mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-20 17:05:36 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(aa): refractor apparmor templates to the last changes.

Browse source
This commit is contained in:
Alexandre Pujol 2024-04-23 21:27:35 +01:00
parent 5483668574
commit 120db93396
Failed to generate hash of commit
15 changed files with 236 additions and 152 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
pkg/aa/templates/apparmor.j2
View file

@ -2,26 +2,48 @@
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- range .Abi -}}
{{- if .IsMagic -}}
{{ "abi <" }}{{ .Path }}{{ ">,\n" }}
{{- else -}}
{{ "abi \"" }}{{ .Path }}{{ "\",\n" }}
{{- end }}
{{ end -}}
{{- define "apparmor" -}}
{{- range .Aliases -}}
{{ "alias " }}{{ .Path }}{{ " -> " }}{{ .RewrittenPath }}{{ ",\n" }}
{{ end -}}
{{- with .Comments -}}
{{- range . -}}
{{- template "comment" . -}}
{{- "\n" -}}
{{- end -}}
{{- "\n" -}}
{{- end -}}
{{- range .Includes -}}
{{ template "include" . }}{{ "\n" }}
{{ end -}}
{{- with .Abi -}}
{{- range . -}}
{{- template "abi" . -}}
{{- "\n" -}}
{{- end -}}
{{- "\n" -}}
{{- end -}}
{{- range .Variables -}}
{{ "@{" }}{{ .Name }}{{ "} = " }}{{ join .Values }}
{{ end -}}
{{- with .Aliases -}}
{{- range . -}}
{{- template "alias" . -}}
{{- "\n" -}}
{{- end -}}
{{- "\n" -}}
{{- end -}}
{{- with .Includes -}}
{{- range . -}}
{{- template "include" . -}}
{{- "\n" -}}
{{- end -}}
{{- "\n" -}}
{{- end -}}
{{- range .Variables -}}
{{- template "variable" . -}}
{{- "\n" -}}
{{- end -}}
{{- range .Profiles -}}
{{- template "profile" . -}}
{{- "\n" -}}
{{- end -}}
{{- range .Profiles -}}
{{ template "profile" . }}
{{- end -}}

120
pkg/aa/templates/profile.j2
View file

@ -4,110 +4,24 @@
{{- define "profile" -}}
{{- with .Header -}}
{{- "profile" -}}
{{- with .Name -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Attachments -}}
{{ " " }}{{ join . }}
{{- end -}}
{{- with .Attributes -}}
{{ " xattrs=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .Flags -}}
{{ " flags=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- " {\n" -}}
{{- "profile" -}}
{{- with .Name -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Attachments -}}
{{ " " }}{{ join . }}
{{- end -}}
{{- with .Attributes -}}
{{ " xattrs=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .Flags -}}
{{ " flags=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- $oldtype := "" -}}
{{- range .Rules -}}
{{- $type := typeof . -}}
{{- if eq $type "Rule" -}}
{{- template "comment" . -}}
{{- "\n" -}}
{{- continue -}}
{{- end -}}
{{- if and (ne $type $oldtype) (ne $oldtype "") -}}
{{- "\n" -}}
{{- end -}}
{{- indent "" -}}
{{- if eq $type "Include" -}}
{{ template "include" . }}
{{- end -}}
{{- if eq $type "Rlimit" -}}
{{- template "rlimit" . -}}
{{- end -}}
{{- if eq $type "Userns" -}}
{{- template "userns" . -}}
{{- end -}}
{{- if eq $type "Capability" -}}
{{- template "capability" . -}}
{{- end -}}
{{- if eq $type "Network" -}}
{{- template "network" . -}}
{{- end -}}
{{- if eq $type "Mount" -}}
{{- template "mount" . -}}
{{- end -}}
{{- if eq $type "Remount" -}}
{{- template "remount" . -}}
{{- end -}}
{{- if eq $type "Umount" -}}
{{- template "umount" . -}}
{{- end -}}
{{- if eq $type "PivotRoot" -}}
{{- template "pivot_root" . -}}
{{- end -}}
{{- if eq $type "ChangeProfile" -}}
{{- template "change_profile" . -}}
{{- end -}}
{{- if eq $type "Mqueue" -}}
{{- template "mqueue" . -}}
{{- end -}}
{{- if eq $type "Unix" -}}
{{- template "unix" . -}}
{{- end -}}
{{- if eq $type "Ptrace" -}}
{{- template "ptrace" . -}}
{{- end -}}
{{- if eq $type "Signal" -}}
{{- template "signal" . -}}
{{- end -}}
{{- if eq $type "Dbus" -}}
{{- template "dbus" . -}}
{{- end -}}
{{- if eq $type "File" -}}
{{- template "file" . -}}
{{- end -}}
{{- if eq $type "Profile" -}}
{{ template "profile" . }}
{{- end -}}
{{- "\n" -}}
{{- $oldtype = $type -}}
{{- end -}}
{{- with .Header -}}
{{- "}\n" -}}
{{- end -}}
{{- " {\n" -}}
{{- setindent "++" -}}
{{- template "rules" .Rules -}}
{{- setindent "--" -}}
{{- indent "}" -}}
{{- end -}}

