mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-25 14:36:33 +01:00
build: add the task to automatically attach disconnected path.
Not yet enabled on build, as the profiles still require some testing.
This commit is contained in:
parent
e90ccd214c
commit
273485217c
2 changed files with 71 additions and 1 deletions
65
pkg/prebuild/builder/attach.go
Normal file
65
pkg/prebuild/builder/attach.go
Normal file
|
@ -0,0 +1,65 @@
|
|||
// apparmor.d - Full set of apparmor profiles
|
||||
// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
package builder
|
||||
|
||||
import (
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
"github.com/roddhjav/apparmor.d/pkg/prebuild"
|
||||
)
|
||||
|
||||
var (
|
||||
regProfile = regexp.MustCompile(`profile ([^ ]+)`)
|
||||
)
|
||||
|
||||
type ReAttach struct {
|
||||
prebuild.Base
|
||||
}
|
||||
|
||||
func init() {
|
||||
RegisterBuilder(&ReAttach{
|
||||
Base: prebuild.Base{
|
||||
Keyword: "attach",
|
||||
Msg: "Re-attach disconnect path",
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
// Apply will re-attach the disconnected path
|
||||
// - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag
|
||||
// - Add the attached/base abstraction in the profile
|
||||
// - For compatibility, non disconnected profile will have the @{att} variable set to /
|
||||
func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
|
||||
var insert string
|
||||
var origin = "profile " + opt.Name
|
||||
|
||||
if strings.Contains(profile, "attach_disconnected") {
|
||||
insert = "@{att} = /att/" + opt.Name + "/\n"
|
||||
profile = strings.Replace(profile,
|
||||
"attach_disconnected",
|
||||
"attach_disconnected,attach_disconnected.path=@{att}", -1,
|
||||
)
|
||||
|
||||
old := "include if exists <local/" + opt.Name + ">"
|
||||
new := "include <abstractions/attached/base>\n " + old
|
||||
profile = strings.Replace(profile, old, new, 1)
|
||||
|
||||
for _, match := range regProfile.FindAllStringSubmatch(profile, -1) {
|
||||
name := match[1]
|
||||
if name == opt.Name {
|
||||
continue
|
||||
}
|
||||
old = "include if exists <local/" + opt.Name + "_" + name + ">"
|
||||
new = "include <abstractions/attached/base>\n " + old
|
||||
profile = strings.Replace(profile, old, new, 1)
|
||||
}
|
||||
|
||||
} else {
|
||||
insert = "@{att} = /\n"
|
||||
}
|
||||
|
||||
return strings.Replace(profile, origin, insert+origin, 1), nil
|
||||
}
|
|
@ -88,8 +88,13 @@ func Prebuild() {
|
|||
if abi != nilABI {
|
||||
prebuild.ABI = abi
|
||||
}
|
||||
if prebuild.ABI == 3 {
|
||||
switch prebuild.ABI {
|
||||
case 3:
|
||||
builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0
|
||||
case 4:
|
||||
// builder.Register("attach") // Re-attach disconnect path
|
||||
default:
|
||||
logging.Fatal("Invalid ABI version: %d", prebuild.ABI)
|
||||
}
|
||||
|
||||
if file != "" {
|
||||
|
|
Loading…
Reference in a new issue