{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "profile" -}}
{{- /* Render one AppArmor profile from the parsed structure passed as ".":
       an optional header line, one body line per entry of .Rules (grouped by
       rule type), then the closing brace.
       Every action carries "-" trim markers, so the template's own newlines
       and indentation never reach the output; only the explicit " ", ","
       and "\n" literals below do. The rendered text is the policy that is
       presumably handed to the AppArmor parser, so a dropped qualifier or
       comma here silently changes what is enforced rather than failing
       loudly - keep each rule shape in sync with the parser's grammar.
       Helpers used here but defined elsewhere in the project: typeof, join,
       indent, overindent and the "include", "qualifier" and "comment"
       templates. */ -}}

{{- /* Header line: profile <Name> <Attachments> xattrs=(...) flags=(...) {
       Each part is emitted only when set. Without .Header only the rules
       are rendered, with no braces at all - presumably the rule-list /
       preamble use case; confirm against the callers. */ -}}
{{- with .Header -}}
  {{- "profile" -}}
  {{- with .Name -}}
    {{ " " }}{{ . }}
  {{- end -}}
  {{- with .Attachments -}}
    {{- /* join is a project helper; presumably space-separates the list -
           verify in the template FuncMap. */ -}}
    {{ " " }}{{ join . }}
  {{- end -}}
  {{- with .Attributes -}}
    {{ " xattrs=(" }}{{ join . }}{{ ")" }}
  {{- end -}}
  {{- with .Flags -}}
    {{ " flags=(" }}{{ join . }}{{ ")" }}
  {{- end -}}
  {{- "{\n" -}}
{{- end -}}

{{- /* Rule body. $oldtype remembers the type of the previously rendered rule
       so that one blank line separates consecutive groups of different rule
       types; the first group gets no leading blank line. */ -}}
{{- $oldtype := "" -}}
{{- range .Rules -}}
  {{- $type := typeof . -}}
  {{- /* A bare "Rule" entry stands for an empty line: emit it and skip the
         rest of the loop body. It does not update $oldtype, so the
         group-separator check below looks through it. */ -}}
  {{- if eq $type "Rule" -}}
    {{- "\n" -}}
    {{- continue -}}
  {{- end -}}
  {{- if and (ne $type $oldtype) (ne $oldtype "") -}}
    {{- "\n" -}}
  {{- end -}}
  {{- /* Current indentation for the rule line. indent is a project helper
         not visible here; nested profiles (the recursive "profile" call at
         the end of this chain) presumably rely on it - confirm. */ -}}
  {{- indent "" -}}

  {{- /* One "if" per rule type; exactly one is expected to match $type.
         Most entries share the shape
           <qualifier><keyword> <fields>,<comment>
         where "qualifier" and "comment" are project templates not shown
         here (qualifier presumably renders the audit/deny-style prefix -
         confirm).
         NOTE(review): there is no final "else" - a $type that matches none
         of the branches, or a Userns rule with .Create unset, produces just
         the indentation and the trailing "\n" below, i.e. a whitespace-only
         line, and the rule is silently absent from the policy. If typeof can
         ever return a name not listed here, that is a fail-open path worth
         guarding on the caller side. */ -}}
  {{- if eq $type "Include" -}}
    {{ template "include" . }}
  {{- end -}}

  {{- /* set rlimit <Key> <Op> <Value>,<comment> - the spaces between the
         three fields are literal template text and are intentional. */ -}}
  {{- if eq $type "Rlimit" -}}
    {{ "set rlimit " }}{{ .Key }} {{ .Op }} {{ .Value }}{{ "," }}{{ template "comment" . }}
  {{- end -}}

  {{- /* <qualifier>userns, - emitted only when .Create is set. */ -}}
  {{- if eq $type "Userns" -}}
    {{- if .Create -}}
      {{ template "qualifier" . }}{{ "userns," }}{{ template "comment" . }}
    {{- end -}}
  {{- end -}}

  {{- /* <qualifier>capability <Name>, */ -}}
  {{- if eq $type "Capability" -}}
    {{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comment" . }}
  {{- end -}}

