mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(aa): add sub templates.

Browse Source
This commit is contained in:
Alexandre Pujol 2023-09-29 20:28:56 +01:00
parent cb441733c0
commit 09a06db803
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
6 changed files with 63 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
pkg/aa/template.go
View File

@ -5,7 +5,7 @@
package aa
import (
_ "embed"
"embed"
"reflect"
"strings"
"text/template"
@ -15,10 +15,10 @@ import (
const indentation = " "
var (
//go:embed templates/profile.j2
tmplFileAppArmorProfile string
//go:embed templates/*.j2
tmplFiles embed.FS
// tmplFunctionMap is the list of function available in the template
// The functions available in the template
tmplFunctionMap = template.FuncMap{
"typeof": typeOf,
"join": join,
@ -27,8 +27,7 @@ var (
}
// The apparmor profile template
tmplAppArmorProfile = template.Must(template.New("profile").
Funcs(tmplFunctionMap).Parse(tmplFileAppArmorProfile))
tmplAppArmorProfile = generateTemplate()
// convert apparmor requested mask to apparmor access mode
// TODO: Should be a map of slice, not exhausive yet
@ -110,6 +109,12 @@ var (
fileWeights = map[string]int{}
)
func generateTemplate() *template.Template {
res := template.New("profile.j2").Funcs(tmplFunctionMap)
res = template.Must(res.ParseFS(tmplFiles, "templates/*.j2"))
return res
}
func init() {
for i, r := range fileAlphabet {
fileWeights[r] = i

8
pkg/aa/templates/comments.j2 Normal file
View File

@ -0,0 +1,8 @@
{{- define "comments" -}}
{{- if .FileInherit -}}
{{- " # file_inherit" -}}
{{- end -}}
{{- if .NoNewPrivs -}}
{{- " # no new privs" -}}
{{- end -}}
{{- end -}}

11
pkg/aa/templates/include.j2 Normal file
View File

@ -0,0 +1,11 @@
{{- define "include" -}}
{{- "include" -}}
{{- if .IfExists -}}
{{ " if exists" }}
{{- end -}}
{{- if .IsMagic -}}
{{ " <" }}{{ .Path }}{{ ">" }}
{{- else -}}
{{ " \"" }}{{ .Path }}{{ "\"" }}
{{- end -}}
{{- end -}}

49
pkg/aa/templates/profile.j2
View File

@ -15,15 +15,7 @@
{{ end -}}
{{- range .Includes -}}
{{- "include " -}}
{{- if .IfExists -}}
{{- "if exists " -}}
{{- end -}}
{{- if .IsMagic -}}
{{ "<" }}{{ .Path }}{{ ">,\n" }}
{{- else -}}
{{ "\"" }}{{ .Path }}{{ "\",\n" }}
{{- end }}
{{ template "include" . }}{{ "\n" }}
{{ end -}}
{{- range .Variables -}}
@ -57,15 +49,7 @@
{{- indent "" -}}
{{- if eq $type "Include" -}}
{{- "include " -}}
{{- if .IfExists -}}
{{ "if exists " }}
{{- end -}}
{{- if .IsMagic -}}
{{ "<" }}{{ .Path }}{{ ">" }}
{{- else -}}
{{ "\"" }}{{ .Path }}{{ "\"" }}
{{- end -}}
{{ template "include" . }}
{{- end -}}
{{- if eq $type "Rlimit" -}}
@ -73,10 +57,11 @@
{{- end -}}
{{- if eq $type "Capability" -}}
{{ "capability " }}{{ .Name }}{{ "," }}
{{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comments" . }}
{{- end -}}
{{- if eq $type "Network" -}}
{{- template "qualifier" . -}}
{{ "network" }}
{{- with .Domain -}}
{{ " " }}{{ . }}
@ -89,9 +74,11 @@
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comments" . -}}
{{- end -}}
{{- if eq $type "Mount" -}}
{{- template "qualifier" . -}}
{{- "mount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
@ -106,9 +93,11 @@
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comments" . -}}
{{- end -}}
{{- if eq $type "Umount" -}}
{{- template "qualifier" . -}}
{{- "umount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
@ -120,9 +109,11 @@
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comments" . -}}
{{- end -}}
{{- if eq $type "Remount" -}}
{{- template "qualifier" . -}}
{{- "remount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
@ -134,9 +125,11 @@
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comments" . -}}
{{- end -}}
{{- if eq $type "Unix" -}}
{{- template "qualifier" . -}}
{{- "unix" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
@ -155,9 +148,11 @@
{{- ")" -}}
{{- end -}}
{{- "," -}}
{{- template "comments" . -}}
{{- end -}}
{{- if eq $type "Ptrace" -}}
{{- template "qualifier" . -}}
{{- "ptrace" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
@ -166,9 +161,11 @@
{{ " peer=" }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comments" . -}}
{{- end -}}
{{- if eq $type "Signal" -}}
{{- template "qualifier" . -}}
{{- "signal" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
@ -180,9 +177,11 @@
{{ " peer=" }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comments" . -}}
{{- end -}}
{{- if eq $type "Dbus" -}}
{{- template "qualifier" . -}}
{{- "dbus" -}}
{{- if eq .Access "bind" -}}
{{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
@ -213,23 +212,17 @@
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comments" . -}}
{{- end -}}
{{- if eq $type "File" -}}
{{- if .Owner -}}
{{- "owner " -}}
{{- end -}}
{{- template "qualifier" . -}}
{{ .Path }}{{ " " }}{{ .Access }}
{{- with .Target -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- if .FileInherit -}}
{{- " # file_inherit" -}}
{{- end -}}
{{- if .NoNewPrivs -}}
{{- " # no new privs" -}}
{{- end -}}
{{- template "comments" . -}}
{{- end -}}
{{- "\n" -}}

11
pkg/aa/templates/qualifier.j2 Normal file
View File

@ -0,0 +1,11 @@
{{- define "qualifier" -}}
{{- if .Owner -}}
{{- "owner " -}}
{{- end -}}
{{- if .Audit -}}
{{- "audit " -}}
{{- end -}}
{{- if eq .AccessType "deny" -}}
{{- "deny " -}}
{{- end -}}
{{- end -}}

2
tests/string.aa
View File

@ -3,7 +3,7 @@ abi <abi/4.0>,
alias /mnt/usr -> /usr,
include <tunables/global>,
include <tunables/global>
@{exec_path} = @{bin}/foo @{lib}/foo
profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach_disconnected) {