mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(aa-log): rewrite the profile template.

Browse source
This commit is contained in:
Alexandre Pujol 2023-09-25 00:15:51 +01:00
parent 422418e0e2
commit 88f275ef43
Failed to generate hash of commit
2 changed files with 210 additions and 251 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
pkg/aa/template.go
View file

@ -6,32 +6,33 @@ package aa
import ( import (
_ "embed" _ "embed"
"reflect"
"strings"
"text/template" "text/template"
) )
// Default indentation for apparmor profile (2 spaces)
const indentation = " " const indentation = " "
var (
//go:embed template.j2 //go:embed template.j2
var tmplFileAppArmorProfile string tmplFileAppArmorProfile string
var tmplFunctionMap = template.FuncMap{ // tmplFunctionMap is the list of function available in the template
tmplFunctionMap = template.FuncMap{
"typeof": typeOf,
"join": join,
"indent": indent, "indent": indent,
"overindent": indentDbus, "overindent": indentDbus,
} }
var tmplAppArmorProfile = template.Must(template.New("profile"). // The apparmor profile template
tmplAppArmorProfile = template.Must(template.New("profile").
Funcs(tmplFunctionMap).Parse(tmplFileAppArmorProfile)) Funcs(tmplFunctionMap).Parse(tmplFileAppArmorProfile))
func indent(s string) string { // convert apparmor requested mask to apparmor access mode
return indentation + s
}
func indentDbus(s string) string {
return indentation + " " + s
}
// TODO: Should be a map of slice, not exhausive yet // TODO: Should be a map of slice, not exhausive yet
var maskToAccess = map[string]string{ maskToAccess = map[string]string{
"a": "w", "a": "w",
"c": "w", "c": "w",
"d": "w", "d": "w",
@ -50,6 +51,8 @@ var maskToAccess = map[string]string{
"send": "send", "send": "send",
"w": "w", "w": "w",
"wc": "w", "wc": "w",
"wd": "w",
"wk": "wk",
"wr": "rw", "wr": "rw",
"wrc": "rw", "wrc": "rw",
"wrd": "rw", "wrd": "rw",
@ -57,3 +60,32 @@ var maskToAccess = map[string]string{
"x": "rix", "x": "rix",
} }
)
func join(i any) string {
switch reflect.TypeOf(i).Kind() {
case reflect.Slice:
return strings.Join(i.([]string), " ")
case reflect.Map:
res := []string{}
for k, v := range i.(map[string]string) {
res = append(res, k+"="+v)
}
return strings.Join(res, " ")
default:
return i.(string)
}
}
func typeOf(i any) string {
return strings.TrimPrefix(reflect.TypeOf(i).String(), "*aa.")
}
func indent(s string) string {
return indentation + s
}
func indentDbus(s string) string {
return indentation + " " + s
}

331
pkg/aa/template.j2
View file

@ -2,307 +2,234 @@
{{- /* Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io> */ -}} {{- /* Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- if .Abi -}}
{{- range .Abi -}} {{- range .Abi -}}
{{- if .IsMagic -}} {{- if .IsMagic -}}
abi <{{ .Path }}>,{{ "\n" }} {{ "abi <" }}{{ .Path }}{{ ">,\n" }}
{{- else -}} {{- else -}}
abi "{{ .Path }}",{{ "\n" }} {{ "abi \"" }}{{ .Path }}{{ "\",\n" }}
{{- end -}} {{- end }}
{{- end -}} {{ end -}}
{{ "\n" }}
{{- end -}}
{{- if .Aliases -}}
{{- range .Aliases -}} {{- range .Aliases -}}
alias {{ .Path }} -> {{ .RewrittenPath }},{{ "\n" }} {{ "alias " }}{{ .Path }}{{ " -> " }}{{ .RewrittenPath }}{{ ",\n" }}
