feat(aa): add sub templates.

This commit is contained in:
Alexandre Pujol 2023-09-29 20:28:56 +01:00
parent cb441733c0
commit 09a06db803
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
6 changed files with 63 additions and 35 deletions


@ -5,7 +5,7 @@
package aa package aa
import ( import (
_ "embed" "embed"
"reflect" "reflect"
"strings" "strings"
"text/template" "text/template"
@ -15,10 +15,10 @@ import (
const indentation = " " const indentation = " "
var ( var (
//go:embed templates/profile.j2 //go:embed templates/*.j2
tmplFileAppArmorProfile string tmplFiles embed.FS
// tmplFunctionMap is the list of function available in the template // The functions available in the template
tmplFunctionMap = template.FuncMap{ tmplFunctionMap = template.FuncMap{
"typeof": typeOf, "typeof": typeOf,
"join": join, "join": join,
@ -27,8 +27,7 @@ var (
} }
// The apparmor profile template // The apparmor profile template
tmplAppArmorProfile = template.Must(template.New("profile"). tmplAppArmorProfile = generateTemplate()
Funcs(tmplFunctionMap).Parse(tmplFileAppArmorProfile))
// convert apparmor requested mask to apparmor access mode // convert apparmor requested mask to apparmor access mode
// TODO: Should be a map of slice, not exhausive yet // TODO: Should be a map of slice, not exhausive yet
@ -110,6 +109,12 @@ var (
fileWeights = map[string]int{} fileWeights = map[string]int{}
) )
func generateTemplate() *template.Template {
res := template.New("profile.j2").Funcs(tmplFunctionMap)
res = template.Must(res.ParseFS(tmplFiles, "templates/*.j2"))
return res
}
func init() { func init() {
for i, r := range fileAlphabet { for i, r := range fileAlphabet {
fileWeights[r] = i fileWeights[r] = i
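Review bot: generateTemplate has no doc comment, and the name given to template.New is load-bearing: ParseFS only fills the root template when one of the matched files has exactly that base name, so if "profile.j2" were renamed tmplAppArmorProfile would be an empty root and Execute would fail at runtime, not at init. I would record that above the function: `// generateTemplate parses every embedded templates/*.j2 file into one template set.` / `// The root is named "profile.j2" so that ParseFS binds that file's body to it; the other` / `// files only supply the sub-templates ("include", "qualifier", "comments") it invokes.` Because Must runs inside the package-level var initializer, a syntax error in any of the four .j2 files now panics at import time, which is the same failure mode as before but with a wider surface. The init function that follows continues outside the hunk.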


@ -0,0 +1,8 @@
{{- define "comments" -}}
{{- if .FileInherit -}}
{{- " # file_inherit" -}}
{{- end -}}
{{- if .NoNewPrivs -}}
{{- " # no new privs" -}}
{{- end -}}
{{- end -}}
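Review bot: This sub-template reads .FileInherit and .NoNewPrivs on whatever value it is invoked with, and profile.j2 now invokes it (together with "qualifier", which reads .Owner, .Audit and .AccessType) for every rule type: Capability, Network, Mount, Umount, Remount, Unix, Ptrace, Signal, Dbus and File, where before the commit these fields were only read on the File rule. text/template reports a missing struct field as an execution error, so unless every rule type exposes all five fields (or dot is a map), rendering a profile that contains one of the other rule types would abort with a "can't evaluate field" error instead of emitting an empty qualifier or comment; the rule types are not visible in this commit, so please confirm. A header line stating the contract would help, e.g. `{{- /* comments: trailing "# ..." markers after a rule; dot must provide .FileInherit and .NoNewPrivs */ -}}`, and the same applies to qualifier.j2 and the new call sites in profile.j2.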


@ -0,0 +1,11 @@
{{- define "include" -}}
{{- "include" -}}
{{- if .IfExists -}}
{{ " if exists" }}
{{- end -}}
{{- if .IsMagic -}}
{{ " <" }}{{ .Path }}{{ ">" }}
{{- else -}}
{{ " \"" }}{{ .Path }}{{ "\"" }}
{{- end -}}
{{- end -}}
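Review bot: .Path is written into the include directive verbatim in both the `<...>` and the quoted form, with no escaping, so a value containing `"`, `>` or a newline produces a directive apparmor_parser cannot read or one that is split across lines. If Path only ever comes from the project's own curated rule data that is acceptable, but if it can originate from parsed log input it should be validated (or such characters rejected) before rendering; I cannot tell the origin from this commit. A header comment such as `{{- /* include: renders one include directive; dot must provide .IfExists, .IsMagic and an already validated .Path */ -}}` would document the expectation either way.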


@ -15,15 +15,7 @@
{{ end -}} {{ end -}}
{{- range .Includes -}} {{- range .Includes -}}
{{- "include " -}} {{ template "include" . }}{{ "\n" }}
{{- if .IfExists -}}
{{- "if exists " -}}
{{- end -}}
{{- if .IsMagic -}}
{{ "<" }}{{ .Path }}{{ ">,\n" }}
{{- else -}}
{{ "\"" }}{{ .Path }}{{ "\",\n" }}
{{- end }}
{{ end -}} {{ end -}}
{{- range .Variables -}} {{- range .Variables -}}
@ -57,15 +49,7 @@
{{- indent "" -}} {{- indent "" -}}
{{- if eq $type "Include" -}} {{- if eq $type "Include" -}}
{{- "include " -}} {{ template "include" . }}
{{- if .IfExists -}}
{{ "if exists " }}
{{- end -}}
{{- if .IsMagic -}}
{{ "<" }}{{ .Path }}{{ ">" }}
{{- else -}}
{{ "\"" }}{{ .Path }}{{ "\"" }}
{{- end -}}
{{- end -}} {{- end -}}
{{- if eq $type "Rlimit" -}} {{- if eq $type "Rlimit" -}}
@ -73,10 +57,11 @@
{{- end -}} {{- end -}}
{{- if eq $type "Capability" -}} {{- if eq $type "Capability" -}}
{{ "capability " }}{{ .Name }}{{ "," }} {{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comments" . }}
{{- end -}} {{- end -}}
{{- if eq $type "Network" -}} {{- if eq $type "Network" -}}
{{- template "qualifier" . -}}
{{ "network" }} {{ "network" }}
{{- with .Domain -}} {{- with .Domain -}}
{{ " " }}{{ . }} {{ " " }}{{ . }}
@ -89,9 +74,11 @@
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- "," -}} {{- "," -}}
{{- template "comments" . -}}
{{- end -}} {{- end -}}
{{- if eq $type "Mount" -}} {{- if eq $type "Mount" -}}
{{- template "qualifier" . -}}
{{- "mount" -}} {{- "mount" -}}
{{- with .FsType -}} {{- with .FsType -}}
{{ " fstype=" }}{{ . }} {{ " fstype=" }}{{ . }}
@ -106,9 +93,11 @@
{{ " -> " }}{{ . }} {{ " -> " }}{{ . }}
{{- end -}} {{- end -}}
{{- "," -}} {{- "," -}}
{{- template "comments" . -}}
{{- end -}} {{- end -}}
{{- if eq $type "Umount" -}} {{- if eq $type "Umount" -}}
{{- template "qualifier" . -}}
{{- "umount" -}} {{- "umount" -}}
{{- with .FsType -}} {{- with .FsType -}}
{{ " fstype=" }}{{ . }} {{ " fstype=" }}{{ . }}
@ -120,9 +109,11 @@
{{ " " }}{{ . }} {{ " " }}{{ . }}
{{- end -}} {{- end -}}
{{- "," -}} {{- "," -}}
{{- template "comments" . -}}
{{- end -}} {{- end -}}
{{- if eq $type "Remount" -}} {{- if eq $type "Remount" -}}
{{- template "qualifier" . -}}
{{- "remount" -}} {{- "remount" -}}
{{- with .FsType -}} {{- with .FsType -}}
{{ " fstype=" }}{{ . }} {{ " fstype=" }}{{ . }}
@ -134,9 +125,11 @@
{{ " " }}{{ . }} {{ " " }}{{ . }}
{{- end -}} {{- end -}}
{{- "," -}} {{- "," -}}
{{- template "comments" . -}}
{{- end -}} {{- end -}}
{{- if eq $type "Unix" -}} {{- if eq $type "Unix" -}}
{{- template "qualifier" . -}}
{{- "unix" -}} {{- "unix" -}}
{{- with .Access -}} {{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }} {{ " (" }}{{ . }}{{ ")" }}
@ -155,9 +148,11 @@
{{- ")" -}} {{- ")" -}}
{{- end -}} {{- end -}}
{{- "," -}} {{- "," -}}
{{- template "comments" . -}}
{{- end -}} {{- end -}}
{{- if eq $type "Ptrace" -}} {{- if eq $type "Ptrace" -}}
{{- template "qualifier" . -}}
{{- "ptrace" -}} {{- "ptrace" -}}
{{- with .Access -}} {{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }} {{ " (" }}{{ . }}{{ ")" }}
@ -166,9 +161,11 @@
{{ " peer=" }}{{ . }} {{ " peer=" }}{{ . }}
{{- end -}} {{- end -}}
{{- "," -}} {{- "," -}}
{{- template "comments" . -}}
{{- end -}} {{- end -}}
{{- if eq $type "Signal" -}} {{- if eq $type "Signal" -}}
{{- template "qualifier" . -}}
{{- "signal" -}} {{- "signal" -}}
{{- with .Access -}} {{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }} {{ " (" }}{{ . }}{{ ")" }}
@ -180,9 +177,11 @@
{{ " peer=" }}{{ . }} {{ " peer=" }}{{ . }}
{{- end -}} {{- end -}}
{{- "," -}} {{- "," -}}
{{- template "comments" . -}}
{{- end -}} {{- end -}}
{{- if eq $type "Dbus" -}} {{- if eq $type "Dbus" -}}
{{- template "qualifier" . -}}
{{- "dbus" -}} {{- "dbus" -}}
{{- if eq .Access "bind" -}} {{- if eq .Access "bind" -}}
{{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }} {{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
@ -213,23 +212,17 @@
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- "," -}} {{- "," -}}
{{- template "comments" . -}}
{{- end -}} {{- end -}}
{{- if eq $type "File" -}} {{- if eq $type "File" -}}
{{- if .Owner -}} {{- template "qualifier" . -}}
{{- "owner " -}}
{{- end -}}
{{ .Path }}{{ " " }}{{ .Access }} {{ .Path }}{{ " " }}{{ .Access }}
{{- with .Target -}} {{- with .Target -}}
{{ " -> " }}{{ . }} {{ " -> " }}{{ . }}
{{- end -}} {{- end -}}
{{- "," -}} {{- "," -}}
{{- if .FileInherit -}} {{- template "comments" . -}}
{{- " # file_inherit" -}}
{{- end -}}
{{- if .NoNewPrivs -}}
{{- " # no new privs" -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- "\n" -}} {{- "\n" -}}
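Review bot: The Capability branch invokes the sub-templates inline as `{{ template "qualifier" . }}{{ "capability " }}…{{ template "comments" . }}`, while every other rule type puts `{{- template "qualifier" . -}}` and `{{- template "comments" . -}}` on their own trimmed lines; the output is identical because the neighbouring actions trim the surrounding whitespace, but the mixed forms obscure that the same prefix/suffix pair is applied to every rule. I would move the two Capability calls onto their own lines in the same `{{- template … -}}` form as the Network branch so a reader can verify the pattern by eye. The first hunk of this file opens with a `{{ end -}}` whose matching block starts outside the hunk.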


@ -0,0 +1,11 @@
{{- define "qualifier" -}}
{{- if .Owner -}}
{{- "owner " -}}
{{- end -}}
{{- if .Audit -}}
{{- "audit " -}}
{{- end -}}
{{- if eq .AccessType "deny" -}}
{{- "deny " -}}
{{- end -}}
{{- end -}}
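Review bot: The qualifier order emitted here is owner, then audit, then deny, whereas as I recall apparmor.d(5) describes the rule prefix as audit, then allow/deny, then owner (for example `audit deny owner /path rw,`); if apparmor_parser is as strict about the order as the manual suggests, any rule that sets Owner together with Audit or a deny AccessType would be rejected when the generated profile is loaded. I cannot confirm the parser's tolerance from this commit, so please check it against apparmor_parser and, if it is strict, reorder the three blocks to `{{- if .Audit -}}{{- "audit " -}}{{- end -}}` first, then the deny check, then the owner check. A one-line header comment naming the expected order and the fields dot must provide would also help the next editor.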


@ -3,7 +3,7 @@ abi <abi/4.0>,
alias /mnt/usr -> /usr, alias /mnt/usr -> /usr,
include <tunables/global>, include <tunables/global>
@{exec_path} = @{bin}/foo @{lib}/foo @{exec_path} = @{bin}/foo @{lib}/foo
profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach_disconnected) { profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach_disconnected) {