Commit b0d1cd20 authored by Simon McVittie's avatar Simon McVittie

session-lockdown-no-deny: assert that unconfined executables are platform


Reviewed-by: default avatarSjoerd Simons <sjoerd.simons@collabora.co.uk>
Signed-off-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3773
parent 79289183
......@@ -97,14 +97,12 @@ def get_processes(profiles):
match = re.search("^([^\(]+)\s+\((\w+)\)$", p)
if match:
processes[filename] = { 'profile' : match.group(1), \
'mode' : match.group(2) }
elif p.strip() == 'unconfined' and exe in profiles:
# keep only unconfined processes that have a profile defined
processes[filename] = { 'profile' : exe,
'mode' : 'unconfined' }
'mode' : match.group(2),
'exe': exe }
elif p.strip() == 'unconfined':
# this is fine: something like process 1 (systemd)
print('# unconfined process {!r} {!r} has no profile, ignoring'.format(filename, exe))
processes[filename] = { 'profile' : exe,
'mode' : 'unconfined',
'exe': exe }
else:
not_ok('process {} {!r} context {!r} could not be '
'parsed'.format(filename, exe, p))
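Review bot: The two new dictionary entries that end in `'exe': exe` record whatever `exe` currently holds, and the `unconfined` branch now also stores it as `'profile'`, but nothing in this hunk checks that `exe` is a usable path; get_processes's body starts before the hunk, so how `exe` is obtained is not visible here. If it can be empty or None (for a kernel thread, or when the executable link could not be resolved), the later platform check that calls `exe.startswith(...)` on every unconfined entry would raise instead of reporting a result, so a guard such as `if not exe: not_ok('process {} has no resolvable executable'.format(filename)); continue` ahead of the branches is worth considering. Using the executable path as the `'profile'` value for unconfined processes is also not obvious to a reader; a short comment on the unconfined branch, e.g. `# no AppArmor profile: record the executable so after_reboot() can decide whether it is part of the platform`, would explain why the same value is stored under two keys.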
......@@ -279,6 +277,22 @@ def after_reboot():
else:
not_ok('{} should be in enforce mode'.format(profile))
# Every unconfined process must be part of the platform
for pid, data in sorted(processes.items()):
if data['mode'] == 'unconfined':
exe = data['exe']
if exe.startswith('/usr/Applications/'):
not_ok('built-in app {!r} should be confined'.format(exe))
elif exe.startswith('/Applications/'):
not_ok('store app {!r} should be confined'.format(exe))
elif exe.startswith(('/bin/', '/lib/', '/sbin/',
'/usr/bin/', '/usr/lib/', '/usr/sbin/')):
ok('unconfined executable {!r} is part of the '
'platform'.format(exe))
else:
not_ok('mystery executable {} should be '
'confined'.format(exe))
saw_denial = False
with subprocess.Popen(['aa_log_extract_tokens.pl', 'REJECTING'],