mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-30 06:45:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

feat(aa-log): add a new constructors for aa rules.

Browse source
This commit is contained in:
Alexandre Pujol 2023-08-17 23:05:07 +01:00
parent a8470dfa38
commit 4f40cb6d78
Failed to generate hash of commit
2 changed files with 146 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

108
pkg/aa/rules.go
View file

@ -4,6 +4,10 @@
package aa package aa
import (
"golang.org/x/exp/slices"
)
// Preamble section of a profile // Preamble section of a profile
type Preamble struct { type Preamble struct {
Abi []Abi Abi []Abi
@ -200,3 +204,107 @@ type File struct {
Target string Target string
} }
// Rules constructors from logs
func NewQualifier(owner, noNewPrivs, fileInherit bool) Qualifier {
return Qualifier{
Audit: false,
AccessType: "",
Owner: owner,
NoNewPrivs: noNewPrivs,
FileInherit: fileInherit,
}
}
func NewCapability(log map[string]string, noNewPrivs, fileInherit bool) Capability {
return Capability{
Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
Name: log["capname"],
}
}
func NewNetwork(log map[string]string, noNewPrivs, fileInherit bool) Network {
return Network{
Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
AddressExpr: AddressExpr{
Source: log["laddr"],
Destination: log["faddr"],
Port: log["lport"],
},
Domain: log["family"],
Type: log["sock_type"],
Protocol: log["protocol"],
}
}
func NewFile(log map[string]string, noNewPrivs, fileInherit bool) File {
owner := false
if log["fsuid"] == log["ouid"] && log["OUID"] != "root" {
owner = true
}
return File{
Qualifier: NewQualifier(owner, noNewPrivs, fileInherit),
Path: log["name"],
Access: maskToAccess[log["requested_mask"]],
Target: log["target"],
}
}
func NewSignal(log map[string]string, noNewPrivs, fileInherit bool) Signal {
return Signal{
Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
Access: maskToAccess[log["requested_mask"]],
Set: log["signal"],
Peer: log["peer"],
}
}
func NewPtrace(log map[string]string, noNewPrivs, fileInherit bool) Ptrace {
return Ptrace{
Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
Access: maskToAccess[log["requested_mask"]],
Peer: log["peer"],
}
}
func NewUnix(log map[string]string, noNewPrivs, fileInherit bool) Unix {
return Unix{
Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
Access: maskToAccess[log["requested_mask"]],
Type: log["sock_type"],
Protocol: log["protocol"],
Address: log["addr"],
Label: log["peer_label"],
Attr: log["attr"],
Opt: log["opt"],
Peer: log["peer"],
PeerAddr: log["peer_addr"],
}
}
func NewMount(log map[string]string, noNewPrivs, fileInherit bool) Mount {
return Mount{
Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
MountConditions: MountConditions{
Fs: "",
Op: "",
FsType: log["fstype"],
Options: []string{},
},
Source: log["srcname"],
MountPoint: log["name"],
}
}
func NewDbus(log map[string]string, noNewPrivs, fileInherit bool) Dbus {
return Dbus{
Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
Access: log["mask"],
Bus: log["bus"],
Name: log["name"],
Path: log["path"],
Interface: log["interface"],
Member: log["member"],
Label: log["peer_label"],
}
}

38
pkg/aa/template.go Normal file
View file

@ -0,0 +1,38 @@
// apparmor.d - Full set of apparmor profiles
// Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
// SPDX-License-Identifier: GPL-2.0-only
package aa
import (
_ "embed"
"strings"
)
// TODO: Should be a map of slice, not exhausive yet
var maskToAccess = map[string]string{
"a": "w",
"c": "w",
"d": "w",
"k": "rk",
"l": "l",
"m": "rm",
"r": "r",
"ra": "rw",
"read write": "read write",
"read": "read",
"readby": "readby",
"receive": "receive",
"rm": "rm",
"rw": "rw",
"send receive": "send receive",
"send": "send",
"w": "w",
"wc": "w",
"wr": "rw",
"wrc": "rw",
"wrd": "rw",
"write": "write",
"x": "rix",
}