 10000) || ($now >= ($last_flush_time + $timeout))) {
my $last_prepare = "";
my $sth;
for my $event ( sort { $a->[0] cmp $b->[0] } @commit_buffer ) {
for my $event (sort { $a->[0] cmp $b->[0] } @commit_buffer) {
my @event = @{$event};
my $type = shift @event;
if($type ne $last_prepare) {
if ($type ne $last_prepare) {
$sth = $dbh->prepare("INSERT INTO events $templates{$type};");
$last_prepare = $type;
}
@@ -811,7 +834,7 @@ sub check_timers ($) {
# actually write all this crap to the db
$now = time;
if($DEBUG && $inserts) {
if ($DEBUG && $inserts) {
$total += $inserts;
my $delta = $now - $last_flush_time;
my $rate = int($inserts / $delta);
@@ -820,25 +843,27 @@ sub check_timers ($) {
$last_flush_time = $now;
@commit_buffer = ( );
@commit_buffer = ();
$max = 0;
$inserts = 0;
if(@verbose_buffer) {
if (@verbose_buffer) {
# if we've got verbose events, dump them
dump_events("verbose", @verbose_buffer);
# and clear out our buffer
@verbose_buffer = ( );
@verbose_buffer = ();
}
if(@terse_buffer) {
if (@terse_buffer) {
# if we've got terse events, dump them
dump_events("terse", @terse_buffer);
# and clear out our buffer
@terse_buffer = ( );
@terse_buffer = ();
}
# bail out if we don't have notification configured
@@ -852,7 +877,7 @@ sub check_timers ($) {
# if it's been changed since we last read the config file, we need to
# load the new settings
if($load_time < $mtime) {
if ($load_time < $mtime) {
errlog "Reloading changed config file.";
$config = readconfig();
}
@@ -862,9 +887,9 @@ sub check_timers ($) {
# bail out if we don't have notification configured
return unless -f $cfgfile;
if($config->{terse_freq}) {
if(($terse->{last_notify} + $config->{terse_freq}) <= $now) {
if(-f "$dbdir/terse.db") {
if ($config->{terse_freq}) {
if (($terse->{last_notify} + $config->{terse_freq}) <= $now) {
if (-f "$dbdir/terse.db") {
$DEBUG && errlog "doing terse notification...";
# get a temporary filename...
@@ -873,7 +898,7 @@ sub check_timers ($) {
# overwrite the temp file we just created...
rename("$dbdir/terse.db", $filename);
if($DEBUG) {
if ($DEBUG) {
errlog "terse file is $filename";
}
@@ -892,9 +917,9 @@ sub check_timers ($) {
}
}
if($config->{summary_freq}) {
if(($summary->{last_notify} + $config->{summary_freq}) <= $now) {
if(-f "$dbdir/summary.db") {
if ($config->{summary_freq}) {
if (($summary->{last_notify} + $config->{summary_freq}) <= $now) {
if (-f "$dbdir/summary.db") {
$DEBUG && errlog "doing summary notification...";
# get a temporary filename...
@@ -918,9 +943,9 @@ sub check_timers ($) {
}
}
if($config->{verbose_freq}) {
if(($verbose->{last_notify} + $config->{verbose_freq}) <= $now) {
if(-f "$dbdir/verbose.db") {
if ($config->{verbose_freq}) {
if (($verbose->{last_notify} + $config->{verbose_freq}) <= $now) {
if (-f "$dbdir/verbose.db") {
$DEBUG && errlog "doing verbose notification...";
# get a temporary filename...
@@ -929,7 +954,7 @@ sub check_timers ($) {
# overwrite the temp file we just created...
rename("$dbdir/verbose.db", $filename);
if($DEBUG) {
if ($DEBUG) {
errlog "verbose file is $filename";
}
@@ -954,16 +979,18 @@ sub get_last_event {
my $dbh = shift;
my ($time, $counter);
# get the oldest timestamp...
my $sth = $dbh->prepare('SELECT MAX(time) FROM events');
$sth->execute;
my @row = $sth->fetchrow_array || ( 0 );
my @row = $sth->fetchrow_array || (0);
$time = $row[0];
if($time) {
if ($time) {
# get the highest counter for this timestamp...
$sth = $dbh->prepare("SELECT MAX(counter) FROM events WHERE time = $time");
$sth->execute;
@row = $sth->fetchrow_array || ( 0 );
@row = $sth->fetchrow_array || (0);
$counter = $row[0];
}
@@ -981,12 +1008,13 @@ sub sig_handler {
errlog("Caught signal '$signame'. Exiting...");
$finished = 1;
};
}
# set up our error log without buffering
open(ERRLOG, ">>$dbdir/event-dispatch.log");
my $oldfd = select(ERRLOG); $| = 1; select($oldfd);
my $oldfd = select(ERRLOG);
$| = 1;
select($oldfd);
errlog "Starting...";
@@ -1005,11 +1033,11 @@ $SIG{CHLD} = 'IGNORE';
# Sigh, portable dates in perl sucks
eval "use Date::Parse";
if (!$@) {
$date_module = 'TimeDate'
$date_module = 'TimeDate';
} else {
eval "use Date::Manip";
if (!$@) {
$date_module = 'DateManip'
$date_module = 'DateManip';
} else {
errlog "Unable to load Date module; use either TimeDate or Date::Manip";
$finished = 1;
@@ -1017,8 +1045,8 @@ if (!$@) {
}
# if they want us to write a pid, do it
if($pidfile) {
if(open(PIDFILE, ">$pidfile")) {
if ($pidfile) {
if (open(PIDFILE, ">$pidfile")) {
print PIDFILE "$$\n";
close(PIDFILE);
}
@@ -1028,22 +1056,39 @@ my $dbh = connect_database($dbdir);
($last_inserted_time, $last_inserted_counter) = get_last_event($dbh);
my $auditlog=File::Tail->new(name=>$logfile, debug=>1, tail=>-1, interval=>1, maxinterval=>5, adjustafter=>20, errmode=>"return", ignore_noexistant=>1);
my $syslog=File::Tail->new(name=>$syslogfile, debug=>1, tail=>-1, interval=>1, maxinterval=>5, adjustafter=>20, errmode=>"return", ignore_noexistant=>1);
my $auditlog = File::Tail->new(
name => $logfile,
debug => 1,
tail => -1,
interval => 1,
maxinterval => 5,
adjustafter => 20,
errmode => "return",
ignore_noexistant => 1
);
my $syslog = File::Tail->new(
name => $syslogfile,
debug => 1,
tail => -1,
interval => 1,
maxinterval => 5,
adjustafter => 20,
errmode => "return",
ignore_noexistant => 1
);
my $line = '';
# process complete lines from the buffer...
while (not $finished) {
my ($nfound, $timeleft, @pending) =
File::Tail::select(undef, undef, undef, $timeout, ($auditlog, $syslog));
my ($nfound, $timeleft, @pending) = File::Tail::select(undef, undef, undef, $timeout, ($auditlog, $syslog));
foreach(@pending) {
foreach (@pending) {
process_event($dbh, $_->read);
}
# see if we should flush pending entries to disk and/or do notification
check_timers($dbh);
};
}
# make sure we don't exit with any pending events not written to the db
$dbh->commit || errlog "Error commiting changes: $!";
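Review bot: The notification handlers still open the mailer with a two-argument pipe open and an interpolated recipient, `open(MAIL, "| sendmail -F 'AppArmor Security Notification' $email");` in the verbose_notify_handler and summary_notify_handler hunks (the terse handler's equivalent is outside its hunk), so whatever `$email` holds is passed to a shell unquoted and the open's result is never checked. The list-form pipe open avoids the shell and keeps the handle lexical: `open(my $mail, '|-', 'sendmail', '-F', 'AppArmor Security Notification', $email) or do { errlog "sendmail: $!"; return };`. Two unrelated defects the reformat preserves in process_event: the mkdir/rmdir and xattr branches match against `$_` (`} elsif (m/(PERMITTING|REJECTING) (?:mk|rm)dir on ...` and `} elsif (/(PERMITTING|REJECTING) xattr ...`) instead of `$mesg`, and at that point `$_` appears to be the File::Tail object aliased by the caller's `foreach (@pending)`, so those events can never be recorded; and the `initialized` branch stores `my $version = $1;`, which is the `SubDomain|AppArmor` capture, while the version string is `$2`. Where `$email` comes from is not visible in these hunks, so whether it is operator-controlled configuration is an assumption to confirm.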


@@ -52,7 +52,7 @@ GetOptions(
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
unless (-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1;
}
@@ -63,8 +63,8 @@ readconfig();
# what are we profiling?
my @profiling = @ARGV;
unless(@profiling) {
@profiling = ( UI_GetString("Please enter the program to switch to audit mode: ", "") );
unless (@profiling) {
@profiling = (UI_GetString("Please enter the program to switch to audit mode: ", ""));
}
for my $profiling (@profiling) {
@@ -72,22 +72,22 @@ for my $profiling (@profiling) {
next unless $profiling;
my $fqdbin;
if(-e $profiling) {
if (-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
if($profiling !~ /\//) {
if ($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
if ($which) {
$fqdbin = get_full_path($which);
}
}
}
if(-e $fqdbin) {
if (-e $fqdbin) {
my $filename;
if($fqdbin =~ /^$profiledir\//) {
if ($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else {
$filename = getprofilefilename($fqdbin);
@@ -103,13 +103,14 @@ for my $profiling (@profiling) {
print "\n";
setprofileflags($filename, "audit");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1") if check_for_subdomain();
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1")
if check_for_subdomain();
} else {
if($profiling =~ /^[^\/]+$/) {
if ($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'). $profiling));
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));
exit 1;
}
}
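Review bot: The reformatted `UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));` on the last UI_Info line of this hunk still concatenates `$profiling` onto the format string rather than passing it as an argument, so `%s` is never filled in and any `%` sequence in the user-supplied path is interpreted by sprintf as a directive. It should read `UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling));`, which is the form the genprof section of this same commit already uses for the identical message. The same defect is present in the later "create a profile for" and "switch to enforce mode" sections. The enclosing `for my $profiling (@profiling)` loop starts before this hunk.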


@@ -21,7 +21,6 @@
# you may find current contact information at www.novell.com.
# ----------------------------------------------------------------------
use strict;
use FindBin;
use Getopt::Long;
@@ -60,7 +59,7 @@ my $sd_mountpoint = check_for_subdomain();
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
unless (-d $profiledir) {
UI_Important(sprintf(gettext('Can\'t find subdomain profiles in %s.'), $profiledir));
exit 1;
}
@@ -71,8 +70,8 @@ readconfig();
# what are we profiling?
my @profiling = @ARGV;
unless(@profiling) {
@profiling = ( UI_GetString(gettext("Please enter the program to create a profile for: "), "") );
unless (@profiling) {
@profiling = (UI_GetString(gettext("Please enter the program to create a profile for: "), ""));
}
for my $profiling (@profiling) {
@@ -80,13 +79,13 @@ for my $profiling (@profiling) {
next unless $profiling;
my $fqdbin;
if(-e $profiling) {
if (-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
if($profiling !~ /\//) {
if ($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
if ($which) {
$fqdbin = get_full_path($which);
}
}
@@ -94,27 +93,26 @@ for my $profiling (@profiling) {
# make sure that the app they're requesting to profile is not marked as
# not allowed to have it's own profile
if($qualifiers{$fqdbin}) {
unless($qualifiers{$fqdbin} =~ /p/) {
if ($qualifiers{$fqdbin}) {
unless ($qualifiers{$fqdbin} =~ /p/) {
UI_Info(sprintf(gettext('%s is currently marked as a program that should not have it\'s own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you\'re doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf.'), $fqdbin));
exit 1;
}
}
if(-e $fqdbin) {
if(-e getprofilefilename($fqdbin) && !$force) {
if (-e $fqdbin) {
if (-e getprofilefilename($fqdbin) && !$force) {
UI_Info(sprintf(gettext('Profile for %s already exists - skipping.'), $fqdbin));
} else {
autodep($fqdbin);
reload($fqdbin) if $sd_mountpoint;
}
} else {
if($profiling =~ /^[^\/]+$/) {
if ($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'). $profiling));
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));
exit 1;
}
}
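Review bot: `if (-e $fqdbin) {` in the last hunk, and the `$qualifiers{$fqdbin}` lookup just above it, are evaluated with `$fqdbin` still undefined whenever the earlier `which($profiling)` branch found nothing, which yields uninitialized-value warnings and an undef hash key before the intended "Can't find %s in the system path list" message is reached. The genprof section of this commit guards the same situation with `unless ($fqdbin && -e $fqdbin)`; the equivalent here is `if ($fqdbin && -e $fqdbin) {` and `if ($fqdbin && $qualifiers{$fqdbin}) {`. The "audit mode", "complain mode" and "enforce mode" sections share the unguarded `if (-e $fqdbin)` test. The enclosing for loop starts before this hunk.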


@@ -52,7 +52,7 @@ GetOptions(
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
unless (-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1;
}
@@ -63,8 +63,8 @@ readconfig();
# what are we profiling?
my @profiling = @ARGV;
unless(@profiling) {
@profiling = ( UI_GetString(gettext("Please enter the program to switch to complain mode: "), "") );
unless (@profiling) {
@profiling = (UI_GetString(gettext("Please enter the program to switch to complain mode: "), ""));
}
for my $profiling (@profiling) {
@@ -72,22 +72,22 @@ for my $profiling (@profiling) {
next unless $profiling;
my $fqdbin;
if(-e $profiling) {
if (-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
if($profiling !~ /\//) {
if ($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
if ($which) {
$fqdbin = get_full_path($which);
}
}
}
if(-e $fqdbin) {
if (-e $fqdbin) {
my $filename;
if($fqdbin =~ /^$profiledir\//) {
if ($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else {
$filename = getprofilefilename($fqdbin);
@@ -103,9 +103,10 @@ for my $profiling (@profiling) {
print "\n";
setprofileflags($filename, "complain");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1") if check_for_subdomain();
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1")
if check_for_subdomain();
} else {
if($profiling =~ /^[^\/]+$/) {
if ($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
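Review bot: `system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1")` in the last hunk builds a shell command from `$filename`, which is derived from the user-supplied program name through `which` and `get_full_path`, and from `$profiledir`, so a path containing shell metacharacters is interpreted by the shell rather than treated as a file name. Prefer the list form, which bypasses the shell, e.g. `system($parser, "-I$profiledir", "-r", $filename)` if the parser accepts a profile path argument, or otherwise a list-form `open` pipe; the call's return value is also discarded, so a failed profile reload goes unreported. The same line appears in the "audit mode" and "enforce mode" sections. The enclosing for loop and its else branch continue outside this hunk.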


@@ -52,7 +52,7 @@ GetOptions(
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
unless (-d $profiledir) {
UI_Important("Can't find subdomain profiles in $profiledir.");
exit 1;
}
@@ -63,8 +63,8 @@ readconfig();
# what are we profiling?
my @profiling = @ARGV;
unless(@profiling) {
@profiling = ( UI_GetString(gettext("Please enter the program to switch to enforce mode: "), "") );
unless (@profiling) {
@profiling = (UI_GetString(gettext("Please enter the program to switch to enforce mode: "), ""));
}
for my $profiling (@profiling) {
@@ -72,21 +72,21 @@ for my $profiling (@profiling) {
next unless $profiling;
my $fqdbin;
if(-e $profiling) {
if (-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
if($profiling !~ /\//) {
if ($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
if ($which) {
$fqdbin = get_full_path($which);
}
}
}
if(-e $fqdbin) {
if (-e $fqdbin) {
my $filename;
if($fqdbin =~ /^$profiledir\//) {
if ($fqdbin =~ /^$profiledir\//) {
$filename = $fqdbin;
} else {
$filename = getprofilefilename($fqdbin);
@@ -102,13 +102,14 @@ for my $profiling (@profiling) {
print "\n";
setprofileflags($filename, "");
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1") if check_for_subdomain();
system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1")
if check_for_subdomain();
} else {
if($profiling =~ /^[^\/]+$/) {
if ($profiling =~ /^[^\/]+$/) {
UI_Info(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' as a user with the correct PATH environment set up in order to find the fully-qualified path.'), $profiling, $profiling));
exit 1;
} else {
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'). $profiling));
UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));
exit 1;
}
}
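Review bot: `if ($fqdbin =~ /^$profiledir\//) {` in the earlier hunk of this section interpolates `$profiledir` into the regex unescaped, so a profile directory containing regex metacharacters (`.`, `+`, parentheses) is matched as a pattern rather than as a literal prefix and the wrong branch can be taken when choosing `$filename`. Quote it: `if ($fqdbin =~ /^\Q$profiledir\E\//) {`. The "audit mode" and "complain mode" sections carry the same test. The enclosing for loop starts before the hunk.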


@@ -51,39 +51,40 @@ GetOptions(
&usage && exit if $help;
my $sd_mountpoint = check_for_subdomain();
unless($sd_mountpoint) {
unless ($sd_mountpoint) {
fatal_error(gettext("SubDomain does not appear to be started. Please enable SubDomain and try again."));
}
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
unless (-d $profiledir) {
fatal_error "Can't find subdomain profiles in $profiledir.";
}
# what are we profiling?
my $profiling = shift;
unless($profiling) {
$profiling = UI_GetString(gettext("Please enter the program to profile: "), "") || exit 0;
unless ($profiling) {
$profiling = UI_GetString(gettext("Please enter the program to profile: "), "")
|| exit 0;
}
my $fqdbin;
if(-e $profiling) {
if (-e $profiling) {
$fqdbin = get_full_path($profiling);
chomp($fqdbin);
} else {
if($profiling !~ /\//) {
if ($profiling !~ /\//) {
my $which = which($profiling);
if($which) {
if ($which) {
$fqdbin = get_full_path($which);
}
}
}
unless($fqdbin && -e $fqdbin) {
if($profiling =~ /^[^\/]+$/) {
unless ($fqdbin && -e $fqdbin) {
if ($profiling =~ /^[^\/]+$/) {
fatal_error(sprintf(gettext('Can\'t find %s in the system path list. If the name of the application is correct, please run \'which %s\' in the other window in order to find the fully-qualified path.'), $profiling, $profiling));
} else {
fatal_error(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling));
@@ -95,25 +96,24 @@ readconfig();
# make sure that the app they're requesting to profile is not marked as
# not allowed to have it's own profile
if($qualifiers{$fqdbin}) {
unless($qualifiers{$fqdbin} =~ /p/) {
if ($qualifiers{$fqdbin}) {
unless ($qualifiers{$fqdbin} =~ /p/) {
fatal_error(sprintf(gettext("\%s is currently marked as a program that should not have it's own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you're doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $fqdbin));
}
}
# load all the include files
loadincludes();
my $profilefilename = getprofilefilename($fqdbin);
if(-e $profilefilename) {
if (-e $profilefilename) {
$helpers{$fqdbin} = getprofileflags($profilefilename) || "enforce";
} else {
autodep($fqdbin);
$helpers{$fqdbin} = "enforce";
}
if($helpers{$fqdbin} eq "enforce") {
if ($helpers{$fqdbin} eq "enforce") {
complain($fqdbin);
reload($fqdbin);
}
@@ -124,10 +124,10 @@ my $syslog = 1;
my $logmark = "";
my $done_profiling = 0;
$syslog = 0 if ( -e "/var/log/audit/audit.log" );
$syslog = 0 if (-e "/var/log/audit/audit.log");
while(not $done_profiling) {
if ( $syslog ) {
while (not $done_profiling) {
if ($syslog) {
$logmark = `date | md5sum`;
chomp $logmark;
$logmark = $1 if $logmark =~ /^([0-9a-f]+)/;
@@ -136,14 +136,14 @@ while(not $done_profiling) {
$logmark = last_audit_entry_time();
}
my $q = { };
my $q = {};
$q->{headers} = [ gettext("Profiling"), $fqdbin ];
$q->{functions} = [ "CMD_SCAN", "CMD_FINISHED" ];
$q->{default} = "CMD_SCAN";
my ($ans, $arg) = UI_PromptUser($q);
if($ans eq "CMD_SCAN") {
if ($ans eq "CMD_SCAN") {
my $lp_ret = do_logprof_pass($logmark);
@@ -158,7 +158,7 @@ while(not $done_profiling) {
}
for my $p (sort keys %helpers) {
if($helpers{$p} eq "enforce") {
if ($helpers{$p} eq "enforce") {
enforce($p);
reload($p);
}
@@ -174,10 +174,9 @@ sub usage {
}
sub last_audit_entry_time {
local $_ = `tail -1 /var/log/audit/audit.log`;
my $logmark;
if ( /^*msg\=audit\((\d+\.\d+\:\d+).*\).*$/ ) {
if (/^*msg\=audit\((\d+\.\d+\:\d+).*\).*$/) {
$logmark = $1;
} else {
$logmark = "";
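Review bot: The reformatted `if (/^*msg\=audit\((\d+\.\d+\:\d+).*\).*$/) {` in `last_audit_entry_time` applies `*` to the `^` anchor; Perl reports "Quantifier unexpected on zero-length expression" for this and the effective pattern is unanchored, so the match only works by accident. As far as I know audit.log records begin with `type=`, so a real `^` anchor would never match here; the stray `*` should go and the intended prefix be matched directly, e.g. `if (/msg=audit\((\d+\.\d+:\d+)\)/) {`. The rest of the sub, including its return, lies outside this hunk.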


@@ -55,7 +55,7 @@ GetOptions(
# let's convert it to full path...
$profiledir = get_full_path($profiledir);
unless(-d $profiledir) {
unless (-d $profiledir) {
fatal_error "Can't find subdomain profiles in $profiledir.";
}


@@ -34,7 +34,6 @@ use POSIX;
setlocale(LC_MESSAGES, "");
textdomain("apparmor-utils");
# options variables
my $paranoid = '';
my $help = '';
@@ -48,24 +47,26 @@ GetOptions(
&usage && exit if $help;
sub usage {
printf (gettext("Usage: %s [ --paranoid ]\n"), $0);
printf(gettext("Usage: %s [ --paranoid ]\n"), $0);
exit 0;
}
my $subdomainfs = check_for_subdomain();
die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.")."\n" unless $subdomainfs;
die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.") . "\n"
unless $subdomainfs;
my @pids;
if($paranoid) {
if ($paranoid) {
opendir(PROC, "/proc") or die gettext("Can't read /proc\n");
@pids = grep { /^\d+$/ } readdir(PROC);
closedir(PROC);
} else {
if(open(NETSTAT, "/bin/netstat -nlp |")) {
while(<NETSTAT>) {
if (open(NETSTAT, "/bin/netstat -nlp |")) {
while (<NETSTAT>) {
chomp;
push @pids, $5 if /^(tcp|udp)\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)/;
push @pids, $5
if /^(tcp|udp)\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)/;
}
close(NETSTAT);
}
@@ -74,15 +75,16 @@ if($paranoid) {
for my $pid (sort { $a <=> $b } @pids) {
my $prog = readlink "/proc/$pid/exe" or next;
my $attr;
if(open(CURRENT, "/proc/$pid/attr/current")) {
while(<CURRENT>) {
if (open(CURRENT, "/proc/$pid/attr/current")) {
while (<CURRENT>) {
chomp;
$attr = $_ if(/^\// || /^null/);
$attr = $_ if (/^\// || /^null/);
}
close(CURRENT);
}
if(not $attr) {
if($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
if (not $attr) {
if ($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
#my $scriptname = (split(/\0/, `cat /proc/$pid/cmdline`))[1];
my $cmdline = `cat /proc/$pid/cmdline`;
$cmdline =~ s/\0/ /g;
@@ -93,7 +95,8 @@ for my $pid (sort { $a <=> $b } @pids) {
print "$pid $prog " . gettext("not confined\n");
}
} else {
if($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
if ($prog =~ m/^(\/usr\/bin\/python|\/usr\/bin\/perl|\/bin\/bash)$/) {
#my $scriptname = (split(/\0/, `cat /proc/$pid/cmdline`))[1];
my $cmdline = `cat /proc/$pid/cmdline`;
$cmdline =~ s/\0/ /g;