Fix default rules to reduce overheads 66/177766/9
authorSungbae Yoo <sungbae.yoo@samsung.com>
Thu, 3 May 2018 10:55:53 +0000 (19:55 +0900)
committerSungbae Yoo <sungbae.yoo@samsung.com>
Mon, 14 May 2018 02:17:55 +0000 (11:17 +0900)
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Change-Id: I5365dc708e178eaa844410c6acbdaf142718ebe7

plugins/base-rule-set.cpp
plugins/base-rule-set.h

index a534f9f8f3659a395017c2071a0651aa21d53af3..702ae509daa29beda7f451eefc44b2e1d2b5b6ce 100644 (file)
 
 #include "base-rule-set.h"
 
+namespace {
+
+const unsigned int fileReadSyscalls[] = {
+       __NR_uselib,
+       __NR_open,
+       __NR_openat,
+       __NR_stat,
+       __NR_lstat,
+#ifdef __NR_newstat
+       __NR_newstat,
+#endif
+#ifdef __NR_newlstat
+       __NR_newlstat,
+#endif
+#ifdef __NR_newfstatat
+       __NR_newfstatat,
+#endif
+#ifdef __NR_newfstat
+       __NR_newfstat,
+#endif
+       __NR_stat64,
+       __NR_lstat64,
+       __NR_fstatat64,
+       __NR_getxattr,
+       __NR_lgetxattr,
+       __NR_fgetxattr,
+       __NR_listxattr,
+       __NR_llistxattr,
+       __NR_flistxattr,
+       __NR_faccessat,
+       __NR_access,
+       __NR_chdir,
+       __NR_chroot,
+       __NR_quotactl,
+};
+
+const unsigned int fileWriteSyscalls[] = {
+       __NR_open,
+       __NR_openat,
+       __NR_creat,
+       __NR_acct,
+#ifdef __NR_swapon
+       __NR_swapon,
+#endif
+       __NR_quotactl,
+#ifdef __NR_truncate
+       __NR_truncate,
+#endif
+#ifdef __NR_truncate64
+       __NR_truncate64,
+#endif
+       __NR_renameat,
+       __NR_rename,
+       __NR_mknodat,
+       __NR_mknod,
+       __NR_mkdirat,
+       __NR_mkdir,
+       __NR_rmdir,
+       __NR_unlinkat,
+       __NR_unlink,
+       __NR_symlinkat,
+       __NR_symlink,
+       __NR_linkat,
+       __NR_link,
+};
+
+const unsigned int fileExecSyscalls[] = {
+       __NR_uselib,
+       __NR_execve,
+};
+
+const unsigned int fileChangeAttrSyscalls[] = {
+       __NR_setxattr,
+       __NR_lsetxattr,
+       __NR_fsetxattr,
+       __NR_removexattr,
+       __NR_fremovexattr,
+       __NR_lremovexattr,
+       __NR_chmod,
+       __NR_fchmod,
+       __NR_fchmodat,
+       __NR_chown,
+       __NR_lchown,
+       __NR_fchown,
+       __NR_chown32,
+       __NR_lchown32,
+       __NR_fchown32,
+       __NR_fchownat,
+       __NR_utimes,
+};
+
+void setMaskFileSystemcalls(Rule &rule, unsigned int perm)
+{
+       if (perm & Rule::Perm::r)
+               for (auto syscall : fileReadSyscalls)
+                       rule + syscall;
+
+       if (perm & Rule::Perm::w)
+               for (auto syscall : fileWriteSyscalls)
+                       rule + syscall;
+
+       if (perm & Rule::Perm::x)
+               for (auto syscall : fileExecSyscalls)
+                       rule + syscall;
+
+       if (perm & Rule::Perm::a)
+               for (auto syscall : fileChangeAttrSyscalls)
+                       rule + syscall;
+}
+
+}
+
 void BaseRuleSet::addDir(const std::vector<std::string>& dirs,
-                                               const std::string& tag, Result result)
+                                                       unsigned int perm, Result result)
 {
        for (auto dir : dirs) {
-               WatchDirRule rule(dir, Rule::Perm::r |
-                                                               Rule::Perm::w |
-                                                               Rule::Perm::x);
+               WatchDirRule rule(dir, perm);
+
+               setMaskFileSystemcalls(rule, perm);
 
                switch (result) {
                case FailedOnly:
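Review bot: Several numbers in the new tables are unguarded although this same file wraps them in `#ifdef` elsewhere (`#ifdef __NR_rmdir`, `#ifdef __NR_mknod`, `#ifdef __NR_fchown32` further down), and they are not defined on every target — `__NR_stat64`, `__NR_lstat64`, `__NR_fstatat64`, `__NR_chown32`, `__NR_lchown32`, `__NR_fchown32` are 32-bit-only, while `__NR_stat`, `__NR_lstat`, `__NR_open`, `__NR_access`, `__NR_rename`, `__NR_mkdir`, `__NR_rmdir`, `__NR_unlink`, `__NR_symlink`, `__NR_link`, `__NR_mknod`, `__NR_creat`, `__NR_chmod`, `__NR_chown`, `__NR_lchown`, `__NR_utimes` and `__NR_uselib` are absent from the generic (aarch64) table, so the translation unit will not compile there. Guard each architecture-specific entry exactly as the surrounding code does (`#ifdef __NR_stat64` … `#endif`). The masks also leave gaps against what the permission bit promises: `fileExecSyscalls` lacks `__NR_execveat` and `fileChangeAttrSyscalls` lists `__NR_utimes` but not `__NR_utimensat`, so a Perm::x or Perm::a watch will not see those paths — add them under the same guards. Finally, nothing says why the masks exist; a header such as `// Narrow each watch to the syscalls its Perm bits can reach, so the kernel need not evaluate the watch on every syscall.` above the anonymous namespace would tie the tables to the commit's stated purpose.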
@@ -36,18 +148,17 @@ void BaseRuleSet::addDir(const std::vector<std::string>& dirs,
                default:
                        break;
                }
-
-               add(rule << Tag(tag));
+               add(rule);
        }
 }
 
 void BaseRuleSet::addPath(const std::vector<std::string>& paths,
-                                               const std::string& tag, Result result)
+                                                       unsigned int perm, Result result)
 {
        for (auto path : paths) {
-               WatchPathRule rule(path, Rule::Perm::r |
-                                                                       Rule::Perm::w |
-                                                                       Rule::Perm::x);
+               WatchPathRule rule(path, perm);
+
+               setMaskFileSystemcalls(rule, perm);
 
                switch (result) {
                case FailedOnly:
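Review bot: Dropping `Tag(tag)` from `add(rule)` removes the per-method label from every generated rule; if `Tag` maps to the audit key, records can no longer be attributed to the rule-set method (`useAudit`, `modifyUser`, …) that produced them, which is usually what a consumer filters on. The same removal appears in the addPath and addSyscall hunks, on the `__NR_unlinkat` rule in modifyDirectory and on the two `__NR_execve` rules in switchUser. A key is a label rather than a match condition, so it is unlikely to be the overhead the commit title refers to; either keep the tag or state in the commit message that the key is intentionally abandoned. Separately, `addPath` is now a line-for-line copy of `addDir` differing only in the rule type, so a private template helper taking the rule type would remove the duplication; both functions continue past this hunk.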
@@ -59,16 +170,16 @@ void BaseRuleSet::addPath(const std::vector<std::string>& paths,
                default:
                        break;
                }
-
-               add(rule << Tag(tag));
+               add(rule);
        }
 }
 
-void BaseRuleSet::addSyscall(const std::vector<int>& syscalls,
-                                                       const std::string& tag, Result result)
+void BaseRuleSet::addSyscall(const std::vector<int>& syscalls, Result result)
 {
+       Rule rule;
+
        for (auto syscall : syscalls) {
-               SyscallRule rule(syscall);
+               rule + syscall;
 
                switch (result) {
                case FailedOnly:
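Review bot: With `rule` hoisted out of the loop, `switch (result)` still executes once per syscall on that single rule, so whatever the `FailedOnly` case (and any other non-default case) appends is appended `syscalls.size()` times; the case bodies sit in the next hunk, so this is inferred from the loop shape. Move the switch after the loop, immediately before the final `add(rule)`, so the result filter is attached exactly once: `for (auto syscall : syscalls) rule + syscall;` followed by the single `switch (result)`. If `Rule` de-duplicates fields this is only wasted work; if it does not, the emitted rule may carry repeated fields that the kernel or the rule loader rejects.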
@@ -80,16 +191,16 @@ void BaseRuleSet::addSyscall(const std::vector<int>& syscalls,
                default:
                        break;
                }
-
-               add(rule << Tag(tag));
        }
+
+       add(rule);
 }
 
 void BaseRuleSet::useAudit(Result result)
 {
        addPath({
                "/tmp/.audit-trail.sock",
-       }, __func__, result);
+       }, Rule::Perm::r | Rule::Perm::w | Rule::Perm::x | Rule::Perm::a, result);
 }
 
 void BaseRuleSet::accessFile(Result result)
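Review bot: `add(rule)` after the loop now runs even when `syscalls` is empty, whereas the old per-syscall loop added nothing; a `Rule` with no syscall added is, in audit terms, a filter without a syscall restriction and may match every syscall — the opposite of what the commit sets out to do. Guard it with `if (syscalls.empty()) return;` at the top of `addSyscall`, unless `Rule` itself refuses to emit an unrestricted rule. No caller in this diff passes an empty list, so this is defensive rather than an observed failure.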
@@ -112,7 +223,7 @@ void BaseRuleSet::accessFile(Result result)
 #ifdef __NR_ftruncate64
                __NR_ftruncate64,
 #endif
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::moveFile(Result result)
@@ -129,7 +240,7 @@ void BaseRuleSet::moveFile(Result result)
 #ifdef __NR_renameat2
                __NR_renameat2,
 #endif
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::createSpecialFile(Result result)
@@ -147,7 +258,7 @@ void BaseRuleSet::createSpecialFile(Result result)
                __NR_mknod,
 #endif
                __NR_mknodat,
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::modifyDirectory(Result result)
@@ -160,10 +271,10 @@ void BaseRuleSet::modifyDirectory(Result result)
 #ifdef __NR_rmdir
                __NR_rmdir,
 #endif
-       }, __func__, result);
+       }, result);
 
 #ifdef AT_REMOVEDIR
-       add(SyscallRule(__NR_unlinkat) << Tag(__func__) << Arg3() && AT_REMOVEDIR);
+       add(SyscallRule(__NR_unlinkat) << Arg3() && AT_REMOVEDIR);
 #endif
 }
 
@@ -187,7 +298,7 @@ void BaseRuleSet::changeFileDAC(Result result)
 #ifdef __NR_fchown32
                __NR_fchown32,
 #endif
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::changeFileMAC(Result result)
@@ -199,7 +310,7 @@ void BaseRuleSet::changeFileMAC(Result result)
                __NR_removexattr,
                __NR_lremovexattr,
                __NR_fremovexattr,
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::changeMACPolicy(Result result)
@@ -209,7 +320,7 @@ void BaseRuleSet::changeMACPolicy(Result result)
                "/sys/fs/smackfs",
                "/etc/cynara",
                "/etc/nether",
-       }, __func__, result);
+       }, Rule::Perm::w | Rule::Perm::a, result);
 }
 
 void BaseRuleSet::useSysvIPC(Result result)
@@ -242,7 +353,7 @@ void BaseRuleSet::useSysvIPC(Result result)
 #ifdef __NR_ipc
                __NR_ipc,
 #endif
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::changeStartupConfig(Result result)
@@ -254,7 +365,7 @@ void BaseRuleSet::changeStartupConfig(Result result)
                "/usr/lib/systemd/system",
                "/usr/lib/systemd/user",
                "/usr/lib/systemd/network",
-       }, __func__, result);
+       }, Rule::Perm::w | Rule::Perm::a, result);
 }
 
 void BaseRuleSet::mountDevice(Result result)
@@ -265,14 +376,14 @@ void BaseRuleSet::mountDevice(Result result)
                __NR_umount,
 #endif
                __NR_umount2,
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::changeUmask(Result result)
 {
        addSyscall({
                __NR_umask,
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::createProcess(Result result)
@@ -288,37 +399,37 @@ void BaseRuleSet::createProcess(Result result)
 #ifdef __NR_vfork
                __NR_vfork,
 #endif
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::changeLibraryConfig(Result result)
 {
        addPath({
                "/etc/ld.so.conf",
-       }, __func__, result);
+       }, Rule::Perm::w | Rule::Perm::a, result);
 }
 
 void BaseRuleSet::changeKernelModuleConfig(Result result)
 {
        addDir({
                "/etc/modules-load.d",
-       }, __func__, result);
+       }, Rule::Perm::w | Rule::Perm::a, result);
 //TBD
 }
 
 void BaseRuleSet::useKernelModule(Result result)
 {
        addPath({
-               "/sbin/insmod",
-               "/sbin/rmmod",
-               "/sbin/modprob",
-       }, __func__, result);
+               "/usr/sbin/insmod",
+               "/usr/sbin/rmmod",
+               "/usr/sbin/modprob",
+       }, Rule::Perm::x, result);
 
        addSyscall({
                __NR_init_module,
                __NR_finit_module,
                __NR_delete_module,
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::changeAliases(Result result)
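Review bot: `"/usr/sbin/modprob"` in useKernelModule looks like a truncated `modprobe`; the old line carried the same spelling, but since the path is being rewritten here it is the moment to fix it, otherwise this watch never matches a real file and module loading via modprobe is only caught by the `__NR_init_module`/`__NR_finit_module` rule below. Change it to `"/usr/sbin/modprobe",`. Whether `/sbin` on the target image is a symlink to `/usr/sbin` or a separate directory is not visible here; if it is separate, the old `/sbin/…` paths would still be needed alongside the new ones.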
@@ -326,14 +437,14 @@ void BaseRuleSet::changeAliases(Result result)
        addPath({
                "/etc/aliases",
                "/etc/postfix",
-       }, __func__, result);
+       }, Rule::Perm::w | Rule::Perm::a, result);
 }
 
 void BaseRuleSet::debugging(Result result)
 {
        addSyscall({
                __NR_ptrace,
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::useContainer(Result result)
@@ -341,22 +452,22 @@ void BaseRuleSet::useContainer(Result result)
        addSyscall({
                __NR_unshare,
                __NR_setns,
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::execSpecialCommand(Result result)
 {
-       addPath({
-               "/sbin/",
-       }, __func__, result);
+       addDir({
+               "/usr/sbin/",
+       }, Rule::Perm::x, result);
 }
 
 void BaseRuleSet::changeTime(Result result)
 {
        addPath({
-               "/etc/localtime",
+               "/opt/etc/localtime",
                "/etc/sysconfig/clock",
-       }, __func__, result);
+       }, Rule::Perm::w | Rule::Perm::a, result);
 
        addSyscall({
                __NR_adjtimex,
@@ -366,30 +477,31 @@ void BaseRuleSet::changeTime(Result result)
 #endif
                __NR_clock_settime,
                __NR_clock_adjtime,
-       }, __func__, result);
+       }, result);
 }
 
 void BaseRuleSet::loginUser(Result result)
 {
        addPath({
-               "/var/run/utmp",
-               "/var/run/btmp",
-               "/var/run/wtmp",
-       }, __func__, result);
+               "/run/utmp",
+               "/run/btmp",
+               "/run/wtmp",
+       }, Rule::Perm::w | Rule::Perm::a, result);
 }
 
 void BaseRuleSet::modifyUser(Result result)
 {
        addPath({
-               "/etc/group",
-               "/etc/passwd",
-               "/etc/gshadow",
-               "/etc/shadow",
-       }, __func__, result);
+               "/opt/etc/group",
+               "/opt/etc/passwd",
+               "/opt/etc/gshadow",
+               "/opt/etc/shadow",
+               "/opt/etc/.pwd.lock",
+       }, Rule::Perm::w | Rule::Perm::a, result);
 
        addDir({
                "/etc/security",
-       }, __func__, result);
+       }, Rule::Perm::w | Rule::Perm::a, result);
 }
 
 void BaseRuleSet::switchUser(Result result)
@@ -427,10 +539,10 @@ void BaseRuleSet::switchUser(Result result)
 #ifdef __NR_setfsgid32
                __NR_setfsgid32,
 #endif
-       }, __func__, result);
+       }, result);
 
-       add(SyscallRule(__NR_execve) << Tag(__func__) << (Uid() != 0) << EUid(0));
-       add(SyscallRule(__NR_execve) << Tag(__func__) << (Gid() != 0) << EGid(0));
+       add(SyscallRule(__NR_execve) << (Uid() != 0) << EUid(0));
+       add(SyscallRule(__NR_execve) << (Gid() != 0) << EGid(0));
 }
 
 void BaseRuleSet::changeNetConfig(Result result)
@@ -439,11 +551,16 @@ void BaseRuleSet::changeNetConfig(Result result)
                "/etc/hosts",
                "/etc/system-release",
                "/etc/sysconfig/network",
-       }, __func__, result);
+               "/opt/etc/resolv.conf",
+               "/opt/etc/p2psupp.conf",
+               "/opt/etc/sysinfo/tizenid",
+               "/opt/etc/version",
+       }, Rule::Perm::w | Rule::Perm::a, result);
 
        addDir({
                "/etc/sysconfig/network-scripts",
                "/etc/wpa_supplicant",
                "/etc/wifi-direct",
-       }, __func__, result);
+               "/opt/etc/wpa_supplicant",
+       }, Rule::Perm::w | Rule::Perm::a, result);
 }
index c675acbd20d7762947abd388e58dbe8da76f4f28..19d282a289b69b6ada49af8721ea81bd73b27d7d 100644 (file)
@@ -62,12 +62,11 @@ protected:
        void changeNetConfig(Result result = All);
 
 private:
-       void addDir(const std::vector<std::string>& paths,
-                                       const std::string& tag, Result result);
-       void addPath(const std::vector<std::string>& paths,
-                                       const std::string& tag, Result result);
-       void addSyscall(const std::vector<int>& syscalls,
-                                       const std::string& tag, Result result);
+       void addDir(const std::vector<std::string>& dirs, unsigned int perm,
+                                       Result result);
+       void addPath(const std::vector<std::string>& paths, unsigned int perm,
+                                       Result result);
+       void addSyscall(const std::vector<int>& syscalls, Result result);
 };
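Review bot: The new `perm` parameter on `addDir`/`addPath` is undocumented, and the header does not say that it both sets the watch permission and selects which syscalls the watch is restricted to (that derivation lives in `setMaskFileSystemcalls` in the .cpp). Add `// perm: bitmask of Rule::Perm bits; also narrows the watch to the syscalls those bits can trigger` above the two declarations, and `// all syscalls are emitted as one combined rule` above `addSyscall`, since that is a behavioural change from the previous one-rule-per-syscall form.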
 
 #endif /*__AUDIT_BASE_RULE_SET_H__*/