session-lockdown-no-deny: assert that unconfined executables are platform

Reviewed-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk> Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Differential Revision: https://phabricator.apertis.org/D3773

session-lockdown-no-deny: assert that unconfined executables are platform
Reviewed-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk> Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Differential Revision: https://phabricator.apertis.org/D3773
b0d1cd20 · Simon McVittie · 79289183 · b0d1cd20
Commit b0d1cd20 authored 8 years ago by Simon McVittie
--- a/apparmor/session-lockdown/no-deny
+++ b/apparmor/session-lockdown/no-deny
@@ -97,14 +97,12 @@ def get_processes(profiles):
                    match = re.search("^([^\(]+)\s+\((\w+)\)$", p)
                    if match:
                        processes[filename] = { 'profile' : match.group(1), \
-                                                'mode' : match.group(2) }
-                    elif p.strip() == 'unconfined' and exe in profiles:
-                        # keep only unconfined processes that have a profile defined
-                        processes[filename] = { 'profile' : exe,
-                                                'mode' : 'unconfined' }
+                                                'mode' : match.group(2),
+                                                'exe': exe }
                    elif p.strip() == 'unconfined':
-                        # this is fine: something like process 1 (systemd)
-                        print('# unconfined process {!r} {!r} has no profile, ignoring'.format(filename, exe))
+                        processes[filename] = { 'profile' : exe,
+                                                'mode' : 'unconfined',
+                                                'exe': exe }
                    else:
                        not_ok('process {} {!r} context {!r} could not be '
                               'parsed'.format(filename, exe, p))
@@ -279,6 +277,22 @@ def after_reboot():
        else:
            not_ok('{} should be in enforce mode'.format(profile))

+    # Every unconfined process must be part of the platform
+    for pid, data in sorted(processes.items()):
+        if data['mode'] == 'unconfined':
+            exe = data['exe']
+            if exe.startswith('/usr/Applications/'):
+                not_ok('built-in app {!r} should be confined'.format(exe))
+            elif exe.startswith('/Applications/'):
+                not_ok('store app {!r} should be confined'.format(exe))
+            elif exe.startswith(('/bin/', '/lib/', '/sbin/',
+                                      '/usr/bin/', '/usr/lib/', '/usr/sbin/')):
+                ok('unconfined executable {!r} is part of the '
+                   'platform'.format(exe))
+            else:
+                not_ok('mystery executable {} should be '
+                       'confined'.format(exe))
+
    saw_denial = False

    with subprocess.Popen(['aa_log_extract_tokens.pl', 'REJECTING'],