コード例 #1
0
def main():

    opts = get_args()

    if opts['ContainerID']:
        container_inspect_raw = None
        for backend in ["podman", "docker"]:
            try:
                run_inspect = subprocess.Popen(
                    [backend, "inspect", opts['ContainerID']],
                    stdout=subprocess.PIPE,
                    stderr=subprocess.DEVNULL)
                inspect_data = run_inspect.communicate()[0]
                if run_inspect.returncode != 0:
                    inspect_data = None
            except FileNotFoundError:
                inspect_data = None

            if inspect_data:
                container_inspect_raw = inspect_data
                break

        if not container_inspect_raw:
            print('Container with specified ID does not exits!')
            exit(3)

    if opts['JsonFile']:
        if opts['JsonFile'] == '-':
            import sys
            container_inspect_raw = sys.stdin.read()
        else:
            import os.path
            if os.path.isfile(opts['JsonFile']):
                with open(opts['JsonFile'], 'r') as f:
                    container_inspect_raw = f.read()
            else:
                print('Json file does not exists!')
                exit(3)

    if (not opts['JsonFile']) and (not opts['ContainerID']):
        try:
            import sys
            container_inspect_raw = sys.stdin.read()
        except Exception as e:
            print('Couldn\'t parse inspect data from stdin:', e)
            exit(3)

    try:
        inspect_format = parse.get_inspect_format(container_inspect_raw)
    except Exception as e:
        print('Couldn\'t parse inspect data:', e)
        exit(3)
    container_inspect = parse_inspect(container_inspect_raw)
    container_mounts = parse.get_mounts(container_inspect, inspect_format)
    container_ports = parse.get_ports(container_inspect, inspect_format)

    # Append allow rules if AVCs log is provided
    append_rules = None
    if opts['FileAVCS']:
        import os.path
        if os.path.isfile(opts['FileAVCS']):
            with open(opts['FileAVCS'], 'r') as f:
                try:
                    append_rules = parse_avc_file(f.read())
                except Exception as e:
                    print('Couldn\'t parse AVC file:', e)
                    exit(3)
            f.close()
        else:
            print('AVC file does not exists!')
            exit(3)

    container_caps = []

    container_caps = parse.get_caps(container_inspect, opts, inspect_format)

    try:
        create_policy(opts, container_caps, container_mounts, container_ports,
                      append_rules, inspect_format)
    except Exception as e:
        print('Couldn\'t create policy:', e)
        exit(4)

    print('\nPolicy ' + opts['ContainerName'] + ' created!')

    if opts['Ansible']:
        generate_playbook(opts)
    else:
        load_policy(opts)

    print('\nRestart the container with: "--security-opt label=type:' +
          opts['ContainerName'] + '.process" parameter')
コード例 #2
0
def main():

    opts = get_args()

    if opts["ContainerID"]:
        container_inspect_raw = None
        for backend in [ENGINE_PODMAN, ENGINE_DOCKER]:
            try:
                run_inspect = subprocess.Popen(
                    [backend, "inspect", opts["ContainerID"]],
                    stdout=subprocess.PIPE,
                    stderr=subprocess.DEVNULL,
                )
                inspect_data = run_inspect.communicate()[0]
                if run_inspect.returncode != 0:
                    inspect_data = None
            except FileNotFoundError:
                inspect_data = None

            if inspect_data:
                container_inspect_raw = inspect_data
                break

        if not container_inspect_raw:
            print("Container with specified ID does not exits!")
            exit(3)

    if opts["JsonFile"]:
        if opts["JsonFile"] == "-":
            import sys

            container_inspect_raw = sys.stdin.read()
        else:
            import os.path

            if os.path.isfile(opts["JsonFile"]):
                with open(opts["JsonFile"], "r") as f:
                    container_inspect_raw = f.read()
            else:
                print("Json file does not exists!")
                exit(3)

    if (not opts["JsonFile"]) and (not opts["ContainerID"]):
        try:
            import sys

            container_inspect_raw = sys.stdin.read()
        except Exception as e:
            print("Couldn't parse inspect data from stdin:", e)
            exit(3)

    try:
        inspect_format = parse.get_inspect_format(container_inspect_raw,
                                                  opts["ContainerEngine"])
    except Exception as e:
        print("Couldn't parse inspect data:", e)
        exit(3)
    container_inspect = parse_inspect(container_inspect_raw,
                                      opts["ContainerEngine"])
    container_mounts = parse.get_mounts(container_inspect, inspect_format)
    container_ports = parse.get_ports(container_inspect, inspect_format)

