def main(): opts = get_args() if opts['ContainerID']: container_inspect_raw = None for backend in ["podman", "docker"]: try: run_inspect = subprocess.Popen( [backend, "inspect", opts['ContainerID']], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL) inspect_data = run_inspect.communicate()[0] if run_inspect.returncode != 0: inspect_data = None except FileNotFoundError: inspect_data = None if inspect_data: container_inspect_raw = inspect_data break if not container_inspect_raw: print('Container with specified ID does not exits!') exit(3) if opts['JsonFile']: if opts['JsonFile'] == '-': import sys container_inspect_raw = sys.stdin.read() else: import os.path if os.path.isfile(opts['JsonFile']): with open(opts['JsonFile'], 'r') as f: container_inspect_raw = f.read() else: print('Json file does not exists!') exit(3) if (not opts['JsonFile']) and (not opts['ContainerID']): try: import sys container_inspect_raw = sys.stdin.read() except Exception as e: print('Couldn\'t parse inspect data from stdin:', e) exit(3) try: inspect_format = parse.get_inspect_format(container_inspect_raw) except Exception as e: print('Couldn\'t parse inspect data:', e) exit(3) container_inspect = parse_inspect(container_inspect_raw) container_mounts = parse.get_mounts(container_inspect, inspect_format) container_ports = parse.get_ports(container_inspect, inspect_format) # Append allow rules if AVCs log is provided append_rules = None if opts['FileAVCS']: import os.path if os.path.isfile(opts['FileAVCS']): with open(opts['FileAVCS'], 'r') as f: try: append_rules = parse_avc_file(f.read()) except Exception as e: print('Couldn\'t parse AVC file:', e) exit(3) f.close() else: print('AVC file does not exists!') exit(3) container_caps = [] container_caps = parse.get_caps(container_inspect, opts, inspect_format) try: create_policy(opts, container_caps, container_mounts, container_ports, append_rules, inspect_format) except Exception as e: print('Couldn\'t create policy:', e) exit(4) print('\nPolicy ' + opts['ContainerName'] + ' created!') if opts['Ansible']: generate_playbook(opts) else: load_policy(opts) print('\nRestart the container with: "--security-opt label=type:' + opts['ContainerName'] + '.process" parameter')
def main(): opts = get_args() if opts["ContainerID"]: container_inspect_raw = None for backend in [ENGINE_PODMAN, ENGINE_DOCKER]: try: run_inspect = subprocess.Popen( [backend, "inspect", opts["ContainerID"]], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, ) inspect_data = run_inspect.communicate()[0] if run_inspect.returncode != 0: inspect_data = None except FileNotFoundError: inspect_data = None if inspect_data: container_inspect_raw = inspect_data break if not container_inspect_raw: print("Container with specified ID does not exits!") exit(3) if opts["JsonFile"]: if opts["JsonFile"] == "-": import sys container_inspect_raw = sys.stdin.read() else: import os.path if os.path.isfile(opts["JsonFile"]): with open(opts["JsonFile"], "r") as f: container_inspect_raw = f.read() else: print("Json file does not exists!") exit(3) if (not opts["JsonFile"]) and (not opts["ContainerID"]): try: import sys container_inspect_raw = sys.stdin.read() except Exception as e: print("Couldn't parse inspect data from stdin:", e) exit(3) try: inspect_format = parse.get_inspect_format(container_inspect_raw, opts["ContainerEngine"]) except Exception as e: print("Couldn't parse inspect data:", e) exit(3) container_inspect = parse_inspect(container_inspect_raw, opts["ContainerEngine"]) container_mounts = parse.get_mounts(container_inspect, inspect_format) container_ports = parse.get_ports(container_inspect, inspect_format) # Append allow rules if AVCs log is provided append_rules = None if opts["FileAVCS"]: import os.path if os.path.isfile(opts["FileAVCS"]): with open(opts["FileAVCS"], "r") as f: try: append_rules = parse_avc_file(f.read()) except Exception as e: print("Couldn't parse AVC file:", e) exit(3) f.close() else: print("AVC file does not exists!") exit(3) container_caps = [] container_caps = parse.get_caps(container_inspect, opts, inspect_format) try: create_policy( opts, container_caps, container_mounts, container_ports, append_rules, inspect_format, ) except Exception as e: print("Couldn't create policy:", e) exit(4) print("\nPolicy " + opts["ContainerName"] + " created!") if opts["Ansible"]: generate_playbook(opts) else: load_policy(opts) print('\nRestart the container with: "--security-opt label=type:' + opts["ContainerName"] + '.process" parameter')
def main(): opts = get_args() if opts['ContainerID']: container_inspect_data = None for backend in ["podman", "docker"]: try: run_inspect = subprocess.Popen( [backend, "inspect", opts['ContainerID']], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL) inspect_data = run_inspect.communicate()[0] if run_inspect.returncode != 0: inspect_data = None except FileNotFoundError: inspect_data = None if inspect_data: container_inspect_data = inspect_data break if not container_inspect_data: print('Container with specified ID does not exits!') exit(3) if opts['JsonFile']: if opts['JsonFile'] == '-': import sys container_inspect_data = sys.stdin.read() else: import os.path if os.path.isfile(opts['JsonFile']): with open(opts['JsonFile'], 'r') as f: container_inspect_data = f.read() else: print('Json file does not exists!') exit(3) if (not opts['JsonFile']) and (not opts['ContainerID']): try: import sys container_inspect_data = sys.stdin.read() except Exception as e: print('Couldn\'t parse inspect data from stdin:', e) exit(3) try: container_inspect = parse_inspect(container_inspect_data) except Exception as e: print('Couldn\'t parse inspect data:', e) exit(3) container_mounts = container_inspect[0]['Mounts'] container_ports = container_inspect[0]['NetworkSettings']['Ports'] try: is_podman = parse_is_podman(container_inspect_data) except Exception as e: print('Couldn\'t parse podman:', e) exit(3) container_caps = [] if opts['Caps']: if opts['Caps'] == 'None': container_caps = [] else: container_caps = opts['Caps'].split(',') else: if is_podman: container_caps = container_inspect[0]['EffectiveCaps'] try: create_policy(opts, container_caps, container_mounts, container_ports) except Exception as e: print('Couldn\'t create policy:', e) exit(4) print('\nPolicy ' + opts['ContainerName'] + ' created!') if opts['Ansible']: generate_playbook(opts) else: load_policy(opts) print('\nRestart the container with: "--security-opt label=type:' + opts['ContainerName'] + '.process" parameter')