2024-04-15 00:58:34 +02:00
|
|
|
// apparmor.d - Full set of apparmor profiles
|
|
|
|
// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
|
|
|
package aa
|
|
|
|
|
|
|
|
import (
|
2024-05-27 19:55:21 +02:00
|
|
|
"fmt"
|
|
|
|
"strings"
|
2024-05-25 23:21:59 +02:00
|
|
|
)
|
2024-04-23 22:26:09 +02:00
|
|
|
|
|
|
|
const (
|
2024-05-28 19:15:22 +02:00
|
|
|
ABI Kind = "abi"
|
|
|
|
ALIAS Kind = "alias"
|
|
|
|
INCLUDE Kind = "include"
|
|
|
|
VARIABLE Kind = "variable"
|
|
|
|
COMMENT Kind = "comment"
|
|
|
|
|
2024-04-23 22:26:09 +02:00
|
|
|
tokIFEXISTS = "if exists"
|
2024-04-15 00:58:34 +02:00
|
|
|
)
|
|
|
|
|
2024-05-05 00:25:55 +02:00
|
|
|
type Comment struct {
|
2024-06-25 20:50:27 +02:00
|
|
|
Base
|
2024-05-05 00:25:55 +02:00
|
|
|
}
|
|
|
|
|
2024-06-20 00:22:49 +02:00
|
|
|
func newComment(rule rule) (Rule, error) {
|
|
|
|
base := newBase(rule)
|
2024-05-27 19:55:21 +02:00
|
|
|
base.IsLineRule = true
|
2024-06-25 20:50:27 +02:00
|
|
|
return &Comment{Base: base}, nil
|
2024-05-27 19:55:21 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Comment) Kind() Kind {
|
|
|
|
return COMMENT
|
2024-05-25 23:36:39 +02:00
|
|
|
}
|
|
|
|
|
2024-06-27 19:45:32 +02:00
|
|
|
func (r *Comment) Constraint() Constraint {
|
|
|
|
return AnyRule
|
2024-05-05 00:25:55 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func (r *Comment) String() string {
|
2024-05-28 19:15:22 +02:00
|
|
|
return renderTemplate(r.Kind(), r)
|
2024-05-05 00:25:55 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Comment) Validate() error {
|
|
|
|
return nil
|
2024-05-05 00:25:55 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Comment) Compare(other Rule) int {
|
|
|
|
return 0 // Comments are always equal to each other as they are not compared
|
2024-05-05 00:25:55 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 21:10:12 +02:00
|
|
|
func (r *Comment) Merge(other Rule) bool {
|
|
|
|
return false // Never merge comments
|
|
|
|
}
|
|
|
|
|
2024-06-29 23:27:39 +02:00
|
|
|
func (r *Comment) Lengths() []int {
|
|
|
|
return []int{} // No len for comments
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *Comment) setPaddings(max []int) {} // No paddings for comments
|
|
|
|
|
2024-04-15 00:58:34 +02:00
|
|
|
type Abi struct {
|
2024-06-25 20:50:27 +02:00
|
|
|
Base
|
2024-04-15 00:58:34 +02:00
|
|
|
Path string
|
|
|
|
IsMagic bool
|
|
|
|
}
|
|
|
|
|
2024-06-20 00:22:49 +02:00
|
|
|
func newAbi(q Qualifier, rule rule) (Rule, error) {
|
2024-05-27 19:55:21 +02:00
|
|
|
var magic bool
|
|
|
|
if len(rule) != 1 {
|
|
|
|
return nil, fmt.Errorf("invalid abi format: %s", rule)
|
|
|
|
}
|
|
|
|
|
2024-06-20 00:22:49 +02:00
|
|
|
path := rule.Get(0)
|
2024-05-27 19:55:21 +02:00
|
|
|
switch {
|
|
|
|
case path[0] == '"':
|
|
|
|
magic = false
|
|
|
|
case path[0] == '<':
|
|
|
|
magic = true
|
|
|
|
default:
|
|
|
|
return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule)
|
|
|
|
}
|
|
|
|
return &Abi{
|
2024-06-25 20:50:27 +02:00
|
|
|
Base: newBase(rule),
|
|
|
|