{{- end -}} {{ end -}}
{{ "\n" }}
{{- end -}}
{{- if .PreambleIncludes -}} {{- range .Includes -}}
{{- range .PreambleIncludes -}}
{{- "include " -}} {{- "include " -}}
{{- if .IfExists -}} {{- if .IfExists -}}
{{- "if exists " -}} {{- "if exists " -}}
{{- end -}} {{- end -}}
{{- if .IsMagic -}} {{- if .IsMagic -}}
<{{ .Path }}>{{ "\n" }} {{ "<" }}{{ .Path }}{{ ">,\n" }}
{{- else -}} {{- else -}}
"{{ .Path }}"{{ "\n" }} {{ "\"" }}{{ .Path }}{{ "\",\n" }}
{{- end -}} {{- end }}
{{- end -}} {{ end -}}
{{ "\n" }}
{{- end -}}
{{- if .Preamble.Variables -}} {{- range .Variables -}}
{{- range .Preamble.Variables -}}
{{ "@{" }}{{ .Name }}{{ "} = " }} {{ "@{" }}{{ .Name }}{{ "} = " }}
{{- range .Values -}} {{- range .Values -}}
{{ . }}{{ " " }} {{ . }}{{ " " }}
{{- end -}} {{- end }}
{{ "\n" }} {{ end -}}
{{- end -}}
{{- end -}}
profile {{ .Name }}{{ " " }} {{- "profile " -}}
{{- range .Attachments -}} {{- with .Name -}}
{{ . }}{{ " " }} {{ . }}{{ " " }}
{{- end -}} {{- end -}}
{{- if .Attributes -}} {{- with .Attachments -}}
{{- "xattrs=(" -}} {{ join . }}{{ " " }}
{{- range .Attributes -}}
{{ . }}{{ " " }}
{{- end -}} {{- end -}}
{{ ") " }} {{- with .Attributes -}}
{{ "xattrs=(" }}{{ join . }}{{ ") " }}
{{- end -}} {{- end -}}
{{- if .Flags -}} {{- with .Flags -}}
{{- "flags=(" -}} {{ "flags=(" }}{{ join . }}{{ ") " }}
{{- range .Flags -}}
{{ . }}{{ " " }}
{{- end -}}
{{ ") " }}
{{- end -}} {{- end -}}
{{ "{\n" }} {{ "{\n" }}
{{- if .Includes -}} {{- $oldtype := "" -}}
{{- range .Includes -}} {{- range .Rules -}}
{{- if not .IfExists -}} {{- $type := typeof . -}}
{{- "include " | indent -}} {{- if and (ne $type $oldtype) (ne $oldtype "") -}}
{{- if .AbsPath -}} {{- "\n" -}}
"{{ . }}"{{ "\n" }} {{- end -}}
{{- indent "" -}}
{{- if eq $type "Include" -}}
{{- "include " -}}
{{- if .IfExists -}}
{{ "if exists " }}
{{- end -}}
{{- if .IsMagic -}}
{{ "<" }}{{ .Path }}{{ ">" }}
{{- else -}} {{- else -}}
<{{ .MagicPath }}>{{ "\n" }} {{ "\"" }}{{ .Path }}{{ "\"" }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}}
{{ "\n" }}
{{- end -}}
{{- if .Rlimit -}} {{- if eq $type "Rlimit" -}}
{{- range .Rlimit -}} {{ "set rlimit " }}{{ .Key }} {{ .Op }} {{ .Value }}{{ "," }}
{{ "set rlimit" | indent }} {{ .Key }} {{ .Op }} {{ .Value }},{{ "\n" }}
{{- end -}}
{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Capability -}} {{- if eq $type "Capability" -}}
{{- range .Capability -}} {{ "capability " }}{{ .Name }}{{ "," }}
{{ "capability" | indent }} {{ .Name }},{{ "\n" }}
{{- end -}}
{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Network -}} {{- if eq $type "Network" -}}
{{- range .Network -}}
{{- if eq .AccessType "deny" -}} {{- if eq .AccessType "deny" -}}
{{ "deny network " | indent }} {{ "deny " }}
{{- end -}}
{{ "network " }}
{{- with .Domain -}}
{{ . }}{{ " " }}
{{- end -}}
{{- with .Type -}}
{{ . }}
{{- else -}} {{- else -}}
{{ "network " | indent }} {{- with .Protocol -}}
{{- end -}} {{ . }}
{{- if .Domain -}}
{{ .Domain }}{{ " " }}
{{- end -}}
{{- if .Type -}}
{{ .Type }}{{ " " }}
{{- else -}}
{{ if .Protocol -}}
