rule(Update Package Repository): restrict files

Previously any write to a file called sources.list would match the
access_repositories condition, even a file /usr/tmp/..../sources.list.

Change the macro so the files in repository_files must be somewhere
below any of repository_directories.

Also allow programs spawned by package management programs to change
these files, using package_mgmt_ancestor_procs.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
2020-08-27 17:29:37 -07:00
committed by poiana
parent 891965375d
commit 7ae0ce1936

View File

@@ -935,10 +935,12 @@
items: [sources.list]
- list: repository_directories
items: [/etc/apt/sources.list.d, /etc/yum.repos.d]
items: [/etc/apt/sources.list.d, /etc/yum.repos.d, /etc/apt]
- macro: access_repositories
condition: (fd.filename in (repository_files) or fd.directory in (repository_directories))
condition: (fd.directory in (repository_directories) or
(fd.name pmatch (repository_directories) and
fd.filename in (repository_files)))
- macro: modify_repositories
condition: (evt.arg.newpath pmatch (repository_directories))
@@ -951,6 +953,7 @@
condition: >
((open_write and access_repositories) or (modify and modify_repositories))
and not package_mgmt_procs
and not package_mgmt_ancestor_procs
and not exe_running_docker_save
and not user_known_update_package_registry
output: >