lxc-generate-aa-rules.py revision 198b363fff1de9afcee2f26b9aa847316f589afe
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn#!/usr/bin/python3
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallynimport sys
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
blocks = []

#
# blocks is the list of top-level "block" entries read from the config
# file.  add_block() appends to it; add_allow() then hangs the allowed
# sub-paths below the matching entry.  Every entry is a dict
#
#   {'path': <path>, 'children': [<entry>, ...]}
#
# where each child holds ONE path component (the text between two
# slashes) of an allowed path, so the nested dicts form a trie of the
# allowed paths beneath the blocked prefix.  For example:
#
#   blocks[0] = {'path': '/sys',      'children': [A, B]}
#   blocks[1] = {'path': '/proc/sys', 'children': [E]}
#   A = {'path': 'fs',     'children': [C]}
#   C = {'path': 'cgroup', 'children': [F]}
#   B = {'path': 'class',  'children': [D]}
#   D = {'path': 'net',    'children': [F]}
#   E = {'path': 'shm*',   'children': []}
#   F = {'path': '**',     'children': []}
#
# gen_denies() walks this trie to emit AppArmor deny rules for everything
# under each blocked path that is not on an allowed branch.
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
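def add_block(path):
    """Register *path* as a top-level blocked prefix in ``blocks``.

    The path is stripped of surrounding whitespace (config lines arrive
    with their trailing newline still attached) before BOTH the duplicate
    check and the insertion, so a path listed twice is recorded once.
    A new entry starts with an empty ``children`` list, to be filled in
    later by add_allow().
    """
    path = path.strip()
    # Compare the stripped form against the stored (stripped) entries; a
    # raw comparison never matches once the line ends in a newline, and
    # the same block is then registered twice.
    if any(b['path'] == path for b in blocks):
        return
    blocks.append({'path': path, 'children': []})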
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
def child_get(prev, path):
    """Return the entry in *prev* whose 'path' equals *path*, or None.

    *prev* is a list of trie entries (dicts with 'path' and 'children');
    the first match in list order wins.
    """
    matches = (entry for entry in prev if entry['path'] == path)
    return next(matches, None)
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
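def add_allow(path):
    """Record *path* as allowed underneath one of the registered blocks.

    The first entry in ``blocks`` (config order) whose path is a parent
    directory of *path* is chosen.  The remainder of *path* is split on
    '/' and each component is inserted into that block's children trie;
    a component that a sibling already provides reuses the existing node
    (via child_get()) instead of creating a duplicate branch.

    Prints a diagnostic to stderr and exits with status 1 when no block
    contains *path*, or when *path* is the block itself (nothing below it
    to allow).  Diagnostics go to stderr because stdout carries the
    generated profile.
    """
    path = path.strip()
    found = None
    for b in blocks:
        bpath = b['path']
        # Match whole path components only: '/sys' must not claim
        # '/system/x', which a bare prefix comparison would accept.
        prefix = bpath if bpath.endswith('/') else bpath + '/'
        if path.startswith(prefix):
            found = b
            break
    if found is None:
        print("allow with no previous block at %s" % path, file=sys.stderr)
        sys.exit(1)
    rest = path[len(found['path']):].lstrip('/')
    if not rest:
        print("allow at %s names the block itself, nothing to allow below it"
              % path, file=sys.stderr)
        sys.exit(1)
    level = found['children']
    for component in rest.split('/'):
        component = component.strip()
        if not component:
            # '//' in the path; an empty component would later crash
            # gen_denies, which indexes the last character of each name.
            continue
        node = child_get(level, component)
        if node is None:
            node = {'path': component, 'children': []}
            level.append(node)
        # Descend into the node's children list.  Descending into the node
        # dict itself (as before) makes the next component iterate the
        # dict's keys and fail with a TypeError whenever two allowed paths
        # share a leading component.
        level = node['children']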
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
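# Read the rule file: one "<block|allow> <path>" per line, '#' comments
# and blank lines ignored.  The file defaults to ./config and may be
# given as the first argument.
config = "config"
if len(sys.argv) > 1:
    config = sys.argv[1]
with open(config) as f:
    for lineno, raw in enumerate(f, 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        # Anything other than exactly two fields is a mistake in the
        # config.  A silently skipped "block" line would make the generated
        # profile more permissive than intended, so fail loudly instead of
        # treating an unparsable line as blank.
        if len(fields) != 2:
            print("%s:%d: expected '<block|allow> <path>', got: %s"
                  % (config, lineno, line), file=sys.stderr)
            sys.exit(1)
        cmd, path = fields
        if cmd == "block":
            add_block(path)
        elif cmd == "allow":
            add_allow(path)
        else:
            # stderr, not stdout: stdout is the generated profile.
            print("Unknown command: %s" % cmd, file=sys.stderr)
            sys.exit(1)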
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
# Generated AppArmor deny rules, one string per rule.  append_deny() adds
# to it (skipping exact duplicates); the list is sorted and printed at
# the end of the script.
denies = []
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
def collect_chars(children, ref, index):
    """Return the distinct characters found at position *index* in the
    paths of those *children* that agree with *ref* on the first *index*
    characters.

    Children whose path is too short to have a character at *index* are
    ignored.  The characters come back as a string in first-seen order,
    ready to be dropped into an AppArmor ``[^...]`` character class.
    """
    prefix = ref[:index]
    seen = {}
    for child in children:
        name = child['path']
        if len(name) <= index or name[:index] != prefix:
            continue
        seen.setdefault(name[index], None)
    return "".join(seen)
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
def append_deny(s):
    """Add rule *s*, completed with its permission suffix, to ``denies``
    unless an identical rule is already recorded.

    The suffix " wklx," denies write, lock, link and execute access (the
    AppArmor file-permission letters) and terminates the rule.
    """
    rule = "%s wklx," % s
    if rule in denies:
        return
    denies.append(rule)
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
def gen_denies(pathsofar, children):
    """Emit deny rules for everything under *pathsofar* that is not on an
    allowed branch, recursing into the trie *children*.

    For every allowed name at this level the following rules are handed
    to append_deny():

    * for each prefix of the name, ``deny <dir>/<prefix>[^<chars>]*{,/**}``
      where <chars> are the characters the allowed siblings sharing that
      prefix use next (see collect_chars()), so only the allowed
      continuations survive;
    * ``deny <dir>/<name>?*{,/**}`` for a literal name, catching longer
      names that merely start with it;
    * ``deny <dir>/<name>/**`` for a name ending in ``*``, catching
      everything beneath whatever the wildcard matches.

    ``{,/**}`` makes a rule cover both the entry itself and its subtree.
    A name of ``**`` (everything below is allowed) yields no rules, and
    the trailing ``*`` or ``**`` of a wildcard name is not treated as a
    prefix position.
    """
    for node in children:
        name = node['path']
        last = len(name) - 1
        for pos, ch in enumerate(name):
            trailing_star = pos == last and ch == '*'
            trailing_dstar = pos == last - 1 and name[pos:pos + 2] == '**'
            if trailing_star or trailing_dstar:
                continue
            allowed_next = collect_chars(children, name, pos)
            append_deny("deny %s/%s[^%s]*{,/**}"
                        % (pathsofar, name[:pos], allowed_next))
        if name != '**':
            if name[last] == '*':
                append_deny("deny %s/%s/**" % (pathsofar, name))
            else:
                append_deny("deny %s/%s?*{,/**}" % (pathsofar, name))
        if node['children']:
            gen_denies("%s/%s" % (pathsofar, name), node['children'])
198b363fff1de9afcee2f26b9aa847316f589afeSerge Hallyn
for block in blocks:
    gen_denies(block['path'], block['children'])

denies.sort()

# The first output line records how the profile fragment was produced,
# including the command-line arguments (the config path, if given).
genby = " # generated by: lxc-generate-aa-rules.py" + "".join(
    " %s" % arg for arg in sys.argv[1:])
print(genby)
for rule in denies:
    print(" %s" % rule)