apparmor.d/pkg/prebuild/build.go

// apparmor.d - Full set of apparmor profiles
// Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
// SPDX-License-Identifier: GPL-2.0-only

package prebuild

import (
	"regexp"
	"strings"

	"github.com/roddhjav/apparmor.d/pkg/aa"
	"github.com/roddhjav/apparmor.d/pkg/util"
	"golang.org/x/exp/slices"
)

// Build the profiles with the following build tasks
var Builds = []BuildFunc{
	BuildUserspace,
}

var (
	regAttachments      = regexp.MustCompile(`(profile .* @{exec_path})`)
	regFlags            = regexp.MustCompile(`flags=\(([^)]+)\)`)
	regProfileHeader    = regexp.MustCompile(` {`)
	regFullSystemPolicy = util.ToRegexRepl([]string{
		`r(PU|U)x,`, `rPx,`,
	})
	regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
		`abi/3.0`, `abi/4.0`,
		`# userns,`, `userns,`,
		`# mqueue`, `mqueue`,
	})
)

type BuildFunc func(string) string

// Set complain flag on all profiles
func BuildComplain(profile string) string {
	flags := []string{}
	matches := regFlags.FindStringSubmatch(profile)
	if len(matches) != 0 {
		flags = strings.Split(matches[1], ",")
		if slices.Contains(flags, "complain") {
			return profile
		}
	}
	flags = append(flags, "complain")
	strFlags := " flags=(" + strings.Join(flags, ",") + ") {"

	// Remove all flags definition, then set manifest' flags
	profile = regFlags.ReplaceAllLiteralString(profile, "")
	return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
}

// Set all profiles in enforce mode
func BuildEnforce(profile string) string {
	matches := regFlags.FindStringSubmatch(profile)
	if len(matches) == 0 {
		return profile
	}

	flags := strings.Split(matches[1], ",")
	idx := slices.Index(flags, "complain")
	if idx == -1 {
		return profile
	}
	flags = slices.Delete(flags, idx, idx+1)
	strFlags := "{"
	if len(flags) >= 1 {
		strFlags = " flags=(" + strings.Join(flags, ",") + ") {"
	}

	// Remove all flags definition, then set new flags
	profile = regFlags.ReplaceAllLiteralString(profile, "")
	return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
}

// Bypass userspace tools restriction
func BuildUserspace(profile string) string {
	p := aa.DefaultTunables()
	p.ParseVariables(profile)
	p.ResolveAttachments()
	att := p.NestAttachments()
	matches := regAttachments.FindAllString(profile, -1)
	if len(matches) > 0 {
		strheader := strings.Replace(matches[0], "@{exec_path}", att, -1)
		return regAttachments.ReplaceAllLiteralString(profile, strheader)
	}
	return profile
}

func BuildABI3(profile string) string {
	for _, abi4t3 := range regAbi4To3 {
		profile = abi4t3.Regex.ReplaceAllLiteralString(profile, abi4t3.Repl)
	}
	return profile
}

func BuildFullSystemPolicy(profile string) string {
	for _, full := range regFullSystemPolicy {
		profile = full.Regex.ReplaceAllString(profile, full.Repl)
	}
	return profile
}
build(prebuild): add new prebuild command. Fix #146, #136 2023-04-19 18:40:40 +02:00			`// apparmor.d - Full set of apparmor profiles`
			`// Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>`
			`// SPDX-License-Identifier: GPL-2.0-only`

feat(prebuild): make prebuild available as an external package. Usefull for downstream repo. 2023-05-06 14:01:07 +02:00			`package prebuild`
build(prebuild): add new prebuild command. Fix #146, #136 2023-04-19 18:40:40 +02:00
			`import (`
			`"regexp"`
			`"strings"`

			`"github.com/roddhjav/apparmor.d/pkg/aa"`
build: initial preparation for apparmor 4. 2023-09-29 21:12:00 +02:00			`"github.com/roddhjav/apparmor.d/pkg/util"`
feat(prebuild): make prebuild available as an external package. Usefull for downstream repo. 2023-05-06 14:01:07 +02:00			`"golang.org/x/exp/slices"`
build(prebuild): add new prebuild command. Fix #146, #136 2023-04-19 18:40:40 +02:00			`)`

feat(prebuild): make prebuild available as an external package. Usefull for downstream repo. 2023-05-06 14:01:07 +02:00			`// Build the profiles with the following build tasks`
			`var Builds = []BuildFunc{`
			`BuildUserspace,`
			`}`

