build: exex directive: add support for transition.
This commit is contained in:
parent
a5f71675ea
commit
73fe7a7475
2 changed files with 38 additions and 10 deletions
|
@ -18,7 +18,7 @@ func init() {
|
||||||
Directives["exec"] = &Exec{
|
Directives["exec"] = &Exec{
|
||||||
DirectiveBase: DirectiveBase{
|
DirectiveBase: DirectiveBase{
|
||||||
message: "Exec directive applied",
|
message: "Exec directive applied",
|
||||||
usage: `#aa:exec [P|U|p|u|i|] profiles_name...`,
|
usage: `#aa:exec [P|U|p|u|PU|pu|] profiles_name...`,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -26,23 +26,37 @@ func init() {
|
||||||
func (d Exec) Apply(opt *Option, profile string) string {
|
func (d Exec) Apply(opt *Option, profile string) string {
|
||||||
res := ""
|
res := ""
|
||||||
transition := "Px"
|
transition := "Px"
|
||||||
|
transitions := []string{"P", "U", "p", "u", "PU", "pu"}
|
||||||
|
for _, t := range transitions {
|
||||||
|
if _, present := opt.Args[t]; present {
|
||||||
|
transition = t + "x"
|
||||||
|
delete(opt.Args, t)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
for name := range opt.Args {
|
for name := range opt.Args {
|
||||||
tmp, err := rootApparmord.Join(name).ReadFile()
|
content, err := rootApparmord.Join(name).ReadFile()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
profiletoTransition := string(tmp)
|
profiletoTransition := string(content)
|
||||||
|
|
||||||
p := aa.DefaultTunables()
|
p := &aa.AppArmorProfile{}
|
||||||
p.ParseVariables(profiletoTransition)
|
dstProfile := aa.DefaultTunables()
|
||||||
for _, variable := range p.Variables {
|
dstProfile.ParseVariables(profiletoTransition)
|
||||||
|
for _, variable := range dstProfile.Variables {
|
||||||
if variable.Name == "exec_path" {
|
if variable.Name == "exec_path" {
|
||||||
for _, value := range variable.Values {
|
for _, v := range variable.Values {
|
||||||
res += " " + value + " " + transition + ",\n"
|
p.Rules = append(p.Rules, &aa.File{
|
||||||
|
Path: v,
|
||||||
|
Access: transition,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
res += p.String()
|
||||||
}
|
}
|
||||||
profile = strings.Replace(profile, opt.Raw, res, -1)
|
return strings.Replace(profile, opt.Raw, res, -1)
|
||||||
}
|
|
||||||
return profile
|
|
||||||
}
|
}
|
||||||
|
|
|
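Review bot: The flag scan at the top of Apply breaks on the first transition token it finds, so a directive carrying two of them (say `#aa:exec P U foo`) leaves the second in opt.Args, where the loop below treats it as a profile name and panics out of ReadFile with a path error instead of a usage error; which token wins is also decided by the order of the `transitions` slice rather than by the directive text. Scanning every token and rejecting a second one gives a clear failure and removes the order dependence, as sketched below. Two smaller points: `delete(opt.Args, t)` mutates the caller's Option in place, which deserves a comment such as `// consumes the transition token from opt.Args` if that is intended, and, as before this change, ranging over the opt.Args map makes the order of the generated rule groups nondeterministic when more than one profile name is given. Since `U`, `PU` and `pu` yield `Ux`/`PUx`/`pux`, i.e. transitions to unconfined, a doc comment on Exec saying so would help whoever reviews profiles that use the directive.
```go
	transition := "Px"
	transitions := []string{"P", "U", "p", "u", "PU", "pu"}
	found := false
	for _, t := range transitions {
		if _, present := opt.Args[t]; !present {
			continue
		}
		if found {
			panic(opt.Raw + ": only one transition mode may be given")
		}
		found = true
		transition = t + "x"
		delete(opt.Args, t)
	}
	// … unchanged: per-profile loop and strings.Replace …
```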
@ -30,6 +30,20 @@ func TestExec_Apply(t *testing.T) {
|
||||||
profile: ` #aa:exec DiscoverNotifier`,
|
profile: ` #aa:exec DiscoverNotifier`,
|
||||||
want: ` @{lib}/DiscoverNotifier Px,
|
want: ` @{lib}/DiscoverNotifier Px,
|
||||||
@{lib}/@{multiarch}/{,libexec/}DiscoverNotifier Px,
|
@{lib}/@{multiarch}/{,libexec/}DiscoverNotifier Px,
|
||||||
|
`,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "exec-unconfined",
|
||||||
|
rootApparmord: paths.New("../../../apparmor.d/groups/freedesktop/"),
|
||||||
|
opt: &Option{
|
||||||
|
Name: "exec",
|
||||||
|
Args: map[string]string{"U": "", "polkit-agent-helper": ""},
|
||||||
|
File: nil,
|
||||||
|
Raw: " #aa:exec U polkit-agent-helper",
|
||||||
|
},
|
||||||
|
profile: ` #aa:exec U polkit-agent-helper`,
|
||||||
|
want: ` @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] Ux,
|
||||||
|
@{lib}/polkit-agent-helper-[0-9] Ux,
|
||||||
`,
|
`,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
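Review bot: The new table entry exercises only the `U` token; the compound `PU` and `pu` entries of the new transitions table, which produce `PUx`/`pux` by string concatenation in Apply, have no test. A second case mirroring "exec-unconfined" with Args `{"pu": "", "polkit-agent-helper": ""}`, Raw ` #aa:exec pu polkit-agent-helper` and the same two paths ending in ` pux,` would pin that behaviour. The TestExec_Apply table starts before this hunk.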