14
pkg/aa/templates/rule/abi.j2 Normal file
View file

@ -0,0 +1,14 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "abi" -}}
{{- "abi" -}}
{{- if .IsMagic -}}
{{ " <" }}{{ .Path }}{{ ">" }}
{{- else -}}
{{ " \"" }}{{ .Path }}{{ "\"" }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

12
pkg/aa/templates/rule/alias.j2 Normal file
View file

@ -0,0 +1,12 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "alias" -}}
{{- "alias " -}}
{{- .Path -}}
{{- " -> " -}}
{{- .RewrittenPath -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

8
pkg/aa/templates/rule/capability.j2
View file

@ -3,5 +3,11 @@
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "capability" -}}
{{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comment" . }}
{{- template "qualifier" . -}}
{{- "capability" -}}
{{- range .Names -}}
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

30
pkg/aa/templates/rule/comment.j2
View file

@ -4,18 +4,22 @@
{{- define "comment" -}}
{{- if or .FileInherit .NoNewPrivs .Optional .Comment -}}
{{- " #" -}}
{{- end -}}
{{- if .FileInherit -}}
{{- " file_inherit" -}}
{{- end -}}
{{- if .NoNewPrivs -}}
{{- " no new privs" -}}
{{- end -}}
{{- if .Optional -}}
{{- " optional:" -}}
{{- end -}}
{{- with .Comment -}}
{{ " " }}{{ . }}
{{- if .IsLineRule }}
{{- "#" -}}
{{- else -}}
{{- " #" -}}
{{- end -}}
{{- if .FileInherit -}}
{{- " file_inherit" -}}
{{- end -}}
{{- if .NoNewPrivs -}}
{{- " no new privs" -}}
{{- end -}}
{{- if .Optional -}}
{{- " optional:" -}}
{{- end -}}
{{- with .Comment -}}
{{ " " }}{{ . }}
{{- end -}}
{{- end -}}
{{- end -}}

19
pkg/aa/templates/rule/dbus.j2
View file

@ -5,11 +5,15 @@
{{- define "dbus" -}}
{{- template "qualifier" . -}}
{{- "dbus" -}}
{{- if eq .Access "bind" -}}
{{- $access := "" -}}
{{- if .Access -}}
{{- $access = index .Access 0 -}}
{{- end -}}
{{- if eq $access "bind" -}}
{{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
{{- else -}}
{{- with .Access -}}
{{ " " }}{{ . }}
{{ " " }}{{ cjoin . }}
{{- end -}}
{{- with .Bus -}}
{{ " bus=" }}{{ . }}
@ -17,21 +21,20 @@
{{- with .Path -}}
{{ " path=" }}{{ . }}
{{- end -}}
{{ "\n" }}
{{- with .Interface -}}
{{ overindent "interface=" }}{{ . }}{{ "\n" }}
{{ "\n" }}{{ overindent "interface=" }}{{ . }}
{{- end -}}
{{- with .Member -}}
{{ overindent "member=" }}{{ . }}{{ "\n" }}
{{ "\n" }}{{ overindent "member=" }}{{ . }}
{{- end -}}
{{- if and .PeerName .PeerLabel -}}
{{ overindent "peer=(name=" }}{{ .PeerName }}{{ ", label="}}{{ .PeerLabel }}{{ ")" }}
{{ "\n" }}{{ overindent "peer=(name=" }}{{ .PeerName }}{{ ", label="}}{{ .PeerLabel }}{{ ")" }}
{{- else -}}
{{- with .PeerName -}}
{{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
{{ "\n" }}{{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .PeerLabel -}}
{{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
{{ "\n" }}{{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- end -}}
{{- end -}}

4
pkg/aa/templates/rule/file.j2
View file

@ -12,7 +12,9 @@
{{- with .Padding -}}
{{ . }}
{{- end -}}
{{- .Access -}}
{{- range .Access -}}
{{- . -}}
{{- end -}}
{{- with .Target -}}
{{ " -> " }}{{ . }}
{{- end -}}