  {{- /* <qualifier>network [<Domain>] [<Type> | <Protocol>],
         .Protocol is rendered only when .Type is empty; when both are set
         .Type wins. */ -}}
  {{- if eq $type "Network" -}}
    {{- template "qualifier" . -}}
    {{ "network" }}
    {{- with .Domain -}}
      {{ " " }}{{ . }}
    {{- end -}}
    {{- with .Type -}}
      {{ " " }}{{ . }}
    {{- else -}}
      {{- with .Protocol -}}
        {{ " " }}{{ . }}
      {{- end -}}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>mount [fstype=<FsType>] [options=(<Options>)] [<Source>]
         [-> <MountPoint>], - every field optional. */ -}}
  {{- if eq $type "Mount" -}}
    {{- template "qualifier" . -}}
    {{- "mount" -}}
    {{- with .FsType -}}
      {{ " fstype=" }}{{ . }}
    {{- end -}}
    {{- with .Options -}}
      {{ " options=(" }}{{ join . }}{{ ")" }}
    {{- end -}}
    {{- with .Source -}}
      {{ " " }}{{ . }}
    {{- end -}}
    {{- with .MountPoint -}}
      {{ " -> " }}{{ . }}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>umount [fstype=<FsType>] [options=(<Options>)]
         [<MountPoint>], - same fields as Mount minus Source; note the mount
         point is emitted after a plain space here, not after "->". */ -}}
  {{- if eq $type "Umount" -}}
    {{- template "qualifier" . -}}
    {{- "umount" -}}
    {{- with .FsType -}}
      {{ " fstype=" }}{{ . }}
    {{- end -}}
    {{- with .Options -}}
      {{ " options=(" }}{{ join . }}{{ ")" }}
    {{- end -}}
    {{- with .MountPoint -}}
      {{ " " }}{{ . }}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>remount [fstype=<FsType>] [options=(<Options>)]
         [<MountPoint>], - identical layout to Umount. */ -}}
  {{- if eq $type "Remount" -}}
    {{- template "qualifier" . -}}
    {{- "remount" -}}
    {{- with .FsType -}}
      {{ " fstype=" }}{{ . }}
    {{- end -}}
    {{- with .Options -}}
      {{ " options=(" }}{{ join . }}{{ ")" }}
    {{- end -}}
    {{- with .MountPoint -}}
      {{ " " }}{{ . }}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>pivot_root [oldroot=<OldRoot>] [<NewRoot>]
         [-> <TargetProfile>], */ -}}
  {{- if eq $type "PivotRoot" -}}
    {{- template "qualifier" . -}}
    {{- "pivot_root" -}}
    {{- with .OldRoot -}}
      {{ " oldroot=" }}{{ . }}
    {{- end -}}
    {{- with .NewRoot -}}
      {{ " " }}{{ . }}
    {{- end -}}
    {{- with .TargetProfile -}}
      {{ " -> " }}{{ . }}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>change_profile [<ExecMode>] [<Exec>] [-> <ProfileName>], */ -}}
  {{- if eq $type "ChangeProfile" -}}
    {{- template "qualifier" . -}}
    {{- "change_profile" -}}
    {{- with .ExecMode -}}
      {{ " " }}{{ . }}
    {{- end -}}
    {{- with .Exec -}}
      {{ " " }}{{ . }}
    {{- end -}}
    {{- with .ProfileName -}}
      {{ " -> " }}{{ . }}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>mqueue [<Access>] [type=<Type>] [label=<Label>] [<Name>], */ -}}
  {{- if eq $type "Mqueue" -}}
    {{- template "qualifier" . -}}
    {{- "mqueue" -}}
    {{- with .Access -}}
      {{ " " }}{{ . }}
    {{- end -}}
    {{- with .Type -}}
      {{ " type=" }}{{ . }}
    {{- end -}}
    {{- with .Label -}}
      {{ " label=" }}{{ . }}
    {{- end -}}
    {{- with .Name -}}
      {{ " " }}{{ . }}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>unix [(<Access>)] [type=<Type>] [protocol=<Protocol>]
         [addr=<Address>] [label=<Label>] [peer=(...)],
         .Access is a single value printed inside parentheses, unlike the
         join-ed option lists above. */ -}}
  {{- if eq $type "Unix" -}}
    {{- template "qualifier" . -}}
    {{- "unix" -}}
    {{- with .Access -}}
      {{ " (" }}{{ . }}{{ ")" }}
    {{- end -}}
    {{- with .Type -}}
      {{ " type=" }}{{ . }}
    {{- end -}}
    {{- with .Protocol -}}
      {{ " protocol=" }}{{ . }}
    {{- end -}}
    {{- with .Address -}}
      {{ " addr=" }}{{ . }}
    {{- end -}}
    {{- with .Label -}}
      {{ " label=" }}{{ . }}
    {{- end -}}
    {{- /* Peer: both label and addr set -> one inline "peer=(label=..., addr=...)"
           after a space; only one set -> rendered through overindent instead.
           NOTE(review): the two branches lay the peer out differently (inline
           vs. overindent), with no "\n" before overindent as Dbus has;
           confirm overindent's output is the intended layout for a single