{{ .Protocol }}{{ " " }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- if .Destination -}} {{- "," -}}
{{ "dst=" }}{{ .Destination }}
{{- end -}}
,{{ "\n" }}
{{- end -}}
{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Mount -}} {{- if eq $type "Mount" -}}
{{- range .Mount -}} {{- "mount " -}}
{{- "mount " | indent -}} {{- with .FsType -}}
{{- if .FsType -}} {{ "fstype=" }}{{ . }}{{ " " }}
fstype={{ .FsType }}{{ " " }}
{{- end -}} {{- end -}}
{{- if .Options -}} {{- with .Options -}}
{{- "options=(" -}} {{ "options=(" }}{{ join . }}{{ ") " }}
{{- range .Options -}} {{- end -}}
{{- with .Source -}}
{{ . }}{{ " " }} {{ . }}{{ " " }}
{{- end -}} {{- end -}}
{{ ") " }} {{- with .MountPoint -}}
{{ "-> " }}{{ . }}
{{- end -}} {{- end -}}
{{- if .Source -}} {{- "," -}}
{{ .Source }}{{ " " }}
{{- end -}}
{{- if .MountPoint -}}
{{ "-> " }}{{ .MountPoint }}
{{- end -}}
,{{ "\n" }}
{{- end -}}
{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Umount -}} {{- if eq $type "Umount" -}}
{{- range .Umount -}} {{- "umount " -}}
{{- "umount " | indent -}} {{- with .FsType -}}
{{- if .FsType -}} {{ "fstype=" }}{{ . }}{{ " " }}
fstype={{ .FsType }}{{ " " }}
{{- end -}} {{- end -}}
{{- if .Options -}} {{- with .Options -}}
{{- "options=(" -}} {{ "options=(" }}{{ join . }}{{ ") " }}
{{- range .Options -}}
{{ . }}{{ " " }}
{{- end -}} {{- end -}}
{{ ") " }} {{- with .MountPoint -}}
{{ . }}
{{- end -}} {{- end -}}
{{- if .MountPoint -}} {{- "," -}}
{{ .MountPoint }}
{{- end -}}
,{{ "\n" }}
{{- end -}}
{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Remount -}} {{- if eq $type "Remount" -}}
{{- range .Remount -}} {{- "remount " -}}
{{- "remount " | indent -}} {{- with .FsType -}}
{{- if .FsType -}} {{ "fstype=" }}{{ . }}{{ " " }}
fstype={{ .FsType }}{{ " " }}
{{- end -}} {{- end -}}
{{- if .Options -}} {{- with .Options -}}
{{- "options=(" -}} {{ "options=(" }}{{ join . }}{{ ") " }}
{{- range .Options -}}
{{ . }}{{ " " }}
{{- end -}} {{- end -}}
{{ ") " }} {{- with .Remount -}}
{{ . }}
{{- end -}} {{- end -}}
{{- if .Remount -}} {{- "," -}}
{{ .Remount }}
{{- end -}}
,{{ "\n" }}
{{- end -}}
{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Unix -}} {{- if eq $type "Unix" -}}
{{- range .Unix -}} {{- "unix " -}}
{{- "unix " | indent -}} {{- with .Access -}}
{{- if .Access -}} {{ "(" }}{{ . }}{{ ") " }}
({{ .Access }}){{ " " }}
{{- end -}} {{- end -}}
{{- if .Type -}} {{- with .Type -}}
type={{ .Type }}{{ " " }} {{ "type=" }}{{ . }}{{ " " }}
{{- end -}} {{- end -}}
{{- if .Address -}} {{- with .Address -}}
addr={{ .Address }}{{ " " }} {{ "addr=" }}{{ . }}{{ " " }}
{{- end -}} {{- end -}}
{{- if .Peer -}} {{- if .Peer -}}
{{ "peer=(label=" }}{{ .Peer }} {{ "peer=(label=" }}{{ .Peer }}
{{- if .PeerAddr -}} {{- with .PeerAddr -}}
, addr={{ .PeerAddr }} {{ ", addr="}}{{ . }}
{{- end -}} {{- end -}}
{{- ")" -}} {{- ")" -}}
{{- end -}} {{- end -}}
,{{ "\n" }} {{- "," -}}
{{- end -}}
{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Ptrace -}} {{- if eq $type "Ptrace" -}}
{{- range .Ptrace -}} {{- "ptrace " -}}
{{- "ptrace " | indent -}} {{- with .Access -}}
{{- if .Access -}} {{ "(" }}{{ . }}{{ ") " }}
