diff --git a/pkg/aa/templates/apparmor.j2 b/pkg/aa/templates/apparmor.j2
index 821341b5..1686a7de 100644
--- a/pkg/aa/templates/apparmor.j2
+++ b/pkg/aa/templates/apparmor.j2
@@ -2,26 +2,48 @@
 {{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
 {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
-{{- range .Abi -}}
- {{- if .IsMagic -}}
- {{ "abi <" }}{{ .Path }}{{ ">,\n" }}
- {{- else -}}
- {{ "abi \"" }}{{ .Path }}{{ "\",\n" }}
- {{- end }}
-{{ end -}}
+{{- define "apparmor" -}}
-{{- range .Aliases -}}
- {{ "alias " }}{{ .Path }}{{ " -> " }}{{ .RewrittenPath }}{{ ",\n" }}
-{{ end -}}
+ {{- with .Comments -}}
+ {{- range . -}}
+ {{- template "comment" . -}}
+ {{- "\n" -}}
+ {{- end -}}
+ {{- "\n" -}}
+ {{- end -}}
-{{- range .Includes -}}
- {{ template "include" . }}{{ "\n" }}
-{{ end -}}
+ {{- with .Abi -}}
+ {{- range . -}}
+ {{- template "abi" . -}}
+ {{- "\n" -}}
+ {{- end -}}
+ {{- "\n" -}}
+ {{- end -}}
-{{- range .Variables -}}
- {{ "@{" }}{{ .Name }}{{ "} = " }}{{ join .Values }}
-{{ end -}}
+ {{- with .Aliases -}}
+ {{- range . -}}
+ {{- template "alias" . -}}
+ {{- "\n" -}}
+ {{- end -}}
+ {{- "\n" -}}
+ {{- end -}}
+
+ {{- with .Includes -}}
+ {{- range . -}}
+ {{- template "include" . -}}
+ {{- "\n" -}}
+ {{- end -}}
+ {{- "\n" -}}
+ {{- end -}}
+
+ {{- range .Variables -}}
+ {{- template "variable" . -}}
+ {{- "\n" -}}
+ {{- end -}}
+
+ {{- range .Profiles -}}
+ {{- template "profile" . -}}
+ {{- "\n" -}}
+ {{- end -}}
-{{- range .Profiles -}}
- {{ template "profile" . }}
 {{- end -}}
diff --git a/pkg/aa/templates/profile.j2 b/pkg/aa/templates/profile.j2
index 394f18a1..f2df9069 100644
--- a/pkg/aa/templates/profile.j2
+++ b/pkg/aa/templates/profile.j2
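Review bot: The `.Variables` loop is the only section in the new "apparmor" template that does not emit a separating `{{- "\n" -}}` after it, so a rendered file goes straight from the last `@{...} = ...` line into the first `profile` header, unlike the Comments/Abi/Aliases/Includes sections above it which each end with a blank line. Because the variables loop is a bare `range` rather than `with`, the separator cannot simply be appended without producing a stray blank line for inputs with no variables. Wrapping it like its siblings, `{{- with .Variables -}}{{- range . -}}…{{- end -}}{{- "\n" -}}{{- end -}}`, keeps the output consistent across sections.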
@@ -4,110 +4,24 @@
 {{- define "profile" -}}
- {{- with .Header -}}
- {{- "profile" -}}
- {{- with .Name -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- with .Attachments -}}
- {{ " " }}{{ join . }}
- {{- end -}}
- {{- with .Attributes -}}
- {{ " xattrs=(" }}{{ join . }}{{ ")" }}
- {{- end -}}
- {{- with .Flags -}}
- {{ " flags=(" }}{{ join . }}{{ ")" }}
- {{- end -}}
- {{- " {\n" -}}
+ {{- "profile" -}}
+ {{- with .Name -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- with .Attachments -}}
+ {{ " " }}{{ join . }}
+ {{- end -}}
+ {{- with .Attributes -}}
+ {{ " xattrs=(" }}{{ join . }}{{ ")" }}
+ {{- end -}}
+ {{- with .Flags -}}
+ {{ " flags=(" }}{{ join . }}{{ ")" }}
 {{- end -}}
- {{- $oldtype := "" -}}
- {{- range .Rules -}}
- {{- $type := typeof . -}}
- {{- if eq $type "Rule" -}}
- {{- template "comment" . -}}
- {{- "\n" -}}
- {{- continue -}}
- {{- end -}}
- {{- if and (ne $type $oldtype) (ne $oldtype "") -}}
- {{- "\n" -}}
- {{- end -}}
- {{- indent "" -}}
-
- {{- if eq $type "Include" -}}
- {{ template "include" . }}
- {{- end -}}
-
- {{- if eq $type "Rlimit" -}}
- {{- template "rlimit" . -}}
- {{- end -}}
-
- {{- if eq $type "Userns" -}}
- {{- template "userns" . -}}
- {{- end -}}
-
- {{- if eq $type "Capability" -}}
- {{- template "capability" . -}}
- {{- end -}}
-
- {{- if eq $type "Network" -}}
- {{- template "network" . -}}
- {{- end -}}
-
- {{- if eq $type "Mount" -}}
- {{- template "mount" . -}}
- {{- end -}}
-
- {{- if eq $type "Remount" -}}
- {{- template "remount" . -}}
- {{- end -}}
-
- {{- if eq $type "Umount" -}}
- {{- template "umount" . -}}
- {{- end -}}
-
- {{- if eq $type "PivotRoot" -}}
- {{- template "pivot_root" . -}}
- {{- end -}}
-
- {{- if eq $type "ChangeProfile" -}}
- {{- template "change_profile" . -}}
- {{- end -}}
-
- {{- if eq $type "Mqueue" -}}
- {{- template "mqueue" . -}}
- {{- end -}}
-
- {{- if eq $type "Unix" -}}
- {{- template "unix" . -}}
- {{- end -}}
-
- {{- if eq $type "Ptrace" -}}
- {{- template "ptrace" . -}}
- {{- end -}}
-
- {{- if eq $type "Signal" -}}
- {{- template "signal" . -}}
- {{- end -}}
-
- {{- if eq $type "Dbus" -}}
- {{- template "dbus" . -}}
- {{- end -}}
-
- {{- if eq $type "File" -}}
- {{- template "file" . -}}
- {{- end -}}
-
- {{- if eq $type "Profile" -}}
- {{ template "profile" . }}
- {{- end -}}
-
- {{- "\n" -}}
- {{- $oldtype = $type -}}
- {{- end -}}
-
- {{- with .Header -}}
- {{- "}\n" -}}
- {{- end -}}
+ {{- " {\n" -}}
+ {{- setindent "++" -}}
+ {{- template "rules" .Rules -}}
+ {{- setindent "--" -}}
+ {{- indent "}" -}}
 {{- end -}}
diff --git a/pkg/aa/templates/rule/abi.j2 b/pkg/aa/templates/rule/abi.j2
new file mode 100644
index 00000000..09840a8d
--- /dev/null
+++ b/pkg/aa/templates/rule/abi.j2
@@ -0,0 +1,14 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "abi" -}}
+ {{- "abi" -}}
+ {{- if .IsMagic -}}
+ {{ " <" }}{{ .Path }}{{ ">" }}
+ {{- else -}}
+ {{ " \"" }}{{ .Path }}{{ "\"" }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
diff --git a/pkg/aa/templates/rule/alias.j2 b/pkg/aa/templates/rule/alias.j2
new file mode 100644
index 00000000..2912d334
--- /dev/null
+++ b/pkg/aa/templates/rule/alias.j2
@@ -0,0 +1,12 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "alias" -}}
+ {{- "alias " -}}
+ {{- .Path -}}
+ {{- " -> " -}}
+ {{- .RewrittenPath -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
diff --git a/pkg/aa/templates/rule/capability.j2 b/pkg/aa/templates/rule/capability.j2
index 4041ab11..5b46e73a 100644
--- a/pkg/aa/templates/rule/capability.j2
+++ b/pkg/aa/templates/rule/capability.j2
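Review bot: With the `{{- with .Header -}}` guard removed, the `profile` keyword and the closing `indent "}"` are now emitted unconditionally, so a Profile value whose `Name` and `Attachments` are both empty renders as `profile {` … `}`, which as far as I can tell apparmor_parser rejects (a name or an attachment is required), whereas the old template emitted only the rule list for a header-less value. Whether header-less profiles are still produced is decided on the Go side, which is not visible here; if they are, either keep a guard around the whole header or fail in Go before rendering rather than producing an unloadable profile. At minimum a note above `{{- "profile" -}}`, `{{- /* a Name or at least one Attachment is required: bare "profile {" is not valid policy */ -}}`, documents the assumption this rewrite introduces.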
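Review bot: `{{ .Path }}` is interpolated verbatim in both branches of the new "abi" template, so a value containing `>` in the magic case or `"` in the quoted case closes the directive early and whatever follows is parsed as further policy; the same holds for `.Path` and `.RewrittenPath` in the new "alias" template. That is harmless as long as these values only ever come from policy files that apparmor_parser has already accepted, but nothing in the templates enforces it and the origin of the data is not visible in this diff. Either validate in the Go type that builds these rules (reject `>`, `"` and newlines) or record the contract in the template with `{{- /* .Path is emitted unescaped; the caller must validate it */ -}}` so the next person wiring a new input source knows.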
@@ -3,5 +3,11 @@
 {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
 {{- define "capability" -}}
- {{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comment" . }}
+ {{- template "qualifier" . -}}
+ {{- "capability" -}}
+ {{- range .Names -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
 {{- end -}}
diff --git a/pkg/aa/templates/rule/comment.j2 b/pkg/aa/templates/rule/comment.j2
index 68fc20a8..2a752288 100644
--- a/pkg/aa/templates/rule/comment.j2
+++ b/pkg/aa/templates/rule/comment.j2
@@ -4,18 +4,22 @@
 {{- define "comment" -}}
 {{- if or .FileInherit .NoNewPrivs .Optional .Comment -}}
- {{- " #" -}}
- {{- end -}}
- {{- if .FileInherit -}}
- {{- " file_inherit" -}}
- {{- end -}}
- {{- if .NoNewPrivs -}}
- {{- " no new privs" -}}
- {{- end -}}
- {{- if .Optional -}}
- {{- " optional:" -}}
- {{- end -}}
- {{- with .Comment -}}
- {{ " " }}{{ . }}
+ {{- if .IsLineRule }}
+ {{- "#" -}}
+ {{- else -}}
+ {{- " #" -}}
+ {{- end -}}
+ {{- if .FileInherit -}}
+ {{- " file_inherit" -}}
+ {{- end -}}
+ {{- if .NoNewPrivs -}}
+ {{- " no new privs" -}}
+ {{- end -}}
+ {{- if .Optional -}}
+ {{- " optional:" -}}
+ {{- end -}}
+ {{- with .Comment -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/pkg/aa/templates/rule/dbus.j2 b/pkg/aa/templates/rule/dbus.j2
index a25b87ef..f3227ad7 100644
--- a/pkg/aa/templates/rule/dbus.j2
+++ b/pkg/aa/templates/rule/dbus.j2
@@ -5,11 +5,15 @@
 {{- define "dbus" -}}
 {{- template "qualifier" . -}}
 {{- "dbus" -}}
- {{- if eq .Access "bind" -}}
+ {{- $access := "" -}}
+ {{- if .Access -}}
+ {{- $access = index .Access 0 -}}
+ {{- end -}}
+ {{- if eq $access "bind" -}}
 {{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
 {{- else -}}
 {{- with .Access -}}
- {{ " " }}{{ . }}
+ {{ " " }}{{ cjoin . }}
 {{- end -}}
 {{- with .Bus -}}
 {{ " bus=" }}{{ . }}
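Review bot: An empty `.Names` slice now renders as `capability,` (the `range` body emits nothing), and in AppArmor a bare `capability,` grants every capability, so a Capability value constructed without names silently becomes the broadest possible rule instead of an error. The old `{{ .Name }}` form had the same failure mode with an empty string, but a slice makes it much easier to hit since an empty list is the natural zero value. I would have the Go type reject an empty `Names` unless the catch-all is explicitly requested, or at least flag it in the template above the `range`: `{{- /* no names => bare "capability," which grants ALL capabilities; must be intentional */ -}}`.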
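Review bot: In the "comment" template, `{{- if .IsLineRule }}` is the only directive without a closing `-}}` trim marker; output is unaffected only because the next `{{- "#" -}}` trims from its side, and it should read `{{- if .IsLineRule -}}` like everything around it. Separately, `.Comment` is written verbatim after `#`, so a value containing a newline ends the comment and the rest of the text is parsed as policy; if comments can be populated from anything other than already-parsed profiles (not visible in this diff), the Go side should strip or reject newlines before rendering. A note on the `with .Comment` line, `{{- /* emitted unescaped; must not contain a newline */ -}}`, would record that expectation.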
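Review bot: The `bind` detection in the "dbus" template looks only at `index .Access 0`, so an `Access` list such as `[bind send]` takes the bind branch and silently drops `send`, while `[send bind]` goes through the `cjoin` branch and is rendered as `dbus (send, bind) bus=…` apparently without the `name=` that only the bind branch adds (the rest of the else branch is outside this hunk). If mixed lists are not meant to exist, the type that builds `Access` should reject them so the template never sees one; otherwise the check should test membership rather than position. Until then a comment on the `$access` assignment, `{{- /* bind is recognised only as the first access; mixed lists are not supported */ -}}`, documents the limitation.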
@@ -17,21 +21,20 @@
 {{- with .Path -}}
 {{ " path=" }}{{ . }}
 {{- end -}}
- {{ "\n" }}
 {{- with .Interface -}}
- {{ overindent "interface=" }}{{ . }}{{ "\n" }}
+ {{ "\n" }}{{ overindent "interface=" }}{{ . }}
 {{- end -}}
 {{- with .Member -}}
- {{ overindent "member=" }}{{ . }}{{ "\n" }}
+ {{ "\n" }}{{ overindent "member=" }}{{ . }}
 {{- end -}}
 {{- if and .PeerName .PeerLabel -}}
- {{ overindent "peer=(name=" }}{{ .PeerName }}{{ ", label="}}{{ .PeerLabel }}{{ ")" }}
+ {{ "\n" }}{{ overindent "peer=(name=" }}{{ .PeerName }}{{ ", label="}}{{ .PeerLabel }}{{ ")" }}
 {{- else -}}
 {{- with .PeerName -}}
- {{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
+ {{ "\n" }}{{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
 {{- end -}}
 {{- with .PeerLabel -}}
- {{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
+ {{ "\n" }}{{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/pkg/aa/templates/rule/file.j2 b/pkg/aa/templates/rule/file.j2
index ea016e77..0021a874 100644
--- a/pkg/aa/templates/rule/file.j2
+++ b/pkg/aa/templates/rule/file.j2
@@ -12,7 +12,9 @@
 {{- with .Padding -}}
 {{ . }}
 {{- end -}}
- {{- .Access -}}
+ {{- range .Access -}}
+ {{- . -}}
+ {{- end -}}
 {{- with .Target -}}
 {{ " -> " }}{{ . }}
 {{- end -}}
diff --git a/pkg/aa/templates/rule/mount.j2 b/pkg/aa/templates/rule/mount.j2
index 19d29b13..c97ead10 100644
--- a/pkg/aa/templates/rule/mount.j2
+++ b/pkg/aa/templates/rule/mount.j2
@@ -9,7 +9,7 @@
 {{ " fstype=" }}{{ . }}
 {{- end -}}
 {{- with .Options -}}
- {{ " options=(" }}{{ join . }}{{ ")" }}
+ {{ " options=" }}{{ cjoin . }}
 {{- end -}}
 {{- with .Source -}}
 {{ " " }}{{ . }}
@@ -28,7 +28,7 @@
 {{ " fstype=" }}{{ . }}
 {{- end -}}
 {{- with .Options -}}
- {{ " options=(" }}{{ join . }}{{ ")" }}
+ {{ " options=" }}{{ cjoin . }}
 {{- end -}}
 {{- with .MountPoint -}}
 {{ " " }}{{ . }}
@@ -44,7 +44,7 @@
 {{ " fstype=" }}{{ . }}
 {{- end -}}
 {{- with .Options -}}
- {{ " options=(" }}{{ join . }}{{ ")" }}
+ {{ " options=" }}{{ cjoin . }}
 {{- end -}}
 {{- with .MountPoint -}}
 {{ " " }}{{ . }}
diff --git a/pkg/aa/templates/rule/mqueue.j2 b/pkg/aa/templates/rule/mqueue.j2
index 48b764aa..e2df2756 100644
--- a/pkg/aa/templates/rule/mqueue.j2
+++ b/pkg/aa/templates/rule/mqueue.j2
@@ -6,7 +6,7 @@
 {{- template "qualifier" . -}}
 {{- "mqueue" -}}
 {{- with .Access -}}
- {{ " " }}{{ . }}
+ {{ " " }}{{ cjoin . }}
 {{- end -}}
 {{- with .Type -}}
 {{ " type=" }}{{ . }}
diff --git a/pkg/aa/templates/rule/ptrace.j2 b/pkg/aa/templates/rule/ptrace.j2
index 95318a28..c499890b 100644
--- a/pkg/aa/templates/rule/ptrace.j2
+++ b/pkg/aa/templates/rule/ptrace.j2
@@ -6,7 +6,7 @@
 {{- template "qualifier" . -}}
 {{- "ptrace" -}}
 {{- with .Access -}}
- {{ " (" }}{{ . }}{{ ")" }}
+ {{ " " }}{{ cjoin . }}
 {{- end -}}
 {{- with .Peer -}}
 {{ " peer=" }}{{ . }}
diff --git a/pkg/aa/templates/rule/signal.j2 b/pkg/aa/templates/rule/signal.j2
index b0fdbc35..b56085d8 100644
--- a/pkg/aa/templates/rule/signal.j2
+++ b/pkg/aa/templates/rule/signal.j2
@@ -6,10 +6,10 @@
 {{- template "qualifier" . -}}
 {{- "signal" -}}
 {{- with .Access -}}
- {{ " (" }}{{ . }}{{ ")" }}
+ {{ " " }}{{ cjoin . }}
 {{- end -}}
 {{- with .Set -}}
- {{ " set=(" }}{{ . }}{{ ")" }}
+ {{ " set=" }}{{ cjoin . }}
 {{- end -}}
 {{- with .Peer -}}
 {{ " peer=" }}{{ . }}
diff --git a/pkg/aa/templates/rule/unix.j2 b/pkg/aa/templates/rule/unix.j2
index fe1a6c7a..531eaaf9 100644
--- a/pkg/aa/templates/rule/unix.j2
+++ b/pkg/aa/templates/rule/unix.j2
@@ -6,7 +6,7 @@
 {{- template "qualifier" . -}}
 {{- "unix" -}}
 {{- with .Access -}}
- {{ " (" }}{{ . }}{{ ")" }}
+ {{ " " }}{{ cjoin . }}
 {{- end -}}
 {{- with .Type -}}
 {{ " type=" }}{{ . }}
diff --git a/pkg/aa/templates/rule/variable.j2 b/pkg/aa/templates/rule/variable.j2
new file mode 100644
index 00000000..f27e01cc
--- /dev/null
+++ b/pkg/aa/templates/rule/variable.j2
@@ -0,0 +1,14 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "variable" -}}
+ {{- "@{" -}}{{- .Name -}}{{- "}" -}}
+ {{- if .Define }}
+ {{- " = " -}}
+ {{- else -}}
+ {{- " += " -}}
+ {{- end -}}
+ {{- join .Values -}}
+ {{- template "comment" . -}}
+{{- end -}}
diff --git a/pkg/aa/templates/rules.j2 b/pkg/aa/templates/rules.j2
new file mode 100644
index 00000000..4ce59626
--- /dev/null
+++ b/pkg/aa/templates/rules.j2
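Review bot: `{{- if .Define }}` lacks the right-hand trim marker that every other directive in this new "variable" template uses; the output is unaffected only because the following `{{- " = " -}}` trims for it, so it should read `{{- if .Define -}}`. Separately, `join .Values` renders nothing for an empty slice, leaving `@{NAME} = ` or `@{NAME} += ` with no value at all, and an `+=` on a name never declared with `=` is likewise only caught when apparmor_parser loads the result. I would rather the Go type that builds a variable reject an empty `Values` up front than rely on the parser to report a half-written line.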
@@ -0,0 +1,93 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "rules" -}}
+
+ {{- $oldtype := "" -}}
+ {{- range . -}}
+ {{- $type := typeof . -}}
+ {{- if eq $type "RuleBase" -}}
+ {{- template "comment" . -}}
+ {{- "\n" -}}
+ {{- continue -}}
+ {{- end -}}
+
+ {{- if and (ne $type $oldtype) (ne $oldtype "") -}}
+ {{- "\n" -}}
+ {{- end -}}
+ {{- indent "" -}}
+
+ {{- if eq $type "Include" -}}
+ {{- template "include" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Rlimit" -}}
+ {{- template "rlimit" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Userns" -}}
+ {{- template "userns" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Capability" -}}
+ {{- template "capability" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Network" -}}
+ {{- template "network" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Mount" -}}
+ {{- template "mount" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Remount" -}}
+ {{- template "remount" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Umount" -}}
+ {{- template "umount" . -}}
+ {{- end -}}
+
+ {{- if eq $type "PivotRoot" -}}
+ {{- template "pivot_root" . -}}
+ {{- end -}}
+
+ {{- if eq $type "ChangeProfile" -}}
+ {{- template "change_profile" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Mqueue" -}}
+ {{- template "mqueue" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Unix" -}}
+ {{- template "unix" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Ptrace" -}}
+ {{- template "ptrace" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Signal" -}}
+ {{- template "signal" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Dbus" -}}
+ {{- template "dbus" . -}}
+ {{- end -}}
+
+ {{- if eq $type "File" -}}
+ {{- template "file" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Profile" -}}
+ {{- template "profile" . -}}
+ {{- end -}}
+
+ {{- "\n" -}}
+ {{- $oldtype = $type -}}
+ {{- end -}}
+
+{{- end -}}
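Review bot: A rule whose `typeof` matches none of the `if` branches falls through every check and the loop still emits `indent ""` and `"\n"`, so an unsupported rule type is silently dropped from the rendered policy as a blank line rather than reported; for a policy generator that is the worst failure mode, because the resulting profile loads cleanly while missing a rule the author wrote. Turning the run of independent `if`s into an `if`/`else if` chain with a terminal branch that fails loudly, e.g. `{{- else -}}{{ fail (printf "unsupported rule type %s" $type) }}` with a `fail` func registered on the Go side (text/template has no built-in for it), would surface the gap at render time. A comment at the top of the `range`, stating that every rule type produced by the parser must have a branch here, would also help the next person adding a type.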