From 81f0163086e9a8b0c0015318e383d68df6bebf4b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 5 May 2024 14:19:25 +0100 Subject: [PATCH] feat(aa): cleanup, fix import and add some unit tests. --- pkg/aa/base.go | 4 +++- pkg/aa/capability.go | 3 +++ pkg/aa/dbus.go | 4 ++++ pkg/aa/file.go | 11 ++++++++++ pkg/aa/io_uring.go | 2 ++ pkg/aa/mqueue.go | 1 + pkg/aa/network.go | 2 ++ pkg/aa/profile.go | 2 +- pkg/aa/profile_test.go | 50 ++++++++++++++++++++++++++++++++++++++++++ pkg/aa/ptrace.go | 2 ++ pkg/aa/signal.go | 1 + pkg/aa/template.go | 7 +++--- pkg/aa/unix.go | 2 ++ 13 files changed, 86 insertions(+), 5 deletions(-) diff --git a/pkg/aa/base.go b/pkg/aa/base.go index ed12a1d7..7b2bb127 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -4,7 +4,9 @@ package aa -import "strings" +import ( + "strings" +) type RuleBase struct { IsLineRule bool diff --git a/pkg/aa/capability.go b/pkg/aa/capability.go index f458350a..46450e45 100644 --- a/pkg/aa/capability.go +++ b/pkg/aa/capability.go @@ -4,6 +4,9 @@ package aa +import ( + "slices" +) const tokCAPABILITY = "capability" diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go index aa88266c..ea88e538 100644 --- a/pkg/aa/dbus.go +++ b/pkg/aa/dbus.go @@ -4,6 +4,10 @@ package aa +import ( + "slices" +) + const tokDBUS = "dbus" type Dbus struct { diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 8aabd577..4facc57a 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -4,6 +4,17 @@ package aa +import ( + "slices" + "strings" +) + +const ( + tokLINK = "link" + tokOWNER = "owner" +) + + type File struct { RuleBase Qualifier diff --git a/pkg/aa/io_uring.go b/pkg/aa/io_uring.go index 4f76354c..9ad2829a 100644 --- a/pkg/aa/io_uring.go +++ b/pkg/aa/io_uring.go @@ -4,6 +4,8 @@ package aa +import "slices" + const tokIOURING = "io_uring" diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go index 92a2252c..e00aedb7 100644 --- a/pkg/aa/mqueue.go +++ b/pkg/aa/mqueue.go @@ -5,6 +5,7 @@ package aa import ( + "slices" "strings" ) 
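Review bot: The import blocks added across these files are not laid out consistently, and two of them are not gofmt-clean: in file.go the hunk leaves two consecutive blank lines between the new `const (...)` block and `type File struct {` (gofmt collapses runs of blank lines to one), while in capability.go and signal.go the import is followed directly by `const tokCAPABILITY` / `const tokSIGNAL` with no blank line at all, unlike dbus.go, io_uring.go, network.go, ptrace.go and unix.go, which keep one. base.go, capability.go and dbus.go also wrap a single import in parentheses where the other files write `import "slices"` on one line; either form is fine, but one form across the package reads better. No use of `slices` is visible in any of these hunks, so the imports presumably back calls made elsewhere in each file; a goimports pass over the package would settle both the layout and flag any file where the import is unused.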
diff --git a/pkg/aa/network.go b/pkg/aa/network.go index 36ef3ac0..f8a286e3 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -4,6 +4,8 @@ package aa +import "slices" + const tokNETWORK = "network" diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 956a7922..8ad9e2a1 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -131,7 +131,7 @@ func (p *Profile) Format() { if letterI != letterJ { // Add a new empty line between Files rule of different type hasOwnerRule = false - p.Rules = append(p.Rules[:i], append([]Rule{&RuleBase{}}, p.Rules[i:]...)...) + p.Rules = append(p.Rules[:i], append(Rules{nil}, p.Rules[i:]...)...) } } } diff --git a/pkg/aa/profile_test.go b/pkg/aa/profile_test.go index 26ea6316..c2edd52c 100644 --- a/pkg/aa/profile_test.go +++ b/pkg/aa/profile_test.go 
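Review bot: Replacing the `&RuleBase{}` spacer with `nil` in `p.Rules = append(p.Rules[:i], append(Rules{nil}, p.Rules[i:]...)...)` puts a nil interface value into p.Rules, so any later pass that calls a method on every rule (sorting comparators, equality checks, template rendering) panics with a nil dereference unless it explicitly skips nil entries; no such guard is visible in this hunk, and Format's body starts and ends outside it. If the rest of the pipeline does treat a nil Rule as "emit an empty line", that contract belongs on the type, e.g. `// A nil Rule inside Rules marks an empty separator line; every consumer must skip it.` on the Rules declaration, so the next reader does not "fix" it back. Until that is documented and checked, the previous `&RuleBase{}` placeholder was the safer value.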
@@ -82,3 +82,53 @@ func TestProfile_AddRule(t *testing.T) { }) } } + +func TestProfile_GetAttachments(t *testing.T) { + tests := []struct { + name string + Attachments []string + want string + }{ + { + name: "firefox", + Attachments: []string{ + "/{usr/,}bin/firefox{,-esr,-bin}", + "/{usr/,}lib{,32,64}/firefox{,-esr,-bin}/firefox{,-esr,-bin}", + "/opt/firefox{,-esr,-bin}/firefox{,-esr,-bin}", + }, + want: "/{{usr/,}bin/firefox{,-esr,-bin},{usr/,}lib{,32,64}/firefox{,-esr,-bin}/firefox{,-esr,-bin},opt/firefox{,-esr,-bin}/firefox{,-esr,-bin}}", + }, + { + name: "geoclue", + Attachments: []string{ + "/{usr/,}libexec/geoclue", + "/{usr/,}libexec/geoclue-2.0/demos/agent", + }, + want: "/{{usr/,}libexec/geoclue,{usr/,}libexec/geoclue-2.0/demos/agent}", + }, + { + name: "null", + Attachments: []string{}, + want: "", + }, + { + name: "empty", + Attachments: []string{""}, + want: "", + }, + { + name: "not valid aare", + Attachments: []string{"/file", "relative"}, + want: "/{file,relative}", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := &Profile{} + p.Attachments = tt.Attachments + if got := p.GetAttachments(); got != tt.want { + t.Errorf("Profile.GetAttachments() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/pkg/aa/ptrace.go b/pkg/aa/ptrace.go index 5a014bc7..a8ac55fc 100644 --- a/pkg/aa/ptrace.go +++ b/pkg/aa/ptrace.go @@ -4,6 +4,8 @@ package aa +import "slices" + const tokPTRACE = "ptrace" type Ptrace struct { diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go index 9a6da935..7daaa9a8 100644 --- a/pkg/aa/signal.go +++ b/pkg/aa/signal.go @@ -4,6 +4,7 @@ package aa +import "slices" const tokSIGNAL = "signal" diff --git a/pkg/aa/template.go b/pkg/aa/template.go index 4f433c09..c0b74148 100644 --- a/pkg/aa/template.go +++ b/pkg/aa/template.go 
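Review bot: The `not valid aare` case asserts that a relative attachment `"relative"` is folded into `/{file,relative}`, i.e. it pins lenient behaviour rather than an error, but nothing in the test says that is intentional; a comment such as `// relative attachments are not rejected: they are emitted unchanged inside the brace group` on that case would stop a future reader from "fixing" it in either direction. The `empty` case (one empty attachment) and the `null` case (no attachments) both expect `""`; a one-line comment that both are meant to collapse to no attachment would make that pairing explicit. The failure message prints strings with `%v`; `t.Errorf("Profile.GetAttachments() = %q, want %q", got, tt.want)` shows empty results and embedded braces unambiguously. `p := &Profile{}` followed by `p.Attachments = tt.Attachments` can simply be `p := &Profile{Attachments: tt.Attachments}`.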
@@ -40,7 +40,7 @@ var ( tokINCLUDE, tokRLIMIT, tokCAPABILITY, tokNETWORK, tokMOUNT, tokPIVOTROOT, tokCHANGEPROFILE, tokSIGNAL, tokPTRACE, tokUNIX, tokUSERNS, tokIOURING, - tokDBUS, "file", + tokDBUS, "file", "variable", }) // convert apparmor requested mask to apparmor access mode @@ -73,7 +73,7 @@ var ( "profile", "include_if_exists", } - ruleWeights = map[string]int{} + ruleWeights = make(map[string]int, len(ruleAlphabet)) // The order the apparmor file rules should be sorted fileAlphabet = []string{ @@ -98,8 +98,9 @@ var ( "@{PROC}", // 10. Proc files "/dev", // 11. Dev files "deny", // 12. Deny rules + "profile", // 13. Subprofiles } - fileWeights = map[string]int{} + fileWeights = make(map[string]int, len(fileAlphabet)) ) func generateTemplates(names []string) map[string]*template.Template { diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go index 3c53dc84..f5915f01 100644 --- a/pkg/aa/unix.go +++ b/pkg/aa/unix.go @@ -4,6 +4,8 @@ package aa +import "slices" + const tokUNIX = "unix" type Unix struct {
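Review bot: The additions to ruleAlphabet (`"variable"`) and fileAlphabet (`"profile", // 13. Subprofiles`) change the order that Format produces, but the only new test in this commit covers GetAttachments, so an ordering regression here would go unnoticed; a test that formats a profile containing a subprofile and a variable rule and checks the rendered order would pin it. In the ruleAlphabet hunk the new entry is a bare string literal next to tok* constants, as `"file"` already was; file.go in this same commit introduces `tokLINK`/`tokOWNER` for similar keys, so the same treatment would keep the alphabet consistent (no such constant is visible on this page, so the name is left to the author). The `make(map[string]int, len(ruleAlphabet))` / `make(map[string]int, len(fileAlphabet))` presizing relies on package-level initialization ordering the alphabets before the weights, which Go does by dependency analysis, but the maps are left empty here, so a short comment on each saying where it is populated would help. The enclosing `var (` block starts before the first hunk and closes at the `)` in the last one.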