diff --git a/pkg/aa/template.go b/pkg/aa/template.go
index 893442eb..0eb12fe6 100644
--- a/pkg/aa/template.go
+++ b/pkg/aa/template.go
@@ -5,7 +5,7 @@
 package aa
 import (
- _ "embed"
+ "embed"
 "reflect"
 "strings"
 "text/template"
@@ -15,10 +15,10 @@ import (
 const indentation = " "
 var (
- //go:embed templates/profile.j2
- tmplFileAppArmorProfile string
+ //go:embed templates/*.j2
+ tmplFiles embed.FS
- // tmplFunctionMap is the list of function available in the template
+ // The functions available in the template
 tmplFunctionMap = template.FuncMap{
 "typeof": typeOf,
 "join": join,
@@ -27,8 +27,7 @@ var (
 }
 // The apparmor profile template
- tmplAppArmorProfile = template.Must(template.New("profile").
- Funcs(tmplFunctionMap).Parse(tmplFileAppArmorProfile))
+ tmplAppArmorProfile = generateTemplate()
 // convert apparmor requested mask to apparmor access mode
 // TODO: Should be a map of slice, not exhausive yet
@@ -110,6 +109,12 @@ var (
 fileWeights = map[string]int{}
 )
+func generateTemplate() *template.Template {
+ res := template.New("profile.j2").Funcs(tmplFunctionMap)
+ res = template.Must(res.ParseFS(tmplFiles, "templates/*.j2"))
+ return res
+}
+
 func init() {
 for i, r := range fileAlphabet {
 fileWeights[r] = i
diff --git a/pkg/aa/templates/comments.j2 b/pkg/aa/templates/comments.j2
new file mode 100644
index 00000000..6a5217f5
--- /dev/null
+++ b/pkg/aa/templates/comments.j2
@@ -0,0 +1,8 @@
+{{- define "comments" -}}
+ {{- if .FileInherit -}}
+ {{- " # file_inherit" -}}
+ {{- end -}}
+ {{- if .NoNewPrivs -}}
+ {{- " # no new privs" -}}
+ {{- end -}}
+{{- end -}}
diff --git a/pkg/aa/templates/include.j2 b/pkg/aa/templates/include.j2
new file mode 100644
index 00000000..8a39a8c3
--- /dev/null
+++ b/pkg/aa/templates/include.j2
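Review bot: generateTemplate has no doc comment, and its one non-obvious requirement is written nowhere: the name given to `template.New("profile.j2")` must equal the base name of the embedded root file, because ParseFS only binds a parsed file to the receiver when the names match, and a mismatch is not caught by Must at init but surfaces later as an "incomplete or empty template" error from Execute on tmplAppArmorProfile. A comment such as `// generateTemplate parses every embedded templates/*.j2 file into one template set; the receiver is named "profile.j2" so that ParseFS makes that file the root template.` would make the coupling visible, and could also note that the `templates/*.j2` pattern must stay in sync with the `//go:embed` directive above, which cannot share a constant. The two-step `res` assignment can collapse into `return template.Must(template.New("profile.j2").Funcs(tmplFunctionMap).ParseFS(tmplFiles, "templates/*.j2"))`.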
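Review bot: The `comments` template dereferences `.FileInherit` and `.NoNewPrivs` on its dot, and profile.j2 in this same change invokes it for every rule type rather than only File, yet nothing here records that contract; text/template cannot declare it, so a leading comment should: `{{/* comments: appends the " # file_inherit" and " # no new privs" markers; dot must expose .FileInherit and .NoNewPrivs */}}`. That comment is also the place to say that the markers follow a `#`, so apparmor_parser treats them as a comment and they carry no policy effect.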
@@ -0,0 +1,11 @@
+{{- define "include" -}}
+ {{- "include" -}}
+ {{- if .IfExists -}}
+ {{ " if exists" }}
+ {{- end -}}
+ {{- if .IsMagic -}}
+ {{ " <" }}{{ .Path }}{{ ">" }}
+ {{- else -}}
+ {{ " \"" }}{{ .Path }}{{ "\"" }}
+ {{- end -}}
+{{- end -}}
diff --git a/pkg/aa/templates/profile.j2 b/pkg/aa/templates/profile.j2
index 3ae55079..fa6d58c9 100644
--- a/pkg/aa/templates/profile.j2
+++ b/pkg/aa/templates/profile.j2
@@ -15,15 +15,7 @@
 {{ end -}}
 {{- range .Includes -}}
- {{- "include " -}}
- {{- if .IfExists -}}
- {{- "if exists " -}}
- {{- end -}}
- {{- if .IsMagic -}}
- {{ "<" }}{{ .Path }}{{ ">,\n" }}
- {{- else -}}
- {{ "\"" }}{{ .Path }}{{ "\",\n" }}
- {{- end }}
+ {{ template "include" . }}{{ "\n" }}
 {{ end -}}
 {{- range .Variables -}}
@@ -57,15 +49,7 @@
 {{- indent "" -}}
 {{- if eq $type "Include" -}}
- {{- "include " -}}
- {{- if .IfExists -}}
- {{ "if exists " }}
- {{- end -}}
- {{- if .IsMagic -}}
- {{ "<" }}{{ .Path }}{{ ">" }}
- {{- else -}}
- {{ "\"" }}{{ .Path }}{{ "\"" }}
- {{- end -}}
+ {{ template "include" . }}
 {{- end -}}
 {{- if eq $type "Rlimit" -}}
@@ -73,10 +57,11 @@
 {{- end -}}
 {{- if eq $type "Capability" -}}
- {{ "capability " }}{{ .Name }}{{ "," }}
+ {{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comments" . }}
 {{- end -}}
 {{- if eq $type "Network" -}}
+ {{- template "qualifier" . -}}
 {{ "network" }}
 {{- with .Domain -}}
 {{ " " }}{{ . }}
@@ -89,9 +74,11 @@
 {{- end -}}
 {{- end -}}
 {{- "," -}}
+ {{- template "comments" . -}}
 {{- end -}}
 {{- if eq $type "Mount" -}}
+ {{- template "qualifier" . -}}
 {{- "mount" -}}
 {{- with .FsType -}}
 {{ " fstype=" }}{{ . }}
@@ -106,9 +93,11 @@
 {{ " -> " }}{{ . }}
 {{- end -}}
 {{- "," -}}
+ {{- template "comments" . -}}
 {{- end -}}
 {{- if eq $type "Umount" -}}
+ {{- template "qualifier" . -}}
 {{- "umount" -}}
 {{- with .FsType -}}
 {{ " fstype=" }}{{ . }}
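Review bot: `.Path` is written verbatim into the `include <…>` and `include "…"` forms on both branches, so a value containing `>`, `"`, `#` or a newline changes the meaning of the emitted directive instead of being rejected. The template is the wrong layer to enforce that, but nothing in this diff shows where Include values are validated; if they can ever originate from external input, the place that builds the Include value (or a test) should pin that the path is a single clean token. A leading comment would also document the contract text/template cannot express: `{{/* include: renders "include [if exists] <path>" or "include [if exists] \"path\""; dot must expose .IfExists, .IsMagic and .Path */}}`.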
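Review bot: The `qualifier` and `comments` templates invoked on the Capability line here dereference `.Owner`, `.Audit`, `.AccessType`, `.FileInherit` and `.NoNewPrivs`, and the same calls are added in the Network, Mount, Umount, Remount, Unix, Ptrace, Signal, Dbus and File branches of the later hunks; before this change only the File branch touched `.Owner`, `.FileInherit` and `.NoNewPrivs`, and `.Audit` and `.AccessType` are new everywhere. text/template aborts Execute with a "can't evaluate field" error for any struct type lacking one of these fields, so unless every rule type embeds a common base (not visible in this diff) a test rendering one rule of each type is needed to prove the template still executes. As a point of style, the Capability line uses `{{ template "qualifier" . }}` and `{{ template "comments" . }}` without trim markers while every other branch uses `{{- template "qualifier" . -}}`; the output is the same because the actions are adjacent, but the uniform form reads better. The enclosing range over rules starts and ends outside these hunks.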
@@ -120,9 +109,11 @@
 {{ " " }}{{ . }}
 {{- end -}}
 {{- "," -}}
+ {{- template "comments" . -}}
 {{- end -}}
 {{- if eq $type "Remount" -}}
+ {{- template "qualifier" . -}}
 {{- "remount" -}}
 {{- with .FsType -}}
 {{ " fstype=" }}{{ . }}
@@ -134,9 +125,11 @@
 {{ " " }}{{ . }}
 {{- end -}}
 {{- "," -}}
+ {{- template "comments" . -}}
 {{- end -}}
 {{- if eq $type "Unix" -}}
+ {{- template "qualifier" . -}}
 {{- "unix" -}}
 {{- with .Access -}}
 {{ " (" }}{{ . }}{{ ")" }}
@@ -155,9 +148,11 @@
 {{- ")" -}}
 {{- end -}}
 {{- "," -}}
+ {{- template "comments" . -}}
 {{- end -}}
 {{- if eq $type "Ptrace" -}}
+ {{- template "qualifier" . -}}
 {{- "ptrace" -}}
 {{- with .Access -}}
 {{ " (" }}{{ . }}{{ ")" }}
@@ -166,9 +161,11 @@
 {{ " peer=" }}{{ . }}
 {{- end -}}
 {{- "," -}}
+ {{- template "comments" . -}}
 {{- end -}}
 {{- if eq $type "Signal" -}}
+ {{- template "qualifier" . -}}
 {{- "signal" -}}
 {{- with .Access -}}
 {{ " (" }}{{ . }}{{ ")" }}
@@ -180,9 +177,11 @@
 {{ " peer=" }}{{ . }}
 {{- end -}}
 {{- "," -}}
+ {{- template "comments" . -}}
 {{- end -}}
 {{- if eq $type "Dbus" -}}
+ {{- template "qualifier" . -}}
 {{- "dbus" -}}
 {{- if eq .Access "bind" -}}
 {{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
@@ -213,23 +212,17 @@
 {{- end -}}
 {{- end -}}
 {{- "," -}}
+ {{- template "comments" . -}}
 {{- end -}}
 {{- if eq $type "File" -}}
- {{- if .Owner -}}
- {{- "owner " -}}
- {{- end -}}
+ {{- template "qualifier" . -}}
 {{ .Path }}{{ " " }}{{ .Access }}
 {{- with .Target -}}
 {{ " -> " }}{{ . }}
 {{- end -}}
 {{- "," -}}
- {{- if .FileInherit -}}
- {{- " # file_inherit" -}}
- {{- end -}}
- {{- if .NoNewPrivs -}}
- {{- " # no new privs" -}}
- {{- end -}}
+ {{- template "comments" . -}}
 {{- end -}}
 {{- "\n" -}}
diff --git a/pkg/aa/templates/qualifier.j2 b/pkg/aa/templates/qualifier.j2
new file mode 100644
index 00000000..afe1e0ed
--- /dev/null
+++ b/pkg/aa/templates/qualifier.j2
@@ -0,0 +1,11 @@
+{{- define "qualifier" -}}
+ {{- if .Owner -}}
+ {{- "owner " -}}
+ {{- end -}}
+ {{- if .Audit -}}
+ {{- "audit " -}}
+ {{- end -}}
+ {{- if eq .AccessType "deny" -}}
+ {{- "deny " -}}
+ {{- end -}}
+{{- end -}}
diff --git a/tests/string.aa b/tests/string.aa
index 64ef386a..d1fd01ac 100644
--- a/tests/string.aa
+++ b/tests/string.aa
@@ -3,7 +3,7 @@
 abi ,
 alias /mnt/usr -> /usr,
-include ,
+include
 @{exec_path} = @{bin}/foo @{lib}/foo
 profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach_disconnected) {
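Review bot: The qualifier order emitted here is `owner audit deny`, but as far as I recall apparmor_parser's rule-prefix grammar accepts the qualifiers only as `audit`, then the access mode (`deny`), then `owner`, so a rule carrying more than one of these flags would render into a profile the parser rejects, and a profile that fails to load provides no confinement at all. Please verify against the parser grammar (the prefix rule takes the audit flag, the permission mode and the owner flag in that order) and, if it holds, move the `.Owner` block below the `.AccessType` block so the output becomes `audit deny owner `. A test rendering a File rule with all three flags set would pin the order, and a leading `{{/* qualifier: emits the rule prefix; dot must expose .Owner, .Audit and .AccessType */}}` comment would record the fields every rule type routed here must carry.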