skipped 21 lines 22 22 task, 23 23 }; 24 24 25 - use crate::{alerts, policy, InodeSubjectMap}; 25 + use crate::{alerts, error : : GuardityError , policy, InodeSubjectMap}; 26 26 27 27 static INODE_SUBJECT_MAP: Lazy<Mutex<InodeSubjectMap>> = 28 28 Lazy::new(|| Mutex::new(InodeSubjectMap::default())); skipped 7 lines 36 36 } 37 37 38 38 impl All { 39 - pub async fn add_policy(&mut self, policy: policy::Policy) -> anyhow : : Result<()> { 39 + pub async fn add_policy(&mut self, policy: policy::Policy) -> Result<(), GuardityError > { 40 40 match policy { 41 41 policy::Policy::FileOpen(policy) => self.file_open.add_policy(policy).await?, 42 42 policy::Policy::TaskFixSetuid(policy) => { skipped 14 lines 57 57 } 58 58 59 59 impl BprmCheckSecurity { 60 - pub async fn alerts(&mut self) -> anyhow : : Result<Receiver<alerts::BprmCheckSecurity>> { 60 + pub async fn alerts(&mut self) -> Result<Receiver<alerts::BprmCheckSecurity>, GuardityError > { 61 61 perf_array_alerts::<ebpf_alerts::BprmCheckSecurity, alerts::BprmCheckSecurity>( 62 62 &mut self.perf_array, 63 63 ) skipped 10 lines 74 74 } 75 75 76 76 impl FileOpen { 77 - pub async fn add_policy(&mut self, policy: policy::FileOpen) -> anyhow : : Result<()> { 77 + pub async fn add_policy(&mut self, policy: policy::FileOpen) -> Result<(), GuardityError > { 78 78 let bin_inode = { 79 79 let mut map = INODE_SUBJECT_MAP.lock().await; 80 80 map.resolve_path(policy.subject)? skipped 8 lines 89 89 Ok(()) 90 90 } 91 91 92 - pub async fn list_policies(&self) -> anyhow : : Result<Vec<policy::FileOpen>> { 92 + pub async fn list_policies(&self) -> Result<Vec<policy::FileOpen>, GuardityError > { 93 93 let mut policies = Vec::new(); 94 94 95 95 for res in self.allowed_map.iter() { skipped 15 lines 111 111 Ok(policies) 112 112 } 113 113 114 - pub async fn alerts(&mut self) -> anyhow : : Result<Receiver<alerts::FileOpen>> { 114 + pub async fn alerts(&mut self) -> Result<Receiver<alerts::FileOpen>, GuardityError > { 115 115 perf_array_alerts::<ebpf_alerts::FileOpen, alerts::FileOpen>(&mut self.perf_array).await 116 116 } 117 117 } skipped 7 lines 125 125 } 126 126 127 127 impl TaskFixSetuid { 128 - pub async fn add_policy(&mut self, policy: policy::TaskFixSetuid) -> anyhow : : Result<()> { 128 + pub async fn add_policy(&mut self, policy: policy::TaskFixSetuid) -> Result<(), GuardityError > { 129 129 let bin_inode = { 130 130 let mut map = INODE_SUBJECT_MAP.lock().await; 131 131 map.resolve_path(policy.subject)? skipped 8 lines 140 140 Ok(()) 141 141 } 142 142 143 - pub async fn list_policies(&self) -> anyhow : : Result<Vec<policy::TaskFixSetuid>> { 143 + pub async fn list_policies(&self) -> Result<Vec<policy::TaskFixSetuid>, GuardityError > { 144 144 let mut policies = Vec::new(); 145 145 146 146 for res in self.allowed_map.iter() { skipped 27 lines 174 174 Ok(policies) 175 175 } 176 176 177 - pub async fn alerts(&mut self) -> anyhow : : Result<Receiver<alerts::TaskFixSetuid>> { 177 + pub async fn alerts(&mut self) -> Result<Receiver<alerts::TaskFixSetuid>, GuardityError > { 178 178 perf_array_alerts::<ebpf_alerts::TaskFixSetuid, alerts::TaskFixSetuid>(&mut self.perf_array) 179 179 .await 180 180 } skipped 8 lines 189 189 } 190 190 191 191 impl SocketBind { 192 - pub async fn add_policy(&mut self, policy: policy::SocketBind) -> anyhow : : Result<()> { 192 + pub async fn add_policy(&mut self, policy: policy::SocketBind) -> Result<(), GuardityError > { 193 193 let bin_inode = { 194 194 let mut map = INODE_SUBJECT_MAP.lock().await; 195 195 map.resolve_path(policy.subject)? skipped 8 lines 204 204 Ok(()) 205 205 } 206 206 207 - pub async fn list_policies(&self) -> anyhow : : Result<Vec<policy::SocketBind>> { 207 + pub async fn list_policies(&self) -> Result<Vec<policy::SocketBind>, GuardityError > { 208 208 let mut policies = Vec::new(); 209 209 210 210 for res in self.allowed_map.iter() { skipped 15 lines 226 226 Ok(policies) 227 227 } 228 228 229 - pub async fn alerts(&mut self) -> anyhow : : Result<Receiver<alerts::SocketBind>> { 229 + pub async fn alerts(&mut self) -> Result<Receiver<alerts::SocketBind>, GuardityError > { 230 230 perf_array_alerts::<ebpf_alerts::SocketBind, alerts::SocketBind>(&mut self.perf_array).await 231 231 } 232 232 } skipped 9 lines 242 242 } 243 243 244 244 impl SocketConnect { 245 - pub async fn add_policy(&mut self, policy: policy::SocketConnect) -> anyhow : : Result<()> { 245 + pub async fn add_policy(&mut self, policy: policy::SocketConnect) -> Result<(), GuardityError > { 246 246 let bin_inode = { 247 247 let mut map = INODE_SUBJECT_MAP.lock().await; 248 248 map.resolve_path(policy.subject)? skipped 10 lines 259 259 Ok(()) 260 260 } 261 261 262 - pub async fn list_policies(&self) -> anyhow : : Result<Vec<policy::SocketConnect>> { 262 + pub async fn list_policies(&self) -> Result<Vec<policy::SocketConnect>, GuardityError > { 263 263 let mut policies = Vec::new(); 264 264 265 265 for res in self.allowed_map_v4.iter() { skipped 7 lines 273 273 map.resolve_inode(bin_inode) 274 274 }; 275 275 276 - let allow = if allow_v4.all() { 277 - if allow_v6.all() { 278 - policy::Addresses::All 279 - } else { 280 - return Err(anyhow::anyhow!("Inconsistent policy state")); 281 - } 276 + let allow = if allow_v4.all() & & allow_v6 . all ( ) { 277 + policy::Addresses::All 282 278 } else { 283 - if allow_v4.all() { 284 - return Err(anyhow::anyhow!("Inconsistent policy state")); 285 - } 286 279 let mut addrs = Vec::new(); 287 280 for addr in allow_v4.addrs.iter() { 281 + if *addr == 0 { 282 + break; 283 + } 288 284 addrs.push(IpAddr::V4(Ipv4Addr::from(addr.to_owned()))); 289 285 } 290 286 for addr in allow_v6.addrs.iter() { 287 + if *addr == [0u8; 16] { 288 + break; 289 + } 291 290 addrs.push(IpAddr::V6(Ipv6Addr::from(addr.to_owned()))); 292 291 } 293 292 policy::Addresses::Addresses(addrs) 294 293 }; 295 - let deny = if deny_v4.all() { 296 - if deny_v6.all() { 297 - policy::Addresses::All 298 - } else { 299 - return Err(anyhow::anyhow!("Inconsistent policy state")); 300 - } 294 + let deny = if deny_v4.all() & & deny_v6 . all ( ) { 295 + policy::Addresses::All 301 296 } else { 302 - if deny_v4.all() { 303 - return Err(anyhow::anyhow!("Inconsistent policy state")); 304 - } 305 297 let mut addrs = Vec::new(); 306 298 for addr in deny_v4.addrs.iter() { 299 + if *addr == 0 { 300 + break; 301 + } 307 302 addrs.push(IpAddr::V4(Ipv4Addr::from(addr.to_owned()))); 308 303 } 309 304 for addr in deny_v6.addrs.iter() { 305 + if *addr == [0u8; 16] { 306 + break; 307 + } 310 308 addrs.push(IpAddr::V6(Ipv6Addr::from(addr.to_owned()))); 311 309 } 312 310 policy::Addresses::Addresses(addrs) skipped 9 lines 322 320 Ok(policies) 323 321 } 324 322 325 - pub async fn alerts(&mut self) -> anyhow : : Result<Receiver<alerts::SocketConnect>> { 323 + pub async fn alerts(&mut self) -> Result<Receiver<alerts::SocketConnect>, GuardityError > { 326 324 perf_array_alerts::<ebpf_alerts::SocketConnect, alerts::SocketConnect>(&mut self.perf_array) 327 325 .await 328 326 } skipped 1 lines 330 328 331 329 pub async fn perf_array_alerts<E, U>( 332 330 perf_array: &mut AsyncPerfEventArray<MapData>, 333 - ) -> anyhow : : Result<Receiver<U>> 331 + ) -> Result<Receiver<U>, GuardityError > 334 332 where 335 333 E: ebpf_alerts::Alert, 336 334 U: alerts::Alert + Debug + Send + From<E> + 'static, skipped 29 lines