build(prebuild): add new prebuild command. Fix #146, #136 2023-04-19 18:40:40 +02:00			`var (`
build: enforce the use on the default profile on full mode. 2023-11-22 21:52:25 +01:00			regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
			regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`)
			regProfileHeader = regexp.MustCompile(` {`)
			`regFullSystemPolicy = util.ToRegexRepl([]string{`
			`r(PU\|U)x,`, `rPx,`,
			`})`
			`regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4`
feat(profiles): add initial userns rule. Require apparmor 4 to be enabled. 2023-11-19 12:19:24 +01:00			`abi/3.0`, `abi/4.0`,
			`# userns,`, `userns,`,
feat(aa-log): add support for mqueue. 2023-12-05 21:47:32 +01:00			`# mqueue`, `mqueue`,
build: initial preparation for apparmor 4. 2023-09-29 21:12:00 +02:00			`})`
build(prebuild): add new prebuild command. Fix #146, #136 2023-04-19 18:40:40 +02:00			`)`

feat(prebuild): make prebuild available as an external package. Usefull for downstream repo. 2023-05-06 14:01:07 +02:00			`type BuildFunc func(string) string`

build(prebuild): add new prebuild command. Fix #146, #136 2023-04-19 18:40:40 +02:00			`// Set complain flag on all profiles`
			`func BuildComplain(profile string) string {`
			`flags := []string{}`
build: add the ability to set enforce all profiles. Do not do that!!! It forces ALL profiles in enforce mode. 2023-09-05 20:44:36 +02:00			`matches := regFlags.FindStringSubmatch(profile)`
build(prebuild): add new prebuild command. Fix #146, #136 2023-04-19 18:40:40 +02:00			`if len(matches) != 0 {`
			`flags = strings.Split(matches[1], ",")`
feat(prebuild): make prebuild available as an external package. Usefull for downstream repo. 2023-05-06 14:01:07 +02:00			`if slices.Contains(flags, "complain") {`
build(prebuild): add new prebuild command. Fix #146, #136 2023-04-19 18:40:40 +02:00			`return profile`
			`}`
			`}`
			`flags = append(flags, "complain")`
			`strFlags := " flags=(" + strings.Join(flags, ",") + ") {"`

			`// Remove all flags definition, then set manifest' flags`
build: add the ability to set enforce all profiles. Do not do that!!! It forces ALL profiles in enforce mode. 2023-09-05 20:44:36 +02:00			`profile = regFlags.ReplaceAllLiteralString(profile, "")`
			`return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)`
			`}`

			`// Set all profiles in enforce mode`
			`func BuildEnforce(profile string) string {`
			`matches := regFlags.FindStringSubmatch(profile)`
			`if len(matches) == 0 {`
			`return profile`
			`}`

			`flags := strings.Split(matches[1], ",")`
			`idx := slices.Index(flags, "complain")`
			`if idx == -1 {`
			`return profile`
			`}`
			`flags = slices.Delete(flags, idx, idx+1)`
			`strFlags := "{"`
			`if len(flags) >= 1 {`
			`strFlags = " flags=(" + strings.Join(flags, ",") + ") {"`
			`}`

			`// Remove all flags definition, then set new flags`
			`profile = regFlags.ReplaceAllLiteralString(profile, "")`
build(prebuild): add new prebuild command. Fix #146, #136 2023-04-19 18:40:40 +02:00			`return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)`
			`}`

			`// Bypass userspace tools restriction`
			`func BuildUserspace(profile string) string {`
feat(aa-log): add a new apparmor profile struct Also rewrite variables resolution to this new struct. 2023-08-18 00:00:52 +02:00			`p := aa.DefaultTunables()`
build: simplify profile struct. 2023-07-25 23:01:07 +02:00			`p.ParseVariables(profile)`
build(prebuild): add new prebuild command. Fix #146, #136 2023-04-19 18:40:40 +02:00			`p.ResolveAttachments()`
			`att := p.NestAttachments()`
			`matches := regAttachments.FindAllString(profile, -1)`
			`if len(matches) > 0 {`
			`strheader := strings.Replace(matches[0], "@{exec_path}", att, -1)`
			`return regAttachments.ReplaceAllLiteralString(profile, strheader)`
			`}`
			`return profile`
			`}`
build: initial preparation for apparmor 4. 2023-09-29 21:12:00 +02:00
			`func BuildABI3(profile string) string {`
			`for _, abi4t3 := range regAbi4To3 {`
			`profile = abi4t3.Regex.ReplaceAllLiteralString(profile, abi4t3.Repl)`
			`}`
			`return profile`
			`}`
build: enforce the use on the default profile on full mode. 2023-11-22 21:52:25 +01:00
			`func BuildFullSystemPolicy(profile string) string {`
			`for _, full := range regFullSystemPolicy {`
			`profile = full.Regex.ReplaceAllString(profile, full.Repl)`
			`}`
			`return profile`
			`}`