2024-03-26 00:16:00 +01:00
|
|
|
// apparmor.d - Full set of apparmor profiles
|
|
|
|
// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
|
|
|
package builder
|
|
|
|
|
|
|
|
import (
|
2024-07-16 00:04:35 +02:00
|
|
|
"fmt"
|
2024-03-26 00:16:00 +01:00
|
|
|
"regexp"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/roddhjav/apparmor.d/pkg/aa"
|
|
|
|
"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
|
|
|
|
)
|
|
|
|
|
2024-07-16 00:04:35 +02:00
|
|
|
const tokATTACHMENT = "@{exec_path}"
|
|
|
|
|
2024-03-26 00:16:00 +01:00
|
|
|
var (
|
2024-07-16 00:04:35 +02:00
|
|
|
regAttachments = regexp.MustCompile(`(profile .* ` + tokATTACHMENT + `)`)
|
2024-03-26 00:16:00 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
type Userspace struct {
|
|
|
|
cfg.Base
|
|
|
|
}
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
RegisterBuilder(&Userspace{
|
|
|
|
Base: cfg.Base{
|
|
|
|
Keyword: "userspace",
|
|
|
|
Msg: "Bypass userspace tools restriction",
|
|
|
|
},
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2024-05-25 23:32:10 +02:00
|
|
|
func (b Userspace) Apply(opt *Option, profile string) (string, error) {
|
2024-05-29 22:12:54 +02:00
|
|
|
if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("abstractions")); ok {
|
|
|
|
return profile, nil
|
|
|
|
}
|
|
|
|
if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("tunables")); ok {
|
|
|
|
return profile, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
f := aa.DefaultTunables()
|
2024-06-20 00:24:43 +02:00
|
|
|
if _, err := f.Parse(profile); err != nil {
|
2024-05-29 22:12:54 +02:00
|
|
|
return "", err
|
|
|
|
}
|
2024-07-16 00:04:35 +02:00
|
|
|
if len(f.GetDefaultProfile().Attachments) > 0 &&
|
|
|
|
f.GetDefaultProfile().Attachments[0] != tokATTACHMENT {
|
|
|
|
return "", fmt.Errorf("missing '%s' attachment", tokATTACHMENT)
|
|
|
|
}
|
2024-05-29 22:12:54 +02:00
|
|
|
if err := f.Resolve(); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
2024-07-16 00:04:35 +02:00
|
|
|
|
2024-03-26 00:16:00 +01:00
|
|
|
matches := regAttachments.FindAllString(profile, -1)
|
|
|
|
if len(matches) > 0 {
|
2024-07-16 00:04:35 +02:00
|
|
|
att := f.GetDefaultProfile().GetAttachments()
|
|
|
|
strheader := strings.Replace(matches[0], tokATTACHMENT, att, -1)
|
2024-05-25 23:30:20 +02:00
|
|
|
return regAttachments.ReplaceAllLiteralString(profile, strheader), nil
|
2024-03-26 00:16:00 +01:00
|
|
|
}
|
2024-05-25 23:30:20 +02:00
|
|
|
return profile, nil
|
2024-03-26 00:16:00 +01:00
|
|
|
}
|