6
pkg/aa/templates/rule/mount.j2
View file

@ -9,7 +9,7 @@
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{ " options=" }}{{ cjoin . }}
{{- end -}}
{{- with .Source -}}
{{ " " }}{{ . }}
@ -28,7 +28,7 @@
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{ " options=" }}{{ cjoin . }}
{{- end -}}
{{- with .MountPoint -}}
{{ " " }}{{ . }}
@ -44,7 +44,7 @@
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{ " options=" }}{{ cjoin . }}
{{- end -}}
{{- with .MountPoint -}}
{{ " " }}{{ . }}

2
pkg/aa/templates/rule/mqueue.j2
View file

@ -6,7 +6,7 @@
{{- template "qualifier" . -}}
{{- "mqueue" -}}
{{- with .Access -}}
{{ " " }}{{ . }}
{{ " " }}{{ cjoin . }}
{{- end -}}
{{- with .Type -}}
{{ " type=" }}{{ . }}

2
pkg/aa/templates/rule/ptrace.j2
View file

@ -6,7 +6,7 @@
{{- template "qualifier" . -}}
{{- "ptrace" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{ " " }}{{ cjoin . }}
{{- end -}}
{{- with .Peer -}}
{{ " peer=" }}{{ . }}

4
pkg/aa/templates/rule/signal.j2
View file

@ -6,10 +6,10 @@
{{- template "qualifier" . -}}
{{- "signal" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{ " " }}{{ cjoin . }}
{{- end -}}
{{- with .Set -}}
{{ " set=(" }}{{ . }}{{ ")" }}
{{ " set=" }}{{ cjoin . }}
{{- end -}}
{{- with .Peer -}}
{{ " peer=" }}{{ . }}

2
pkg/aa/templates/rule/unix.j2
View file

@ -6,7 +6,7 @@
{{- template "qualifier" . -}}
{{- "unix" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{ " " }}{{ cjoin . }}
{{- end -}}
{{- with .Type -}}
{{ " type=" }}{{ . }}

14
pkg/aa/templates/rule/variable.j2 Normal file
View file

@ -0,0 +1,14 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "variable" -}}
{{- "@{" -}}{{- .Name -}}{{- "}" -}}
{{- if .Define }}
{{- " = " -}}
{{- else -}}
{{- " += " -}}
{{- end -}}
{{- join .Values -}}
{{- template "comment" . -}}
{{- end -}}

93
pkg/aa/templates/rules.j2 Normal file
View file

@ -0,0 +1,93 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "rules" -}}
{{- $oldtype := "" -}}
{{- range . -}}
{{- $type := typeof . -}}
{{- if eq $type "RuleBase" -}}
{{- template "comment" . -}}
{{- "\n" -}}
{{- continue -}}
{{- end -}}
{{- if and (ne $type $oldtype) (ne $oldtype "") -}}
{{- "\n" -}}
{{- end -}}
{{- indent "" -}}
{{- if eq $type "Include" -}}
{{- template "include" . -}}
{{- end -}}
{{- if eq $type "Rlimit" -}}
{{- template "rlimit" . -}}
{{- end -}}
{{- if eq $type "Userns" -}}
{{- template "userns" . -}}
{{- end -}}
{{- if eq $type "Capability" -}}
{{- template "capability" . -}}
{{- end -}}
{{- if eq $type "Network" -}}
{{- template "network" . -}}
{{- end -}}
{{- if eq $type "Mount" -}}
{{- template "mount" . -}}
{{- end -}}
{{- if eq $type "Remount" -}}
{{- template "remount" . -}}
{{- end -}}
{{- if eq $type "Umount" -}}
{{- template "umount" . -}}
{{- end -}}
{{- if eq $type "PivotRoot" -}}
{{- template "pivot_root" . -}}
{{- end -}}
{{- if eq $type "ChangeProfile" -}}
{{- template "change_profile" . -}}
{{- end -}}
{{- if eq $type "Mqueue" -}}
{{- template "mqueue" . -}}
{{- end -}}
{{- if eq $type "Unix" -}}
{{- template "unix" . -}}
{{- end -}}
{{- if eq $type "Ptrace" -}}
{{- template "ptrace" . -}}
{{- end -}}
{{- if eq $type "Signal" -}}
{{- template "signal" . -}}
{{- end -}}
{{- if eq $type "Dbus" -}}
{{- template "dbus" . -}}
{{- end -}}
{{- if eq $type "File" -}}
{{- template "file" . -}}
{{- end -}}
{{- if eq $type "Profile" -}}
{{- template "profile" . -}}
{{- end -}}
{{- "\n" -}}
{{- $oldtype = $type -}}
{{- end -}}
{{- end -}}