

Viewing changes to bin/snappy-security-scanlog

  • Committer: Jamie Strandboge
  • Date: 2020-06-10 17:16:35 UTC
  • Revision ID: jamie@ubuntu.com-20200610171635-3d4q2a63uvstbv20
bin/snappy-security-scanlog: decode abstract sockets

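--- a/bin/snappy-security-scanlog
+++ b/bin/snappy-security-scanlog
@@ -230,6 +230,16 @@
     return (tm, check_syslog_msg)
 
 
+def _aa_decode(s):
+    try:
+        decoded = bytearray.fromhex(s).decode()
+    except ValueError:
+        return s
+
+    # abstract sockets may have trailing NULs
+    return decoded.rstrip('\0')
+
+
 class ScanLogs:
     def __init__(
         self,
@@ -337,7 +347,7 @@
             entry["log"] = log_re.sub("", line.rstrip())
 
             if self.display != "seccomp" and aa_re.search(line):
-                (show, rec, msg) = self.make_apparmor_recommendation(line, snap_name)
+                (show, rec, entry["log"], msg) = self.make_apparmor_recommendation(line, snap_name, entry["log"])
                 if show:
                     entry["type"] = "AppArmor"
                 if msg is not None:
@@ -688,7 +698,7 @@
         event = None
         return (show, rec, msg)
 
-    def make_apparmor_recommendation(self, line, snap_name):
+    def make_apparmor_recommendation(self, line, snap_name, log):
         def _convert_avc_to_type1400(line):
             """python3-libapparmor doesn't understand AVC log entries so
                convert audit[...]: AVC ... to
@@ -747,7 +757,7 @@
         # quick exit
         if not show:
             LibAppArmor.free_record(event)
-            return (show, rec, msg)
+            return (show, rec, log, msg)
 
         if (
             event.operation is not None
@@ -1044,14 +1054,23 @@
 
         elif event.net_family is not None and event.net_family == "unix":
             # Libapparmor doesn't handle unix rules yet, so fake it
-            addr_re = re.compile(r'.*\s+addr="([^\s]+)".*')
+            addr_re = re.compile(r'(.*\s+addr=")([^\s]+)(")(.*)')
             if addr_re.search(line):
-                addr = addr_re.sub("\\1", line.rstrip())
+                addr = addr_re.sub("\\2", line.rstrip())
                 profile_prefix = "snap.<your snap name>"
                 if event.profile is not None and event.profile.startswith("snap."):
                     profile_prefix = "snap.%s" % event.profile.split('.', 2)[1]
-                rec.append("adjust '%s' to start with '%s.' (eg, '@%s.%s')" % (addr, profile_prefix, profile_prefix, addr[1:]))
-                rec.append("use 'listen-stream: @%s.%s' for a socket-activated daemon" % (profile_prefix, addr[1:]))
+
+                # decode abstract sockets
+                if addr.startswith('@'):
+                    decoded = "@%s" % _aa_decode(addr[1:])
+                    if decoded != addr:
+                        log = addr_re.sub("\\1\\2\\3(%s)\\4" % decoded, log)
+                        addr = decoded
+
+                if not addr.startswith("@%s." % profile_prefix):
+                    rec.append("adjust '%s' to start with '%s.' (eg, '@%s.%s')" % (addr, profile_prefix, profile_prefix, addr[1:]))
+                    rec.append("use 'listen-stream: @%s.%s' for a socket-activated daemon" % (profile_prefix, addr[1:]))
                 # FIXME: unix rules can span multiple lines in the snapd
                 # policy
                 unix_re = re.compile(
@@ -1107,7 +1126,7 @@
 
         LibAppArmor.free_record(event)
 
-        return (show, rec, msg)
+        return (show, rec, log, msg)
 
     def seccomp_ifaces_allowing_syscall(self, syscall):
         global os_release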
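Review bot: In the `# decode abstract sockets` branch, `decoded` is interpolated into a `re.sub` replacement template, so a socket name that decodes to text containing a backslash is parsed as an escape — `\1` becomes a group reference and an unknown escape such as `\q` raises `re.error`, which nothing in the hunk catches; a callable replacement avoids template parsing: `log = addr_re.sub(lambda m: "%s%s%s(%s)%s" % (m.group(1), m.group(2), m.group(3), decoded, m.group(4)), log)`. Related, `_aa_decode` strips only trailing NULs, so any other control character in a decoded name (the trailing-NUL comment suggests hex encoding is how such bytes reach the audit line in the first place) is written into `log` and the recommendations verbatim and ends up on the user's terminal; I would keep the hex form unless the result is printable: `decoded = decoded.rstrip('\0')` / `return decoded if decoded.isprintable() else s`. `_aa_decode` also treats any even-length run of hex digits as encoded, so a plain name such as `@4142` would be displayed as `@AB`; if that ambiguity is acceptable it deserves a one-line comment on the helper. `make_apparmor_recommendation` begins and ends outside this hunk.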