build: add the task to automatically attach disconnected path.

Not yet enabled on build, as the profiles still require some testing.
2024-12-26 06:58:00 +01:00 · 2024-10-12 20:08:21 +01:00 · 2024-10-12 20:08:21 +01:00 · 273485217c
commit 273485217c
parent e90ccd214c
2 changed files with 71 additions and 1 deletions
--- a/pkg/prebuild/builder/attach.go
+++ b/pkg/prebuild/builder/attach.go
@ -0,0 +1,65 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+// SPDX-License-Identifier: GPL-2.0-only
+
+package builder
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/roddhjav/apparmor.d/pkg/prebuild"
+)
+
+var (
+	regProfile = regexp.MustCompile(`profile ([^ ]+)`)
+)
+
+type ReAttach struct {
+	prebuild.Base
+}
+
+func init() {
+	RegisterBuilder(&ReAttach{
+		Base: prebuild.Base{
+			Keyword: "attach",
+			Msg:     "Re-attach disconnect path",
+		},
+	})
+}
+
+// Apply will re-attach the disconnected path
+//   - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag
+//   - Add the attached/base abstraction in the profile
+//   - For compatibility, non disconnected profile will have the @{att} variable set to /
+func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
+	var insert string
+	var origin = "profile " + opt.Name
+
+	if strings.Contains(profile, "attach_disconnected") {
+		insert = "@{att} = /att/" + opt.Name + "/\n"
+		profile = strings.Replace(profile,
+			"attach_disconnected",
+			"attach_disconnected,attach_disconnected.path=@{att}", -1,
+		)
+
+		old := "include if exists <local/" + opt.Name + ">"
+		new := "include <abstractions/attached/base>\n  " + old
+		profile = strings.Replace(profile, old, new, 1)
+
+		for _, match := range regProfile.FindAllStringSubmatch(profile, -1) {
+			name := match[1]
+			if name == opt.Name {
+				continue
+			}
+			old = "include if exists <local/" + opt.Name + "_" + name + ">"
+			new = "include <abstractions/attached/base>\n    " + old
+			profile = strings.Replace(profile, old, new, 1)
+		}
+
+	} else {
+		insert = "@{att} = /\n"
+	}
+
+	return strings.Replace(profile, origin, insert+origin, 1), nil
+}
--- a/pkg/prebuild/cli/cli.go
+++ b/pkg/prebuild/cli/cli.go
@ -88,8 +88,13 @@ func Prebuild() {
 	if abi != nilABI {
 		prebuild.ABI = abi
 	}
-	if prebuild.ABI == 3 {
+	switch prebuild.ABI {
+	case 3:
 		builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0
+	case 4:
+		// builder.Register("attach") // Re-attach disconnect path
+	default:
+		logging.Fatal("Invalid ABI version: %d", prebuild.ABI)
 	}

 	if file != "" {