({{ .Access }}){{ " " }}
{{- end -}} {{- end -}}
{{- if .Peer -}} {{- with .Peer -}}
peer={{ .Peer }} {{ "peer=" }}{{ . }}
{{- end -}} {{- end -}}
,{{ "\n" }} {{- "," -}}
{{- end -}}
{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Signal -}} {{- if eq $type "Signal" -}}
{{- range .Signal -}} {{- "signal " -}}
{{- "signal " | indent -}} {{- with .Access -}}
{{- if .Access -}} {{ "(" }}{{ . }}{{ ") " }}
({{ .Access }}){{ " " }}
{{- end -}} {{- end -}}
{{- if .Set -}} {{- with .Set -}}
set=({{ .Set }}){{ " " }} {{ "set=(" }}{{ . }}{{ ") " }}
{{- end -}} {{- end -}}
{{- if .Peer -}} {{- with .Peer -}}
peer={{ .Peer }} {{ "peer=" }}{{ . }}
{{- end -}} {{- end -}}
,{{ "\n" }} {{- "," -}}
{{- end -}}
{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Dbus -}} {{- if eq $type "Dbus" -}}
{{- range .Dbus -}} {{- "dbus " -}}
{{- "dbus " | indent -}}
{{- if eq .Access "bind" -}} {{- if eq .Access "bind" -}}
bind bus={{ .Bus }} name={{ .Name }} bind bus={{ .Bus }} name={{ .Name }}
{{- else -}} {{- else -}}
{{ .Access }} bus={{ .Bus }} path={{ .Path }}{{ "\n" }} {{ .Access }} bus={{ .Bus }} path={{ .Path }}{{ "\n" }}
{{- if .Interface -}} {{- with .Interface -}}
{{ "interface=" | overindent }}{{ .Interface }}{{ "\n" }} {{ overindent "interface=" }}{{ . }}{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Member -}} {{- with .Member -}}
{{ "member=" | overindent }}{{ .Member }}{{ " " }}{{ "\n" }} {{ overindent "member=" }}{{ . }}{{ " " }}{{ "\n" }}
{{- end -}} {{- end -}}
{{- if and .Name .Label -}} {{- if and .Name .Label -}}
{{- "peer=" | overindent -}} {{ overindent "peer=(name=" }}{{ .Name }}{{ ", label="}}{{ .Label }}{{ ")" }}
(name={{ .Name }}, label={{ .Label }})
{{- else -}} {{- else -}}
{{- if .Name }} {{- with .Name -}}
{{- "peer=" | overindent -}} {{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
(name={{ .Name }})
{{- end -}} {{- end -}}
{{- if .Label -}} {{- with .Label -}}
{{- "peer=" | overindent -}} {{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
(label={{ .Label }})
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
,{{ "\n\n" }} {{- "," -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- if .File -}} {{- if eq $type "File" -}}
{{- range .File -}}
{{- indent "" -}}
{{- if .Owner -}} {{- if .Owner -}}
{{- "owner " -}} {{- "owner " -}}
{{- end -}} {{- end -}}
{{ .Path }} {{ .Access }} {{ .Path }}{{ " " }}{{ .Access }}
{{- if .Target -}} {{- with .Target -}}
{{ " ->" }} {{ .Target }} {{ " -> " }}{{ . }}
{{- end -}} {{- end -}}
, {{- "," -}}
{{- if .FileInherit -}} {{- if .FileInherit -}}
{{- " # file_inherit" -}} {{- " # file_inherit" -}}
{{- end -}} {{- end -}}
{{- if .NoNewPrivs -}} {{- if .NoNewPrivs -}}
{{- " # no new privs" -}} {{- " # no new privs" -}}
{{- end -}} {{- end -}}
{{ "\n" }}
{{- end -}}
{{ "\n" }}
{{- end -}} {{- end -}}
{{- if .Includes -}} {{- "\n" -}}
{{- range .Includes -}} {{- $oldtype = $type -}}
{{- if .IfExists -}}
{{ "include if exists " | indent }}
{{- if .IsMagic -}}
<{{ .Path }}>{{ "\n" }}
{{- else -}}
"{{ .Path }}"{{ "\n" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- "}\n" -}} {{- "}\n" -}}