230
230
return (tm, check_syslog_msg)
235
decoded = bytearray.fromhex(s).decode()
239
# abstract sockets may have trailing NULs
240
return decoded.rstrip('\0')
337
347
entry["log"] = log_re.sub("", line.rstrip())
339
349
if self.display != "seccomp" and aa_re.search(line):
340
(show, rec, msg) = self.make_apparmor_recommendation(line, snap_name)
350
(show, rec, entry["log"], msg) = self.make_apparmor_recommendation(line, snap_name, entry["log"])
342
352
entry["type"] = "AppArmor"
343
353
if msg is not None:
689
699
return (show, rec, msg)
691
def make_apparmor_recommendation(self, line, snap_name):
701
def make_apparmor_recommendation(self, line, snap_name, log):
692
702
def _convert_avc_to_type1400(line):
693
703
"""python3-libapparmor doesn't understand AVC log entries so
694
704
convert audit[...]: AVC ... to
1045
1055
elif event.net_family is not None and event.net_family == "unix":
1046
1056
# Libapparmor doesn't handle unix rules yet, so fake it
1047
addr_re = re.compile(r'.*\s+addr="([^\s]+)".*')
1057
addr_re = re.compile(r'(.*\s+addr=")([^\s]+)(")(.*)')
1048
1058
if addr_re.search(line):
1049
addr = addr_re.sub("\\1", line.rstrip())
1059
addr = addr_re.sub("\\2", line.rstrip())
1050
1060
profile_prefix = "snap.<your snap name>"
1051
1061
if event.profile is not None and event.profile.startswith("snap."):
1052
1062
profile_prefix = "snap.%s" % event.profile.split('.', 2)[1]
1053
rec.append("adjust '%s' to start with '%s.' (eg, '@%s.%s')" % (addr, profile_prefix, profile_prefix, addr[1:]))
1054
rec.append("use 'listen-stream: @%s.%s' for a socket-activated daemon" % (profile_prefix, addr[1:]))
1064
# decode abstract sockets
1065
if addr.startswith('@'):
1066
decoded = "@%s" % _aa_decode(addr[1:])
1068
log = addr_re.sub("\\1\\2\\3(%s)\\4" % decoded, log)
1071
if not addr.startswith("@%s." % profile_prefix):
1072
rec.append("adjust '%s' to start with '%s.' (eg, '@%s.%s')" % (addr, profile_prefix, profile_prefix, addr[1:]))
1073
rec.append("use 'listen-stream: @%s.%s' for a socket-activated daemon" % (profile_prefix, addr[1:]))
1055
1074
# FIXME: unix rules can span multiple lines in the snapd
1057
1076
unix_re = re.compile(
1108
1127
LibAppArmor.free_record(event)
1110
return (show, rec, msg)
1129
return (show, rec, log, msg)
1112
1131
def seccomp_ifaces_allowing_syscall(self, syscall):
1113
1132
global os_release