From 42ca1be8586783faecc8282947b295440917001d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 20 Jun 2024 23:23:39 +0100
Subject: [PATCH] feat(aa): add the Merge method to the Rule interface.
---
 cmd/aa-log/main.go | 2 +-
 pkg/aa/apparmor.go | 2 +-
 pkg/aa/base.go | 4 ++++
 pkg/aa/file.go | 11 +++++++++++
 pkg/aa/profile.go | 3 ++-
 pkg/aa/rules.go | 21 ++++++---------------
 6 files changed, 25 insertions(+), 18 deletions(-)
diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go
index dde4e2ca..184e6d11 100644
--- a/cmd/aa-log/main.go
+++ b/cmd/aa-log/main.go
@@ -68,7 +68,7 @@ func aaLog(logger string, path string, profile string) error {
 if rules {
 profiles := aaLogs.ParseToProfiles()
 for _, p := range profiles {
- p.Merge()
+ p.Merge(nil)
 p.Sort()
 p.Format()
 fmt.Print(p.String() + "\n\n")
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index afac739b..75c009c8 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -92,7 +92,7 @@ func (f *AppArmorProfileFile) Sort() {
 // Note: logs.regCleanLogs helps a lot to do a first cleaning
 func (f *AppArmorProfileFile) MergeRules() {
 for _, p := range f.Profiles {
- p.Merge()
+ p.Merge(nil)
 }
 }
diff --git a/pkg/aa/base.go b/pkg/aa/base.go
index 37d3873a..a9c86487 100644
--- a/pkg/aa/base.go
+++ b/pkg/aa/base.go
@@ -79,6 +79,10 @@ func newBaseFromLog(log map[string]string) RuleBase {
 }
 }
+func (r RuleBase) Merge(other Rule) bool {
+ return false
+}
+
 type Qualifier struct {
 Audit bool
 AccessType string
diff --git a/pkg/aa/file.go b/pkg/aa/file.go
index 3e27bfbb..7cc6d4dc 100644
--- a/pkg/aa/file.go
+++ b/pkg/aa/file.go
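Review bot: The new exported `RuleBase.Merge` in pkg/aa/base.go has no doc comment. Its constant `false` result is presumably what every rule type falls back to unless it defines its own Merge, but this hunk does not show which types embed RuleBase. A one-line comment would make the contract explicit: `// Merge is the default for rules that cannot be combined: it ignores other and reports false.` Since `other` is never read, writing the parameter as `_ Rule` would say the same thing in the signature.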
@@ -130,6 +130,17 @@ func (r *File) Compare(other Rule) int {
 return r.Qualifier.Compare(o.Qualifier)
 }
+func (r *File) Merge(other Rule) bool {
+ o, _ := other.(*File)
+ if r.Path == o.Path {
+ r.Access = append(r.Access, o.Access...)
+ slices.SortFunc(r.Access, compareFileAccess)
+ r.Access = slices.Compact(r.Access)
+ return true
+ }
+ return false
+}
+
 func (r *File) String() string {
 return renderTemplate(r.Kind(), r)
 }
diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go
index ee2b7a3b..a5ed8a6a 100644
--- a/pkg/aa/profile.go
+++ b/pkg/aa/profile.go
@@ -96,10 +96,11 @@ func (p *Profile) Kind() Kind {
 return PROFILE
 }
-func (p *Profile) Merge() {
+func (p *Profile) Merge(other Rule) bool {
 slices.Sort(p.Flags)
 p.Flags = slices.Compact(p.Flags)
 p.Rules = p.Rules.Merge()
+ return false
 }
 func (p *Profile) Sort() {
diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go
index 675a8a73..d216c758 100644
--- a/pkg/aa/rules.go
+++ b/pkg/aa/rules.go
@@ -39,6 +39,7 @@ func (k Kind) Tok() string {
 type Rule interface {
 Validate() error
 Compare(other Rule) int
+ Merge(other Rule) bool
 String() string
 Constraint() constraint
 Kind() Kind
@@ -156,30 +157,20 @@ func (r Rules) Merge() Rules {
 if r[i] == nil || r[j] == nil {
 continue
 }
- kindOfI := r[i].Kind()
- if kindOfI != r[j].Kind() {
+ if r[i].Kind() != r[j].Kind() {
 continue
 }
 // If rules are identical, merge them. Ignore comments
- if kindOfI != COMMENT && r[i].Compare(r[j]) == 0 {
+ if r[i].Kind() != COMMENT && r[i].Compare(r[j]) == 0 {
 r = r.Delete(j)
 j--
 continue
 }
- // File rule
- if kindOfI == FILE {
- // Merge access
- fileI := r[i].(*File)
- fileJ := r[j].(*File)
- if fileI.Path == fileJ.Path {
- fileI.Access = append(fileI.Access, fileJ.Access...)
- slices.SortFunc(fileI.Access, compareFileAccess)
- fileI.Access = slices.Compact(fileI.Access)
- r = r.Delete(j)
- j--
- }
+ if r[i].Merge(r[j]) {
+ r = r.Delete(j)
+ j--
 }
 }
 }
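Review bot: `File.Merge` in pkg/aa/file.go discards the type-assertion result (`o, _ := other.(*File)`), so a nil or non-`*File` argument leaves `o` nil and `o.Path` panics. The `Kind()` guard in `Rules.Merge` protects that one caller, but Merge is now a method of the exported `Rule` interface. It also merges on `Path` alone, a condition carried over from the old inline code. Two file rules for the same path with different qualifiers (the `Compare` context line shows `File` has a `Qualifier`) get their access sets combined under the receiver's qualifier, which changes what the generated profile allows or denies. Suggested guard, assuming `Qualifier.Compare` returns 0 for equal qualifiers: `o, ok := other.(*File)`, `if !ok || o == nil { return false }`, then `if r.Path == o.Path && r.Qualifier.Compare(o.Qualifier) == 0 {`. This hunk does not show whether other `File` fields should also have to match.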
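Review bot: `Profile.Merge` in pkg/aa/profile.go now accepts `other Rule` but never reads it and always returns false. It satisfies the interface while meaning something different from `File.Merge`: it normalises the profile's own flags and rules rather than absorbing `other`. A doc comment should say so, e.g. `// Merge sorts and compacts p.Flags and merges p.Rules in place; other is ignored and the result is always false.` If a `*Profile` can appear inside a `Rules` slice, `Rules.Merge` would also call this for every same-kind pair and redo the sort and recursive merge each time; that is worth confirming.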