    # Append allow rules if AVCs log is provided
    append_rules = None
    if opts["FileAVCS"]:
        import os.path

        if os.path.isfile(opts["FileAVCS"]):
            with open(opts["FileAVCS"], "r") as f:
                try:
                    append_rules = parse_avc_file(f.read())
                except Exception as e:
                    print("Couldn't parse AVC file:", e)
                    exit(3)
            f.close()
        else:
            print("AVC file does not exists!")
            exit(3)

    container_caps = []

    container_caps = parse.get_caps(container_inspect, opts, inspect_format)

    try:
        create_policy(
            opts,
            container_caps,
            container_mounts,
            container_ports,
            append_rules,
            inspect_format,
        )
    except Exception as e:
        print("Couldn't create policy:", e)
        exit(4)

    print("\nPolicy " + opts["ContainerName"] + " created!")

    if opts["Ansible"]:
        generate_playbook(opts)
    else:
        load_policy(opts)

    print('\nRestart the container with: "--security-opt label=type:' +
          opts["ContainerName"] + '.process" parameter')
コード例 #3
0
def main():

    opts = get_args()

    if opts['ContainerID']:
        container_inspect_data = None
        for backend in ["podman", "docker"]:
            try:
                run_inspect = subprocess.Popen(
                    [backend, "inspect", opts['ContainerID']],
                    stdout=subprocess.PIPE,
                    stderr=subprocess.DEVNULL)
                inspect_data = run_inspect.communicate()[0]
                if run_inspect.returncode != 0:
                    inspect_data = None
            except FileNotFoundError:
                inspect_data = None

            if inspect_data:
                container_inspect_data = inspect_data
                break

        if not container_inspect_data:
            print('Container with specified ID does not exits!')
            exit(3)

    if opts['JsonFile']:
        if opts['JsonFile'] == '-':
            import sys
            container_inspect_data = sys.stdin.read()
        else:
            import os.path
            if os.path.isfile(opts['JsonFile']):
                with open(opts['JsonFile'], 'r') as f:
                    container_inspect_data = f.read()
            else:
                print('Json file does not exists!')
                exit(3)

    if (not opts['JsonFile']) and (not opts['ContainerID']):
        try:
            import sys
            container_inspect_data = sys.stdin.read()
        except Exception as e:
            print('Couldn\'t parse inspect data from stdin:', e)
            exit(3)

    try:
        container_inspect = parse_inspect(container_inspect_data)
    except Exception as e:
        print('Couldn\'t parse inspect data:', e)
        exit(3)
    container_mounts = container_inspect[0]['Mounts']
    container_ports = container_inspect[0]['NetworkSettings']['Ports']

    try:
        is_podman = parse_is_podman(container_inspect_data)
    except Exception as e:
        print('Couldn\'t parse podman:', e)
        exit(3)

    container_caps = []

    if opts['Caps']:
        if opts['Caps'] == 'None':
            container_caps = []
        else:
            container_caps = opts['Caps'].split(',')
    else:
        if is_podman:
            container_caps = container_inspect[0]['EffectiveCaps']

    try:
        create_policy(opts, container_caps, container_mounts, container_ports)
    except Exception as e:
        print('Couldn\'t create policy:', e)
        exit(4)

    print('\nPolicy ' + opts['ContainerName'] + ' created!')

    if opts['Ansible']:
        generate_playbook(opts)
    else:
        load_policy(opts)

    print('\nRestart the container with: "--security-opt label=type:' +
          opts['ContainerName'] + '.process" parameter')