2024-05-05 15:09:00 +02:00
|
|
|
// apparmor.d - Full set of apparmor profiles
|
|
|
|
// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
|
|
|
package aa
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"regexp"
|
|
|
|
"strings"
|
2024-05-28 12:53:32 +02:00
|
|
|
|
|
|
|
"github.com/arduino/go-paths-helper"
|
|
|
|
"github.com/roddhjav/apparmor.d/pkg/util"
|
2024-05-05 15:09:00 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
2024-05-28 12:53:32 +02:00
|
|
|
includeCache map[*Include]*AppArmorProfileFile = make(map[*Include]*AppArmorProfileFile)
|
|
|
|
|
2024-05-05 15:09:00 +02:00
|
|
|
regVariableReference = regexp.MustCompile(`@{([^{}]+)}`)
|
|
|
|
)
|
|
|
|
|
2024-05-28 12:53:32 +02:00
|
|
|
// Resolve resolves variables and includes definied in the profile preamble
|
2024-05-05 15:09:00 +02:00
|
|
|
func (f *AppArmorProfileFile) Resolve() error {
|
2024-05-28 12:53:32 +02:00
|
|
|
// Resolve preamble includes
|
|
|
|
for _, include := range f.Preamble.GetIncludes() {
|
|
|
|
err := f.resolveInclude(include)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-05-05 15:09:00 +02:00
|
|
|
// Resolve variables
|
|
|
|
for _, variable := range f.Preamble.GetVariables() {
|
|
|
|
newValues := []string{}
|
|
|
|
for _, value := range variable.Values {
|
2024-05-28 12:53:32 +02:00
|
|
|
vars, err := f.resolveValues(value)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2024-05-05 15:09:00 +02:00
|
|
|
}
|
|
|
|
newValues = append(newValues, vars...)
|
|
|
|
}
|
|
|
|
variable.Values = newValues
|
|
|
|
}
|
|
|
|
|
|
|
|
// Resolve variables in attachements
|
|
|
|
for _, profile := range f.Profiles {
|
|
|
|
attachments := []string{}
|
|
|
|
for _, att := range profile.Attachments {
|
2024-05-28 12:53:32 +02:00
|
|
|
vars, err := f.resolveValues(att)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2024-05-05 15:09:00 +02:00
|
|
|
}
|
|
|
|
attachments = append(attachments, vars...)
|
|
|
|
}
|
|
|
|
profile.Attachments = attachments
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2024-05-28 12:53:32 +02:00
|
|
|
func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) {
|
2024-05-05 15:09:00 +02:00
|
|
|
if !strings.Contains(input, tokVARIABLE) {
|
2024-05-28 12:53:32 +02:00
|
|
|
return []string{input}, nil
|
2024-05-05 15:09:00 +02:00
|
|
|
}
|
|
|
|
|
2024-05-28 12:53:32 +02:00
|
|
|
values := []string{}
|
2024-05-05 15:09:00 +02:00
|
|
|
match := regVariableReference.FindStringSubmatch(input)
|
2024-05-28 12:53:32 +02:00
|
|
|
if len(match) == 0 {
|
|
|
|
return nil, fmt.Errorf("Invalid variable reference: %s", input)
|
|
|
|
}
|
|
|
|
|
|
|
|
variable := match[0]
|
|
|
|
varname := match[1]
|
|
|
|
found := false
|
|
|
|
for _, vrbl := range f.Preamble.GetVariables() {
|
|
|
|
if vrbl.Name == varname {
|
|
|
|
found = true
|
|
|
|
for _, v := range vrbl.Values {
|
|
|
|
if strings.Contains(v, tokVARIABLE+varname+"}") {
|
|
|
|
return nil, fmt.Errorf("recursive variable found in: %s", varname)
|
|
|
|
}
|
|
|
|
newValues := strings.ReplaceAll(input, variable, v)
|
|
|
|
newValues = strings.ReplaceAll(newValues, "//", "/")
|
|
|
|
res, err := f.resolveValues(newValues)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
values = append(values, res...)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !found {
|
|
|
|
return nil, fmt.Errorf("Variable %s not defined", varname)
|
|
|
|
}
|
|
|
|
return values, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// resolveInclude resolves all includes defined in the profile preamble
|
|
|
|
func (f *AppArmorProfileFile) resolveInclude(include *Include) error {
|
|
|
|
if include == nil || include.Path == "" {
|
|
|
|
return fmt.Errorf("Invalid include: %v", include)
|
|
|
|
}
|
|
|
|
|
|
|
|
_, isCached := includeCache[include]
|
|
|
|
if !isCached {
|
|
|
|
var files paths.PathList
|
|
|
|
var err error
|
|
|
|
|
|
|
|
path := MagicRoot.Join(include.Path)
|
|
|
|
if !include.IsMagic {
|
|
|
|
path = paths.New(include.Path)
|
|
|
|
}
|
|
|
|
|
|
|
|
if path.IsDir() {
|
|
|
|
files, err = path.ReadDir(paths.FilterOutDirectories())
|
|
|
|
if err != nil {
|
|
|
|
if include.IfExists {
|
|
|
|
return nil
|
2024-05-05 15:09:00 +02:00
|
|
|
}
|
2024-05-28 12:53:32 +02:00
|
|
|
return fmt.Errorf("File %s not found: %v", path, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
} else if path.Exist() {
|
|
|
|
files = append(files, path)
|
|
|
|
|
|
|
|
} else {
|
|
|
|
if include.IfExists {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return fmt.Errorf("File %s not found", path)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
iFile := &AppArmorProfileFile{}
|
|
|
|
for _, file := range files {
|
|
|
|
raw, err := util.ReadFile(file)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := iFile.Parse(raw); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if err := iFile.Validate(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
for _, inc := range iFile.Preamble.GetIncludes() {
|
|
|
|
if err := iFile.resolveInclude(inc); err != nil {
|
|
|
|
return err
|
2024-05-05 15:09:00 +02:00
|
|
|
}
|
|
|
|
}
|
2024-05-28 12:53:32 +02:00
|
|
|
|
|
|
|
// Remove all includes in iFile
|
|
|
|
iFile.Preamble = iFile.Preamble.DeleteKind(tokINCLUDE)
|
|
|
|
|
|
|
|
// Cache the included file
|
|
|
|
includeCache[include] = iFile
|
2024-05-05 15:09:00 +02:00
|
|
|
}
|
2024-05-28 12:53:32 +02:00
|
|
|
|
|
|
|
// Insert iFile in the place of include in the current file
|
|
|
|
index := f.Preamble.IndexOf(include)
|
|
|
|
f.Preamble = f.Preamble.Insert(index, includeCache[include].Preamble...)
|
|
|
|
return nil
|
2024-05-05 15:09:00 +02:00
|
|
|
}
|