Commit

Quick code review
hubertqc committed May 18, 2024
1 parent 4923c82 commit 7a4b813
Showing 2 changed files with 18 additions and 5 deletions.
21 changes: 17 additions & 4 deletions README.md
Expand Up @@ -156,13 +156,19 @@ Springboot application to offload arbitrary code and use it.

#### allow_springboot_purge_logs (default: `false`)

When switched to `true`n, this boolean allows the Springboot application to delete its log
files. It can be useful for log file rotation, but it can also be useful for attackers who
would like to clean after themselves and remove traces of their actions...
When switched to `true`, this boolean allows the Springboot application to delete its log
files. It can be useful for "in Java app" logging framework initiated log file rotation.
But it can also be useful for attackers who would like to clean after themselves and remove traces of their actions...

#### allow_springboot_rewrite_logs (default: `false`)

When switched to `true`, this boolean allows the Springboot application to rewrite its own
log files. It can prove useful when the logging framework cannot work in "append only" mode".
But it can also be useful for attackers who would like to clean after themselves and remove traces of their actions...

#### allow_webadm_read_springboot_files (default: `false`)

Users running with the `webadm_r`SELinux role and`webadm_t`domain are granted the
Users running with the `webadm_r` SELinux role and`webadm_t` domain are granted the
permissions to browse the directories of the Springboot application and the permission to
stop and start the Springboot application **systemd** services, as well as querying their
status.
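
Review bot: The new `allow_springboot_rewrite_logs` section documents a boolean that nothing else in this commit touches: the only change to `se_module/springboot.te` is the one-line fix inside `if (allow_springboot_purge_logs)`. Please confirm the boolean is already declared and used in the policy, otherwise the README describes a switch that has no effect. Two wording slips remain in the added lines: the stray closing quote in `"append only" mode".` and the missing space in "role and`webadm_t` domain".
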
Expand Down Expand Up @@ -264,6 +270,13 @@ is also supported.

### Running multiple Springboot applications on the same host

#### Without isolation

Nothing special needs to be done.
Care must be taken to name each Springboot apps properly and to properly use systemd/systemctl to manage each one.

#### With isolation between the Springboot apps

TO DO

## Related projects
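
Review bot: The "Without isolation" text says "Nothing special needs to be done" but never states what the applications then share. Since the README itself warns that the log booleans can help an attacker remove traces, say explicitly whether all applications run in the same domain with the same log type, so readers can judge what one application can do to another's files. Also, "each Springboot apps" should read "each Springboot app", "name ... properly" should point to the naming rule that is expected, and the bare "TO DO" under "With isolation between the Springboot apps" would be better as a link to a tracking issue.
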
2 changes: 1 addition & 1 deletion se_module/springboot.te
Expand Up @@ -386,7 +386,7 @@ allow springboot_t springboot_log_t:file { create_file_perms append_file_perms
logging_log_filetrans(springboot_t, springboot_log_t, { file dir } )

if (allow_springboot_purge_logs) {
allow springboot_t springboot_log_t:dir del_entry_dir_perms_dir_perms;
allow springboot_t springboot_log_t:dir del_entry_dir_perms;
allow springboot_t springboot_log_t:file delete_file_perms;
}
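
Review bot: The commit message "Quick code review" does not mention that the `springboot_log_t:dir` rule inside `if (allow_springboot_purge_logs)` changes from `del_entry_dir_perms_dir_perms` to `del_entry_dir_perms`, which is a functional policy change rather than a documentation edit. Call it out in the message, and since this block is what permits log deletion, check after rebuilding the module that deletion in the log directory succeeds with the boolean on and is denied with it off.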
