def _add_posix1e_acl(self, path, st):
    """Record the POSIX.1e ACLs of *path* on ``self.posix1e_acl``.

    Nothing is recorded when the posix1e module is unavailable, when it
    lacks ``HAS_EXTENDED_CHECK``, when *st* describes a symlink, or when
    the file carries no extended ACL.  Otherwise ``self.posix1e_acl``
    becomes a list of two text renderings of the access ACL (abbreviated
    names, then abbreviated with numeric ids) followed, for directories,
    by the same two renderings of the default ACL.

    Args:
        path: filesystem path handed to posix1e; ACLs are read by name.
        st: stat result for *path*; only ``st_mode`` is consulted.

    Raises:
        EnvironmentError: re-raised from posix1e for any errno other than
            EOPNOTSUPP / ENOSYS (those are treated as "no ACL support").
    """
    if not posix1e or not posix1e.HAS_EXTENDED_CHECK:
        return
    # NOTE(review): symlinks are excluded via *st*, but posix1e resolves
    # the ACL by path, so a path swapped for a symlink after the stat would
    # be followed (classic stat/open race).  Confirm how callers obtain st.
    if stat.S_ISLNK(st.st_mode):
        return

    access_acl = None
    default_acl = None
    try:
        if posix1e.has_extended(path):
            access_acl = posix1e.ACL(file=path)
            if stat.S_ISDIR(st.st_mode):
                default_acl = posix1e.ACL(filedef=path)
    except EnvironmentError as e:
        if e.errno not in (errno.EOPNOTSUPP, errno.ENOSYS):
            raise

    if access_acl is None:
        return
    # One ACL object is rendered twice: symbolic names and numeric ids
    # (presumably so ids survive a restore where names differ — confirm).
    by_name = posix1e.TEXT_ABBREVIATE
    by_id = posix1e.TEXT_ABBREVIATE | posix1e.TEXT_NUMERIC_IDS
    rendered = [access_acl.to_any_text('', '\n', by_name),
                access_acl.to_any_text('', '\n', by_id)]
    if default_acl is not None:
        rendered.append(default_acl.to_any_text('', '\n', by_name))
        rendered.append(default_acl.to_any_text('', '\n', by_id))
    self.posix1e_acl = rendered
def _add_posix1e_acl(self, path, st):
    """Capture the POSIX.1e ACL text of *path* into ``self.posix1e_acl``.

    The attribute is left untouched unless posix1e is importable, exposes
    ``HAS_EXTENDED_CHECK``, *st* is not a symlink and the file actually
    has an extended ACL.  When set, it holds the access ACL rendered with
    abbreviated names and then with numeric ids; for a directory the
    default ACL follows in the same two forms.

    Args:
        path: path passed to posix1e (lookups are by name, not by fd).
        st: stat result whose ``st_mode`` decides symlink/directory.

    Raises:
        EnvironmentError: anything from posix1e except EOPNOTSUPP/ENOSYS,
            which are taken to mean the filesystem has no ACL support.
    """
    if not posix1e or not posix1e.HAS_EXTENDED_CHECK:
        return
    if stat.S_ISLNK(st.st_mode):
        return

    def render(acl):
        # Symbolic form first, numeric-id form second, from one ACL object.
        names = posix1e.TEXT_ABBREVIATE
        ids = posix1e.TEXT_ABBREVIATE | posix1e.TEXT_NUMERIC_IDS
        return [acl.to_any_text('', '\n', names),
                acl.to_any_text('', '\n', ids)]

    access = default = None
    try:
        if posix1e.has_extended(path):
            access = posix1e.ACL(file=path)
            if stat.S_ISDIR(st.st_mode):
                default = posix1e.ACL(filedef=path)
    except EnvironmentError as e:
        if e.errno in (errno.EOPNOTSUPP, errno.ENOSYS):
            pass  # no ACL support here: behave as if there were no ACL
        else:
            raise

    if access is None:
        return
    rep = render(access)
    if default is not None:
        rep += render(default)
    self.posix1e_acl = rep
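def getacls(filepath):
    """Return the POSIX.1e ACLs of *filepath* as text, or None if it has none.

    The access ACL is rendered first; for a directory the default ACL
    follows, each of its lines prefixed with ``default:``.  Errors raised
    by the ACL library (e.g. a filesystem without ACL support) are
    swallowed, so the result may be partial or even '' rather than an
    exception — callers wanting strictness must check the result.

    Args:
        filepath: path as str or unicode.  A unicode path is UTF-8 encoded
            before it reaches posix1e, which does not handle unicode.

    Returns:
        None when posix1e reports no extended ACL, otherwise the rendered
        ACL text ('' if every lookup failed).
    """
    # Encode *before* the first posix1e call: has_extended() is just as
    # unable to cope with unicode as ACL() is, so encoding only after it
    # (as this code used to) still handed posix1e a unicode path.
    if isinstance(filepath, unicode):
        filepath = filepath.encode('utf-8')
    acls = ''
    try:
        if not has_extended(filepath):
            return None
        acls += ACL(file=filepath).to_any_text()
    except (OSError, IOError):
        pass  # best effort: still try the default ACL below
    # Note: isdir() follows symlinks, as do the ACL lookups above.
    if path.isdir(filepath):
        try:
            defaults = ACL(filedef=filepath).to_any_text()
            if defaults:
                defaults = '\n'.join(
                    ['default:' + x for x in defaults.split('\n')])
                acls += '\n' + defaults
        except (OSError, IOError):
            pass
    return acls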
def _add_posix1e_acl(self, path, st):
    """Store the POSIX.1e ACL objects of *path* on ``self.posix1e_acl``.

    Symlinks (per *st*) are skipped.  Otherwise, if posix1e reports an
    extended ACL, ``self.posix1e_acl`` is set to ``[acl, acl]`` for the
    access ACL and, for a directory, extended with ``[def_acl, def_acl]``.
    The same object is stored twice; presumably it is rendered later in a
    text and a numeric-id form — confirm against the consumer.

    Args:
        path: path handed to posix1e.
        st: stat result; only ``st_mode`` is used.

    Raises:
        EnvironmentError: from posix1e, unless errno is EOPNOTSUPP.
            NOTE(review): ENOSYS is not tolerated here; filesystems that
            report it would abort the caller — confirm whether that is wanted.
    """
    if stat.S_ISLNK(st.st_mode):
        return  # never read a link target's ACL on behalf of the link
    try:
        if not posix1e.has_extended(path):
            return
        access = posix1e.ACL(file=path)
        # Assigned before the default lookup so a tolerated failure there
        # still leaves the access ACL recorded.
        self.posix1e_acl = [access, access]
        if stat.S_ISDIR(st.st_mode):
            default = posix1e.ACL(filedef=path)
            self.posix1e_acl += [default, default]
    except EnvironmentError as e:
        if e.errno != errno.EOPNOTSUPP:
            raise
def _add_posix1e_acl(self, path, st):
    """Attach the POSIX.1e ACL objects of *path* to ``self.posix1e_acl``.

    Does nothing when posix1e is unavailable or *st* is a symlink.  When
    the file has an extended ACL the attribute becomes ``[acl, acl]`` and,
    for a directory, grows by ``[def_acl, def_acl]``; each ACL object is
    deliberately stored twice (consumers presumably render a text and a
    numeric-id variant — confirm).

    Args:
        path: path handed to posix1e.
        st: stat result; only ``st_mode`` is consulted.

    Raises:
        EnvironmentError: propagated from posix1e unless errno is
            EOPNOTSUPP (no ACL support on that filesystem).
    """
    if not posix1e:
        return  # module missing on this platform/installation
    if stat.S_ISLNK(st.st_mode):
        return
    is_dir = stat.S_ISDIR(st.st_mode)
    try:
        if posix1e.has_extended(path):
            entry = posix1e.ACL(file=path)
            self.posix1e_acl = [entry] * 2
            if is_dir:
                entry = posix1e.ACL(filedef=path)
                self.posix1e_acl += [entry] * 2
    except EnvironmentError as e:
        if e.errno == errno.EOPNOTSUPP:
            return  # unsupported here: keep whatever was recorded so far
        raise
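def run_analysis_child(aminer_config, program_name):
    """Run the Analysis Child.

    Validates the persistence directory (type, mode, owner) before any
    analysis state is read from it, warns if it carries extended ACLs,
    then hands control to ``AnalysisChild.run_analysis``.

    Args:
        aminer_config: configuration object; ``config_properties`` is read
            for ``KEY_PERSISTENCE_DIR`` (``DEFAULT_PERSISTENCE_DIR`` if
            absent).
        program_name: prefix for the final error message.

    Returns:
        Does not return: exits 0 when run_analysis reports 0, exits 1 on a
        rejected persistence directory or any other run_analysis status.
    """
    # Verify existance and ownership of persistence directory.
    logging.getLogger(
        AMinerConfig.REMOTE_CONTROL_LOG_NAME).info('aminer started.')
    logging.getLogger(AMinerConfig.DEBUG_LOG_NAME).info('aminer started.')
    persistence_dir_name = aminer_config.config_properties.get(
        AMinerConfig.KEY_PERSISTENCE_DIR, AMinerConfig.DEFAULT_PERSISTENCE_DIR)
    from aminer.util import SecureOSFunctions
    if isinstance(persistence_dir_name, str):
        persistence_dir_name = persistence_dir_name.encode()
    persistence_dir_fd = SecureOSFunctions.secure_open_base_directory(
        persistence_dir_name, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH)
    # fstat the descriptor we opened, so the object checked is the one
    # secure_open_base_directory resolved rather than a fresh path lookup.
    stat_result = os.fstat(persistence_dir_fd)
    import stat
    # S_IMODE yields every permission bit (user/group/other rwx plus
    # setuid/setgid/sticky).  Masking with S_IRWXU alone only proved the
    # owner had rwx and let a 0770 or 0777 directory through, contradicting
    # the "access mode 0700 only" requirement in the message below.
    if ((not stat.S_ISDIR(stat_result.st_mode))
            or (stat.S_IMODE(stat_result.st_mode) != 0o700)
            or (stat_result.st_uid != os.getuid())
            or (stat_result.st_gid != os.getgid())):
        msg = 'FATAL: persistence directory "%s" has to be owned by analysis process (uid %d!=%d, gid %d!=%d) and have access mode 0700 ' \
              'only!' % (repr(persistence_dir_name), stat_result.st_uid, os.getuid(), stat_result.st_gid, os.getgid())
        print(msg, file=sys.stderr)
        logging.getLogger(AMinerConfig.DEBUG_LOG_NAME).critical(msg)
        sys.exit(1)
    import posix1e
    # O_PATH is problematic when checking ACL. However it is possible to check the ACL using the file name.
    # NOTE(review): the by-name check re-resolves the path, i.e. it is a
    # separate lookup from the fd validated above, so in principle the two
    # can disagree.  This only warns; it does not refuse to start.
    if posix1e.has_extended(persistence_dir_name):
        msg = 'WARNING: SECURITY: Extended POSIX ACLs are set in %s, but not supported by the aminer. Backdoor access could be possible.'\
              % persistence_dir_name.decode()
        print(msg, file=sys.stderr)
        logging.getLogger(AMinerConfig.DEBUG_LOG_NAME).warning(msg)
    from aminer.AnalysisChild import AnalysisChild
    child = AnalysisChild(program_name, aminer_config)
    # This function call will only return on error or signal induced normal termination.
    child_return_status = child.run_analysis(3)
    if child_return_status == 0:
        sys.exit(0)
    msg = '%s: run_analysis terminated with unexpected status %d' % (
        program_name, child_return_status)
    print(msg, file=sys.stderr)
    logging.getLogger(AMinerConfig.DEBUG_LOG_NAME).error(msg)
    sys.exit(1)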
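def discardeacl(path, followlinks=True):
    """Strip extended POSIX.1e ACL entries from *path*.

    Replaces the access ACL wholesale and then removes any default ACL,
    so only the classic owner/group/other permissions remain.

    Args:
        path: file or directory to reset.
        followlinks: when False a symlink *path* is left untouched;
            otherwise posix1e operates on the link target.

    Raises:
        Whatever posix1e raises (typically OSError) when the ACL cannot
        be read or written.
    """
    if os.path.islink(path) and not followlinks:
        return
    # Cheap pre-check: nothing to do when there are no extended entries.
    # Builds without HAS_EXTENDED_CHECK skip the check and always apply.
    if posix1e.HAS_EXTENDED_CHECK and not posix1e.has_extended(path):
        return
    # Setting a whole new ACL avoids per-entry deletion, which would need
    # level-2 support from the library.
    # NOTE(review): a bare ACL() is empty; a valid access ACL needs
    # user/group/other entries, so confirm the kernel accepts this rather
    # than rejecting it with EINVAL — posix1e.ACL(mode=...) built from the
    # file's mode bits is the usual way to express "no extended entries".
    acl = posix1e.ACL()
    acl.applyto(path)
    posix1e.delete_default(path)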