           peer attribute. */ -}}
    {{- if and .PeerLabel .PeerAddr -}}
      {{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr="}}{{ .PeerAddr }}{{ ")" }}
    {{- else -}}
      {{- with .PeerLabel -}}
        {{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
      {{- end -}}
      {{- with .PeerAddr -}}
        {{ overindent "peer=(addr=" }}{{ . }}{{ ")" }}
      {{- end -}}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>ptrace [(<Access>)] [peer=<Peer>], */ -}}
  {{- if eq $type "Ptrace" -}}
    {{- template "qualifier" . -}}
    {{- "ptrace" -}}
    {{- with .Access -}}
      {{ " (" }}{{ . }}{{ ")" }}
    {{- end -}}
    {{- with .Peer -}}
      {{ " peer=" }}{{ . }}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>signal [(<Access>)] [set=(<Set>)] [peer=<Peer>], */ -}}
  {{- if eq $type "Signal" -}}
    {{- template "qualifier" . -}}
    {{- "signal" -}}
    {{- with .Access -}}
      {{ " (" }}{{ . }}{{ ")" }}
    {{- end -}}
    {{- with .Set -}}
      {{ " set=(" }}{{ . }}{{ ")" }}
    {{- end -}}
    {{- with .Peer -}}
      {{ " peer=" }}{{ . }}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>dbus ... ,
         Two shapes: "bind" rules are a single line (bus= and name= only, no
         peer); every other access renders the access/bus/path on the first
         line, then interface=, member= and peer=(...) each on their own
         overindent-ed line. */ -}}
  {{- if eq $type "Dbus" -}}
    {{- template "qualifier" . -}}
    {{- "dbus" -}}
    {{- if eq .Access "bind" -}}
      {{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
    {{- else -}}
      {{- with .Access -}}
        {{ " " }}{{ . }}
      {{- end -}}
      {{- with .Bus -}}
        {{ " bus=" }}{{ . }}
      {{- end -}}
      {{- with .Path -}}
        {{ " path=" }}{{ . }}
      {{- end -}}
      {{- /* NOTE(review): this "\n" is emitted unconditionally, and the
             interface= and member= lines each end with their own "\n", so a
             non-bind rule without a peer ends with a newline and the ","
             below lands on a line of its own. Presumably only a layout
             wart (the parser treats it as whitespace) - confirm, and
             confirm whether every non-bind rule is guaranteed a peer. */ -}}
      {{ "\n" }}
      {{- with .Interface -}}
        {{ overindent "interface=" }}{{ . }}{{ "\n" }}
      {{- end -}}
      {{- with .Member -}}
        {{ overindent "member=" }}{{ . }}{{ "\n" }}
      {{- end -}}
      {{- /* Peer: both name and label -> one combined peer=(name=..., label=...);
             otherwise whichever of the two is set. */ -}}
      {{- if and .PeerName .PeerLabel -}}
        {{ overindent "peer=(name=" }}{{ .PeerName }}{{ ", label="}}{{ .PeerLabel }}{{ ")" }}
      {{- else -}}
        {{- with .PeerName -}}
          {{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
        {{- end -}}
        {{- with .PeerLabel -}}
          {{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
        {{- end -}}
      {{- end -}}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* <qualifier>[owner ]<Path> <Padding><Access> [-> <Target>],
         .Path and .Access are emitted unconditionally, separated by one
         literal space plus .Padding (presumably column-alignment whitespace
         - confirm). The "owner " prefix comes before the path, exactly where
         the parser expects it. */ -}}
  {{- if eq $type "File" -}}
    {{- template "qualifier" . -}}
    {{- if .Owner -}}
      {{- "owner " -}}
    {{- end -}}
    {{- .Path -}}
    {{- " " -}}
    {{- with .Padding -}}
      {{ . }}
    {{- end -}}
    {{- .Access -}}
    {{- with .Target -}}
      {{ " -> " }}{{ . }}
    {{- end -}}
    {{- "," -}}
    {{- template "comment" . -}}
  {{- end -}}

  {{- /* Nested profile: recurse with the rule as the new ".". No extra
         indentation is added here, so any nesting indent must come from the
         indent helper - confirm. */ -}}
  {{- if eq $type "Profile" -}}
    {{ template "profile" . }}
  {{- end -}}

  {{- /* Terminate the rule line and remember its type for the group
         separator on the next iteration. */ -}}
  {{- "\n" -}}
  {{- $oldtype = $type -}}
{{- end -}}

{{- /* Closing brace, only when a header was opened above. */ -}}
{{- with .Header -}}
  {{- "}\n" -}}
{{- end -}}
{{- end -}}