Path: strings.Trim(path, "\"<>"),
|
|
|
|
IsMagic: magic,
|
2024-05-27 19:55:21 +02:00
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Abi) Kind() Kind {
|
|
|
|
return ABI
|
2024-05-25 23:36:39 +02:00
|
|
|
}
|
|
|
|
|
2024-06-27 19:45:32 +02:00
|
|
|
func (r *Abi) Constraint() Constraint {
|
|
|
|
return PreambleRule
|
2024-04-15 00:58:34 +02:00
|
|
|
}
|
|
|
|
|
2024-04-23 22:26:09 +02:00
|
|
|
func (r *Abi) String() string {
|
2024-05-25 23:26:51 +02:00
|
|
|
return renderTemplate(r.Kind(), r)
|
2024-04-23 22:26:09 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Abi) Validate() error {
|
|
|
|
return nil
|
2024-05-05 00:41:47 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Abi) Compare(other Rule) int {
|
|
|
|
o, _ := other.(*Abi)
|
|
|
|
if res := compare(r.Path, o.Path); res != 0 {
|
|
|
|
return res
|
|
|
|
}
|
|
|
|
return compare(r.IsMagic, o.IsMagic)
|
2024-05-05 00:41:47 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 21:10:12 +02:00
|
|
|
func (r *Abi) Merge(other Rule) bool {
|
|
|
|
return false // Never merge abi
|
|
|
|
}
|
|
|
|
|
2024-06-29 23:27:39 +02:00
|
|
|
func (r *Abi) Lengths() []int {
|
|
|
|
return []int{} // No len for abi
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *Abi) setPaddings(max []int) {} // No paddings for abi
|
|
|
|
|
2024-04-15 00:58:34 +02:00
|
|
|
type Alias struct {
|
2024-06-25 20:50:27 +02:00
|
|
|
Base
|
2024-04-15 00:58:34 +02:00
|
|
|
Path string
|
|
|
|
RewrittenPath string
|
|
|
|
}
|
|
|
|
|
2024-06-20 00:22:49 +02:00
|
|
|
func newAlias(q Qualifier, rule rule) (Rule, error) {
|
2024-05-27 19:55:21 +02:00
|
|
|
if len(rule) != 3 {
|
|
|
|
return nil, fmt.Errorf("invalid alias format: %s", rule)
|
|
|
|
}
|
2024-06-20 00:22:49 +02:00
|
|
|
if rule.Get(1) != tokARROW {
|
2024-05-27 19:55:21 +02:00
|
|
|
return nil, fmt.Errorf("invalid alias format, missing %s in: %s", tokARROW, rule)
|
|
|
|
}
|
|
|
|
return &Alias{
|
2024-06-25 20:50:27 +02:00
|
|
|
Base: newBase(rule),
|
2024-06-20 00:22:49 +02:00
|
|
|
Path: rule.Get(0),
|
|
|
|
RewrittenPath: rule.Get(2),
|
2024-05-27 19:55:21 +02:00
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Alias) Kind() Kind {
|
|
|
|
return ALIAS
|
2024-05-25 23:36:39 +02:00
|
|
|
}
|
|
|
|
|
2024-06-27 19:45:32 +02:00
|
|
|
func (r *Alias) Constraint() Constraint {
|
|
|
|
return PreambleRule
|
2024-04-15 00:58:34 +02:00
|
|
|
}
|
|
|
|
|
2024-04-23 22:26:09 +02:00
|
|
|
func (r *Alias) String() string {
|
2024-05-25 23:26:51 +02:00
|
|
|
return renderTemplate(r.Kind(), r)
|
2024-04-23 22:26:09 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Alias) Validate() error {
|
|
|
|
return nil
|
2024-05-05 00:41:47 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Alias) Compare(other Rule) int {
|
|
|
|
o, _ := other.(*Alias)
|
|
|
|
if res := compare(r.Path, o.Path); res != 0 {
|
|
|
|
return res
|
|
|
|
}
|
|
|
|
return compare(r.RewrittenPath, o.RewrittenPath)
|
2024-05-05 00:41:47 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 21:10:12 +02:00
|
|
|
func (r *Alias) Merge(other Rule) bool {
|
|
|
|
return false // Never merge alias
|
|
|
|
}
|
|
|
|
|
2024-06-29 23:27:39 +02:00
|
|
|
func (r *Alias) Lengths() []int {
|
|
|
|
return []int{} // No len for alias
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *Alias) setPaddings(max []int) {} // No paddings for alias
|
|
|
|
|
2024-04-15 00:58:34 +02:00
|
|
|
type Include struct {
|
2024-06-25 20:50:27 +02:00
|
|
|
Base
|
2024-04-15 00:58:34 +02:00
|
|
|
IfExists bool
|
|
|
|
Path string
|
|
|
|
IsMagic bool
|
|
|
|
}
|
|
|
|
|
2024-06-20 00:22:49 +02:00
|
|
|
func newInclude(rule rule) (Rule, error) {
|
2024-05-27 19:55:21 +02:00
|
|
|
var magic bool
|
|
|
|
var ifexists bool
|
|
|
|
|
|
|
|
size := len(rule)
|
|
|
|
if size == 0 {
|
|
|
|
return nil, fmt.Errorf("invalid include format: %v", rule)
|
|
|
|
}
|
|
|
|
|
2024-06-20 00:22:49 +02:00
|
|
|
r := rule.GetSlice()
|
|
|
|
if size >= 3 && strings.Join(r[:2], " ") == tokIFEXISTS {
|
2024-05-27 19:55:21 +02:00
|
|
|
ifexists = true
|
2024-06-20 00:22:49 +02:00
|
|
|
r = r[2:]
|
2024-05-27 19:55:21 +02:00
|
|
|
}
|
|
|
|
|
2024-06-20 00:22:49 +02:00
|
|
|
path := r[0]
|
2024-05-27 19:55:21 +02:00
|
|
|
switch {
|
|
|
|
case path[0] == '"':
|
|
|
|
magic = false
|
|
|
|
case path[0] == '<':
|
|
|
|
magic = true
|
|
|
|
default:
|
|
|
|
return nil, fmt.Errorf("invalid path format: %v", path)
|
|
|
|
}
|
|
|
|
return &Include{
|
2024-06-25 20:50:27 +02:00
|
|
|
Base: newBase(rule),
|
2024-05-27 19:55:21 +02:00
|
|
|
IfExists: ifexists,
|
|
|
|
Path: strings.Trim(path, "\"<>"),
|
|
|
|
IsMagic: magic,
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Include) Kind() Kind {
|
|
|
|
return INCLUDE
|
|
|
|
}
|
|
|
|
|
2024-06-27 19:45:32 +02:00
|
|
|
func (r *Include) Constraint() Constraint {
|
|
|
|
return AnyRule
|
2024-06-25 20:56:36 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func (r *Include) String() string {
|
|
|
|
return renderTemplate(r.Kind(), r)
|
|
|
|
}
|
|
|
|
|
2024-05-25 23:36:39 +02:00
|
|
|
func (r *Include) Validate() error {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2024-06-19 19:34:58 +02:00
|
|
|
func (r *Include) Compare(other Rule) int {
|
|
|
|
const base = "abstractions/base"
|
2024-04-15 00:58:34 +02:00
|
|
|
o, _ := other.(*Include)
|
2024-06-19 19:34:58 +02:00
|
|
|
if res := compare(r.Path, o.Path); res != 0 {
|
|
|
|
if r.Path == base {
|
|
|
|
return -1
|
|
|
|
}
|
|
|
|
if o.Path == base {
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
return res
|
2024-04-15 00:58:34 +02:00
|
|
|
}
|
2024-06-19 19:34:58 +02:00
|
|
|
if res := compare(r.IsMagic, o.IsMagic); res != 0 {
|
|
|
|
return res
|
2024-04-15 00:58:34 +02:00
|
|
|
}
|
2024-06-19 19:34:58 +02:00
|
|
|
return compare(r.IfExists, o.IfExists)
|
2024-04-15 00:58:34 +02:00
|
|
|
}
|
|
|
|
|
2024-06-25 21:10:12 +02:00
|
|
|
func (r *Include) Merge(other Rule) bool {
|
|
|
|
return false // Never merge include
|
|
|
|
}
|
|
|
|
|
2024-06-29 23:27:39 +02:00
|
|
|
func (r *Include) Lengths() []int {
|
|
|
|
return []int{} // No len for include
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *Include) setPaddings(max []int) {} // No paddings for include
|
|
|
|
|
2024-04-15 00:58:34 +02:00
|
|
|
type Variable struct {
|
2024-06-25 20:50:27 +02:00
|
|
|
Base
|
2024-04-15 00:58:34 +02:00
|
|
|
Name string
|
|
|
|
Values []string
|
2024-04-23 22:18:44 +02:00
|
|
|
Define bool
|
|
|
|
}
|
|
|
|
|
2024-06-20 17:34:49 +02:00
|
|
|
func newVariable(rule rule) (Rule, error) {
|
2024-05-27 19:55:21 +02:00
|
|
|
var define bool
|
|
|
|
var values []string
|
|
|
|
if len(rule) < 3 {
|
|
|
|
return nil, fmt.Errorf("invalid variable format: %v", rule)
|
|
|
|
}
|
|
|
|
|
2024-06-20 00:22:49 +02:00
|
|
|
r := rule.GetSlice()
|
|
|
|
name := strings.Trim(rule.Get(0), VARIABLE.Tok()+"}")
|
|
|
|
switch rule.Get(1) {
|
2024-05-27 19:55:21 +02:00
|
|
|
case tokEQUAL:
|
|
|
|
define = true
|
2024-06-20 00:22:49 +02:00
|
|
|
values = r[2:]
|
|
|
|
case tokPLUS + tokEQUAL:
|
2024-05-27 19:55:21 +02:00
|
|
|
define = false
|
2024-06-20 00:22:49 +02:00
|
|
|
values = r[2:]
|
2024-05-27 19:55:21 +02:00
|
|
|
default:
|
|
|
|
return nil, fmt.Errorf("invalid operator in variable: %v", rule)
|
|
|
|
}
|
|
|
|
return &Variable{
|
2024-06-25 20:50:27 +02:00
|
|
|
Base: newBase(rule),
|
|
|
|
Name: name,
|
|
|
|
Values: values,
|
|
|
|
Define: define,
|
2024-05-27 19:55:21 +02:00
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Variable) Kind() Kind {
|
|
|
|
return VARIABLE
|
2024-05-25 23:36:39 +02:00
|
|
|
}
|
|
|
|
|
2024-06-27 19:45:32 +02:00
|
|
|
func (r *Variable) Constraint() Constraint {
|
|
|
|
return PreambleRule
|
2024-06-25 20:56:36 +02:00
|
|
|
}
|
2024-06-22 21:59:43 +02:00
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Variable) String() string {
|
|
|
|
return renderTemplate(r.Kind(), r)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *Variable) Validate() error {
|
|
|
|
return nil
|
2024-06-22 21:59:43 +02:00
|
|
|
}
|
|
|
|
|
2024-06-19 19:34:58 +02:00
|
|
|
func (r *Variable) Compare(other Rule) int {
|
2024-06-22 21:59:43 +02:00
|
|
|
o, _ := other.(*Variable)
|
|
|
|
if res := compare(r.Name, o.Name); res != 0 {
|
|
|
|
return res
|
|
|
|
}
|
|
|
|
if res := compare(r.Define, o.Define); res != 0 {
|
|
|
|
return res
|
|
|
|
}
|
|
|
|
return compare(r.Values, o.Values)
|
2024-04-15 00:58:34 +02:00
|
|
|
}
|
2024-04-23 22:26:09 +02:00
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
func (r *Variable) Merge(other Rule) bool {
|
|
|
|
o, _ := other.(*Variable)
|
2024-05-05 00:41:47 +02:00
|
|
|
|
2024-06-25 20:56:36 +02:00
|
|
|
if r.Name == o.Name && r.Define == o.Define {
|
|
|
|
r.Values = merge(r.Kind(), "access", r.Values, o.Values)
|
|
|
|
b := &r.Base
|
|
|
|
return b.merge(o.Base)
|
|
|
|
}
|
|
|
|
return false
|
2024-05-05 00:41:47 +02:00
|
|
|
}
|
2024-06-29 23:27:39 +02:00
|
|
|
|
|
|
|
func (r *Variable) Lengths() []int {
|
|
|
|
return []int{} // No len for variable
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *Variable) setPaddings(max []int) {} // No paddings for variable
|