From 8ef858ad352c2d81990023cd593489ced3b63670 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Apr 2024 18:02:41 +0100 Subject: [PATCH] feat(aa): refractor template to allow multiple templates. --- pkg/aa/apparmor.go | 2 +- pkg/aa/template.go | 31 ++- pkg/aa/templates/{file.j2 => apparmor.j2} | 0 pkg/aa/templates/profile.j2 | 228 ++-------------------- pkg/aa/templates/rule/capability.j2 | 7 + pkg/aa/templates/rule/change_profile.j2 | 19 ++ pkg/aa/templates/{ => rule}/comment.j2 | 4 + pkg/aa/templates/rule/dbus.j2 | 40 ++++ pkg/aa/templates/rule/file.j2 | 21 ++ pkg/aa/templates/{ => rule}/include.j2 | 4 + pkg/aa/templates/rule/mount.j2 | 54 +++++ pkg/aa/templates/rule/mqueue.j2 | 22 +++ pkg/aa/templates/rule/network.j2 | 20 ++ pkg/aa/templates/rule/pivot_root.j2 | 19 ++ pkg/aa/templates/rule/ptrace.j2 | 16 ++ pkg/aa/templates/{ => rule}/qualifier.j2 | 4 + pkg/aa/templates/rule/rlimit.j2 | 7 + pkg/aa/templates/rule/signal.j2 | 19 ++ pkg/aa/templates/rule/unix.j2 | 35 ++++ pkg/aa/templates/rule/userns.j2 | 9 + 20 files changed, 347 insertions(+), 214 deletions(-) rename pkg/aa/templates/{file.j2 => apparmor.j2} (100%) create mode 100644 pkg/aa/templates/rule/capability.j2 create mode 100644 pkg/aa/templates/rule/change_profile.j2 rename pkg/aa/templates/{ => rule}/comment.j2 (69%) create mode 100644 pkg/aa/templates/rule/dbus.j2 create mode 100644 pkg/aa/templates/rule/file.j2 rename pkg/aa/templates/{ => rule}/include.j2 (61%) create mode 100644 pkg/aa/templates/rule/mount.j2 create mode 100644 pkg/aa/templates/rule/mqueue.j2 create mode 100644 pkg/aa/templates/rule/network.j2 create mode 100644 pkg/aa/templates/rule/pivot_root.j2 create mode 100644 pkg/aa/templates/rule/ptrace.j2 rename pkg/aa/templates/{ => rule}/qualifier.j2 (56%) create mode 100644 pkg/aa/templates/rule/rlimit.j2 create mode 100644 pkg/aa/templates/rule/signal.j2 create mode 100644 pkg/aa/templates/rule/unix.j2 create mode 100644 pkg/aa/templates/rule/userns.j2 
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index db0ca8b9..b3a14ccf 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -44,7 +44,7 @@ func NewAppArmorProfile() *AppArmorProfileFile {
 // String returns the formatted representation of a profile as a string
 func (f *AppArmorProfileFile) String() string {
 var res bytes.Buffer
- err := tmplAppArmorProfile.Execute(&res, f)
+ err := tmpl["apparmor"].Execute(&res, f)
 if err != nil {
 return err.Error()
 }
diff --git a/pkg/aa/template.go b/pkg/aa/template.go
index 88235e8c..2a4d0e0a 100644
--- a/pkg/aa/template.go
+++ b/pkg/aa/template.go
@@ -6,6 +6,7 @@ package aa
 import (
 "embed"
+ "fmt"
 "reflect"
 "strings"
 "text/template"
@@ -26,8 +27,10 @@ var (
 "overindent": indentDbus,
 }
- // The apparmor profile template
- tmplAppArmorProfile = generateTemplate()
+ // The apparmor templates
+ tmpl = map[string]*template.Template{
+ "apparmor": generateTemplate("apparmor.j2"),
+ }
 // convert apparmor requested mask to apparmor access mode
 requestedMaskToAccess = map[string]string{
@@ -96,9 +99,27 @@ var (
 fileWeights = map[string]int{}
 )
-func generateTemplate() *template.Template {
- res := template.New("file.j2").Funcs(tmplFunctionMap)
- res = template.Must(res.ParseFS(tmplFiles, "templates/*.j2"))
+func generateTemplate(name string) *template.Template {
+ res := template.New(name).Funcs(tmplFunctionMap)
+ switch name {
+ case "apparmor.j2":
+ res = template.Must(res.ParseFS(tmplFiles,
+ "templates/*.j2", "templates/rule/*.j2",
+ ))
+ case "profile.j2":
+ res = template.Must(res.Parse("{{ template \"profile\" . }}"))
+ res = template.Must(res.ParseFS(tmplFiles,
+ "templates/profile.j2", "templates/rule/*.j2",
+ ))
+ default:
+ res = template.Must(res.Parse(
+ fmt.Sprintf("{{ template \"%s\" . }}", name),
+ ))
+ res = template.Must(res.ParseFS(tmplFiles,
+ fmt.Sprintf("templates/rule/%s.j2", name),
+ "templates/rule/qualifier.j2", "templates/rule/comment.j2",
+ ))
+ }
 return res
 }
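Review bot: The new `tmpl` map is keyed by the bare word `"apparmor"` while generateTemplate selects on the file name `"apparmor.j2"`, so the same template is now named two different ways, and `String()` in apparmor.go indexes the map with no presence check, so a misspelt key becomes a nil `*template.Template` and a panic at render time rather than a compile error. A small accessor or a typed constant for the key, e.g. `const tmplAppArmor = "apparmor"`, used in both the map literal and the lookup, would keep the two in step. A one-line comment on the map stating that every entry is built at package init and that the key is the template's short name would also help.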
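Review bot: In the `default` branch of generateTemplate, `name` is spliced into template source with `fmt.Sprintf("{{ template \"%s\" . }}", name)` and into a ParseFS glob, with every step wrapped in `template.Must`, so a name containing a double quote, `}}` or glob metacharacters becomes a parse panic rather than a returned error. Using `%q` keeps the name a single well-formed Go string literal inside the action: `fmt.Sprintf("{{ template %q . }}", name)`. Because `tmpl` is a package-level var initialised through `generateTemplate("apparmor.j2")`, any failure here aborts package init; that is acceptable for embedded, compile-time files, but the function deserves a doc comment saying so and listing the three name forms it accepts. The `"profile.j2"` case also assumes profile.j2 defines a template literally named `profile`, which the profile.j2 hunks in this patch do not show.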
diff --git a/pkg/aa/templates/file.j2 b/pkg/aa/templates/apparmor.j2
similarity index 100%
rename from pkg/aa/templates/file.j2
rename to pkg/aa/templates/apparmor.j2
diff --git a/pkg/aa/templates/profile.j2 b/pkg/aa/templates/profile.j2
index 1c4cb287..394f18a1 100644
--- a/pkg/aa/templates/profile.j2
+++ b/pkg/aa/templates/profile.j2
@@ -18,13 +18,14 @@
 {{- with .Flags -}}
 {{ " flags=(" }}{{ join . }}{{ ")" }}
 {{- end -}}
- {{- "{\n" -}}
+ {{- " {\n" -}}
 {{- end -}}
 {{- $oldtype := "" -}}
 {{- range .Rules -}}
 {{- $type := typeof . -}}
 {{- if eq $type "Rule" -}}
+ {{- template "comment" . -}}
 {{- "\n" -}}
 {{- continue -}}
 {{- end -}}
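Review bot: The added `{{- template "comment" . -}}` under `if eq $type "Rule"` now executes the comment template against a value whose `typeof` is the generic `Rule`, and the comment template (its rename hunk appears later in this patch) reads `.FileInherit`, `.NoNewPrivs`, `.Optional` and `.Comment`; if that type does not expose all four fields, Execute fails and `String()` in apparmor.go returns the error text in place of the profile. Worth confirming against the Rule type, which is not in this patch, or documenting in profile.j2 that every rule type is expected to carry those four fields. The `" {\n"` change in the same hunk puts a space before the opening brace; a short comment on that line stating the intended header layout would explain why the surrounding `-}}` trims do not already produce it. The enclosing `range .Rules` body continues outside the hunk.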
@@ -38,252 +39,63 @@
 {{- end -}}
 {{- if eq $type "Rlimit" -}}
- {{ "set rlimit " }}{{ .Key }} {{ .Op }} {{ .Value }}{{ "," }}{{ template "comment" . }}
+ {{- template "rlimit" . -}}
 {{- end -}}
 {{- if eq $type "Userns" -}}
- {{- if .Create -}}
- {{ template "qualifier" . }}{{ "userns," }}{{ template "comment" . }}
- {{- end -}}
+ {{- template "userns" . -}}
 {{- end -}}
 {{- if eq $type "Capability" -}}
- {{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comment" . }}
+ {{- template "capability" . -}}
 {{- end -}}
 {{- if eq $type "Network" -}}
- {{- template "qualifier" . -}}
- {{ "network" }}
- {{- with .Domain -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- with .Type -}}
- {{ " " }}{{ . }}
- {{- else -}}
- {{- with .Protocol -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
+ {{- template "network" . -}}
 {{- end -}}
 {{- if eq $type "Mount" -}}
- {{- template "qualifier" . -}}
- {{- "mount" -}}
- {{- with .FsType -}}
- {{ " fstype=" }}{{ . }}
- {{- end -}}
- {{- with .Options -}}
- {{ " options=(" }}{{ join . }}{{ ")" }}
- {{- end -}}
- {{- with .Source -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- with .MountPoint -}}
- {{ " -> " }}{{ . }}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
- {{- end -}}
-
- {{- if eq $type "Umount" -}}
- {{- template "qualifier" . -}}
- {{- "umount" -}}
- {{- with .FsType -}}
- {{ " fstype=" }}{{ . }}
- {{- end -}}
- {{- with .Options -}}
- {{ " options=(" }}{{ join . }}{{ ")" }}
- {{- end -}}
- {{- with .MountPoint -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
+ {{- template "mount" . -}}
 {{- end -}}
 {{- if eq $type "Remount" -}}
- {{- template "qualifier" . -}}
- {{- "remount" -}}
- {{- with .FsType -}}
- {{ " fstype=" }}{{ . }}
- {{- end -}}
- {{- with .Options -}}
- {{ " options=(" }}{{ join . }}{{ ")" }}
- {{- end -}}
- {{- with .MountPoint -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . 
-}}
+ {{- template "remount" . -}}
+ {{- end -}}
+
+ {{- if eq $type "Umount" -}}
+ {{- template "umount" . -}}
 {{- end -}}
 {{- if eq $type "PivotRoot" -}}
- {{- template "qualifier" . -}}
- {{- "pivot_root" -}}
- {{- with .OldRoot -}}
- {{ " oldroot=" }}{{ . }}
- {{- end -}}
- {{- with .NewRoot -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- with .TargetProfile -}}
- {{ " -> " }}{{ . }}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
+ {{- template "pivot_root" . -}}
 {{- end -}}
 {{- if eq $type "ChangeProfile" -}}
- {{- template "qualifier" . -}}
- {{- "change_profile" -}}
- {{- with .ExecMode -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- with .Exec -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- with .ProfileName -}}
- {{ " -> " }}{{ . }}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
+ {{- template "change_profile" . -}}
 {{- end -}}
 {{- if eq $type "Mqueue" -}}
- {{- template "qualifier" . -}}
- {{- "mqueue" -}}
- {{- with .Access -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- with .Type -}}
- {{ " type=" }}{{ . }}
- {{- end -}}
- {{- with .Label -}}
- {{ " label=" }}{{ . }}
- {{- end -}}
- {{- with .Name -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
+ {{- template "mqueue" . -}}
 {{- end -}}
 {{- if eq $type "Unix" -}}
- {{- template "qualifier" . -}}
- {{- "unix" -}}
- {{- with .Access -}}
- {{ " (" }}{{ . }}{{ ")" }}
- {{- end -}}
- {{- with .Type -}}
- {{ " type=" }}{{ . }}
- {{- end -}}
- {{- with .Protocol -}}
- {{ " protocol=" }}{{ . }}
- {{- end -}}
- {{- with .Address -}}
- {{ " addr=" }}{{ . }}
- {{- end -}}
- {{- with .Label -}}
- {{ " label=" }}{{ . }}
- {{- end -}}
- {{- if and .PeerLabel .PeerAddr -}}
- {{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr="}}{{ .PeerAddr }}{{ ")" }}
- {{- else -}}
- {{- with .PeerLabel -}}
- {{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
- {{- end -}}
- {{- with .PeerAddr -}}
- {{ overindent "peer=(addr=" }}{{ . 
}}{{ ")" }}
- {{- end -}}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
+ {{- template "unix" . -}}
 {{- end -}}
 {{- if eq $type "Ptrace" -}}
- {{- template "qualifier" . -}}
- {{- "ptrace" -}}
- {{- with .Access -}}
- {{ " (" }}{{ . }}{{ ")" }}
- {{- end -}}
- {{- with .Peer -}}
- {{ " peer=" }}{{ . }}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
+ {{- template "ptrace" . -}}
 {{- end -}}
 {{- if eq $type "Signal" -}}
- {{- template "qualifier" . -}}
- {{- "signal" -}}
- {{- with .Access -}}
- {{ " (" }}{{ . }}{{ ")" }}
- {{- end -}}
- {{- with .Set -}}
- {{ " set=(" }}{{ . }}{{ ")" }}
- {{- end -}}
- {{- with .Peer -}}
- {{ " peer=" }}{{ . }}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
+ {{- template "signal" . -}}
 {{- end -}}
 {{- if eq $type "Dbus" -}}
- {{- template "qualifier" . -}}
- {{- "dbus" -}}
- {{- if eq .Access "bind" -}}
- {{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
- {{- else -}}
- {{- with .Access -}}
- {{ " " }}{{ . }}
- {{- end -}}
- {{- with .Bus -}}
- {{ " bus=" }}{{ . }}
- {{- end -}}
- {{- with .Path -}}
- {{ " path=" }}{{ . }}
- {{- end -}}
- {{ "\n" }}
- {{- with .Interface -}}
- {{ overindent "interface=" }}{{ . }}{{ "\n" }}
- {{- end -}}
- {{- with .Member -}}
- {{ overindent "member=" }}{{ . }}{{ "\n" }}
- {{- end -}}
- {{- if and .PeerName .PeerLabel -}}
- {{ overindent "peer=(name=" }}{{ .PeerName }}{{ ", label="}}{{ .PeerLabel }}{{ ")" }}
- {{- else -}}
- {{- with .PeerName -}}
- {{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
- {{- end -}}
- {{- with .PeerLabel -}}
- {{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
- {{- end -}}
- {{- end -}}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
+ {{- template "dbus" . -}}
 {{- end -}}
 {{- if eq $type "File" -}}
- {{- template "qualifier" . -}}
- {{- if .Owner -}}
- {{- "owner " -}}
- {{- end -}}
- {{- .Path -}}
- {{- " " -}}
- {{- with .Padding -}}
- {{ . }}
- {{- end -}}
- {{- .Access -}}
- {{- with .Target -}}
- {{ " -> " }}{{ . 
}}
- {{- end -}}
- {{- "," -}}
- {{- template "comment" . -}}
+ {{- template "file" . -}}
 {{- end -}}
 {{- if eq $type "Profile" -}}
diff --git a/pkg/aa/templates/rule/capability.j2 b/pkg/aa/templates/rule/capability.j2
new file mode 100644
index 00000000..4041ab11
--- /dev/null
+++ b/pkg/aa/templates/rule/capability.j2
@@ -0,0 +1,7 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "capability" -}}
+ {{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comment" . }}
+{{- end -}}
diff --git a/pkg/aa/templates/rule/change_profile.j2 b/pkg/aa/templates/rule/change_profile.j2
new file mode 100644
index 00000000..a5e4e75f
--- /dev/null
+++ b/pkg/aa/templates/rule/change_profile.j2
@@ -0,0 +1,19 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "change_profile" -}}
+ {{- template "qualifier" . -}}
+ {{- "change_profile" -}}
+ {{- with .ExecMode -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- with .Exec -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- with .ProfileName -}}
+ {{ " -> " }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
\ No newline at end of file
diff --git a/pkg/aa/templates/comment.j2 b/pkg/aa/templates/rule/comment.j2
similarity index 69%
rename from pkg/aa/templates/comment.j2
rename to pkg/aa/templates/rule/comment.j2
index ce7c30b9..68fc20a8 100644
--- a/pkg/aa/templates/comment.j2
+++ b/pkg/aa/templates/rule/comment.j2
@@ -1,3 +1,7 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
 {{- define "comment" -}}
 {{- if or .FileInherit .NoNewPrivs .Optional .Comment -}}
 {{- " #" -}}
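Review bot: change_profile.j2 ends without a trailing newline (`\ No newline at end of file`) while capability.j2 in the same patch ends with one; the same inconsistency shows up in file.j2, network.j2, pivot_root.j2, ptrace.j2, rlimit.j2, signal.j2, unix.j2 and userns.j2, whereas dbus.j2, mount.j2 and mqueue.j2 keep the newline. It has no effect on rendered output because every file ends in `{{- end -}}`, but it will churn in future diffs and most editors and linters rewrite it on save, so normalise all of the new rule templates to a trailing newline.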
diff --git a/pkg/aa/templates/rule/dbus.j2 b/pkg/aa/templates/rule/dbus.j2
new file mode 100644
index 00000000..a25b87ef
--- /dev/null
+++ b/pkg/aa/templates/rule/dbus.j2
@@ -0,0 +1,40 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "dbus" -}}
+ {{- template "qualifier" . -}}
+ {{- "dbus" -}}
+ {{- if eq .Access "bind" -}}
+ {{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
+ {{- else -}}
+ {{- with .Access -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- with .Bus -}}
+ {{ " bus=" }}{{ . }}
+ {{- end -}}
+ {{- with .Path -}}
+ {{ " path=" }}{{ . }}
+ {{- end -}}
+ {{ "\n" }}
+ {{- with .Interface -}}
+ {{ overindent "interface=" }}{{ . }}{{ "\n" }}
+ {{- end -}}
+ {{- with .Member -}}
+ {{ overindent "member=" }}{{ . }}{{ "\n" }}
+ {{- end -}}
+ {{- if and .PeerName .PeerLabel -}}
+ {{ overindent "peer=(name=" }}{{ .PeerName }}{{ ", label="}}{{ .PeerLabel }}{{ ")" }}
+ {{- else -}}
+ {{- with .PeerName -}}
+ {{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
+ {{- end -}}
+ {{- with .PeerLabel -}}
+ {{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
diff --git a/pkg/aa/templates/rule/file.j2 b/pkg/aa/templates/rule/file.j2
new file mode 100644
index 00000000..ea016e77
--- /dev/null
+++ b/pkg/aa/templates/rule/file.j2
@@ -0,0 +1,21 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "file" -}}
+ {{- template "qualifier" . -}}
+ {{- if .Owner -}}
+ {{- "owner " -}}
+ {{- end -}}
+ {{- .Path -}}
+ {{- " " -}}
+ {{- with .Padding -}}
+ {{ . }}
+ {{- end -}}
+ {{- .Access -}}
+ {{- with .Target -}}
+ {{ " -> " }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
\ No newline at end of file
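Review bot: In the non-bind branch of the `dbus` define, `{{ "\n" }}` is emitted unconditionally after the optional `path=` segment, so a rule that sets none of `.Interface`, `.Member`, `.PeerName` or `.PeerLabel` renders as a `dbus …` line followed by a second line holding only the comma and comment. The lines are carried over from profile.j2 unchanged, so this is not a regression, but moving them into their own file is the right moment to make the newline conditional on at least one of those four fields being set, unless callers already guarantee that; a comment on the `{{ "\n" }}` line stating which case it serves would settle it either way.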
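Review bot: In the `file` define, `.Path`, `.Access` and `.Target` are written into the generated policy verbatim, and `tmplFunctionMap` as shown in template.go offers no quoting or validation helper. AppArmor rule syntax gives structural meaning to an unquoted space, a comma and a newline, so a path value that carries one of those characters renders as a rule that parses differently from the intended one, or makes the whole profile fail to load. If any of these values can originate outside the program (the `requestedMaskToAccess` map in template.go suggests audit-log input) the Go side that builds the rule should reject or quote such values before rendering, and a one-line comment at the top of the define, `{{- /* values are emitted unescaped; callers must validate path, access and target */ -}}`, would document the contract. The same applies to the other new rule templates in this patch (dbus, mount, mqueue, network, pivot_root, ptrace, signal, unix, change_profile).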
diff --git a/pkg/aa/templates/include.j2 b/pkg/aa/templates/rule/include.j2
similarity index 61%
rename from pkg/aa/templates/include.j2
rename to pkg/aa/templates/rule/include.j2
index fad5e9ca..b2dcb110 100644
--- a/pkg/aa/templates/include.j2
+++ b/pkg/aa/templates/rule/include.j2
@@ -1,3 +1,7 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
 {{- define "include" -}}
 {{- "include" -}}
 {{- if .IfExists -}}
diff --git a/pkg/aa/templates/rule/mount.j2 b/pkg/aa/templates/rule/mount.j2
new file mode 100644
index 00000000..19d29b13
--- /dev/null
+++ b/pkg/aa/templates/rule/mount.j2
@@ -0,0 +1,54 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "mount" -}}
+ {{- template "qualifier" . -}}
+ {{- "mount" -}}
+ {{- with .FsType -}}
+ {{ " fstype=" }}{{ . }}
+ {{- end -}}
+ {{- with .Options -}}
+ {{ " options=(" }}{{ join . }}{{ ")" }}
+ {{- end -}}
+ {{- with .Source -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- with .MountPoint -}}
+ {{ " -> " }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
+
+{{- define "remount" -}}
+ {{- template "qualifier" . -}}
+ {{- "remount" -}}
+ {{- with .FsType -}}
+ {{ " fstype=" }}{{ . }}
+ {{- end -}}
+ {{- with .Options -}}
+ {{ " options=(" }}{{ join . }}{{ ")" }}
+ {{- end -}}
+ {{- with .MountPoint -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
+
+{{- define "umount" -}}
+ {{- template "qualifier" . -}}
+ {{- "umount" -}}
+ {{- with .FsType -}}
+ {{ " fstype=" }}{{ . }}
+ {{- end -}}
+ {{- with .Options -}}
+ {{ " options=(" }}{{ join . }}{{ ")" }}
+ {{- end -}}
+ {{- with .MountPoint -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
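Review bot: The `remount` and `umount` defines in mount.j2 are byte-identical apart from the keyword literal, so any future fix to one (an added option, a whitespace tweak) has to be mirrored by hand in the other. Since the `default` branch of generateTemplate loads one `templates/rule/<name>.j2` per rule name, keeping three defines in one file also means `generateTemplate("remount")` or `generateTemplate("umount")` would look for files that do not exist; a comment at the top of mount.j2 naming the three templates it provides and stating that they are only reachable through the `apparmor.j2` and `profile.j2` cases would make that limitation visible. If a per-rule lookup is wanted later, splitting the file is the smaller change.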
diff --git a/pkg/aa/templates/rule/mqueue.j2 b/pkg/aa/templates/rule/mqueue.j2
new file mode 100644
index 00000000..48b764aa
--- /dev/null
+++ b/pkg/aa/templates/rule/mqueue.j2
@@ -0,0 +1,22 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "mqueue" -}}
+ {{- template "qualifier" . -}}
+ {{- "mqueue" -}}
+ {{- with .Access -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- with .Type -}}
+ {{ " type=" }}{{ . }}
+ {{- end -}}
+ {{- with .Label -}}
+ {{ " label=" }}{{ . }}
+ {{- end -}}
+ {{- with .Name -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.j2
new file mode 100644
index 00000000..6f2503a8
--- /dev/null
+++ b/pkg/aa/templates/rule/network.j2
@@ -0,0 +1,20 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "network" -}}
+ {{- template "qualifier" . -}}
+ {{ "network" }}
+ {{- with .Domain -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- with .Type -}}
+ {{ " " }}{{ . }}
+ {{- else -}}
+ {{- with .Protocol -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
\ No newline at end of file
diff --git a/pkg/aa/templates/rule/pivot_root.j2 b/pkg/aa/templates/rule/pivot_root.j2
new file mode 100644
index 00000000..d779e2c1
--- /dev/null
+++ b/pkg/aa/templates/rule/pivot_root.j2
@@ -0,0 +1,19 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "pivot_root" -}}
+ {{- template "qualifier" . -}}
+ {{- "pivot_root" -}}
+ {{- with .OldRoot -}}
+ {{ " oldroot=" }}{{ . }}
+ {{- end -}}
+ {{- with .NewRoot -}}
+ {{ " " }}{{ . }}
+ {{- end -}}
+ {{- with .TargetProfile -}}
+ {{ " -> " }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
\ No newline at end of file
diff --git a/pkg/aa/templates/rule/ptrace.j2 b/pkg/aa/templates/rule/ptrace.j2
new file mode 100644
index 00000000..95318a28
--- /dev/null
+++ b/pkg/aa/templates/rule/ptrace.j2
@@ -0,0 +1,16 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "ptrace" -}}
+ {{- template "qualifier" . -}}
+ {{- "ptrace" -}}
+ {{- with .Access -}}
+ {{ " (" }}{{ . }}{{ ")" }}
+ {{- end -}}
+ {{- with .Peer -}}
+ {{ " peer=" }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
\ No newline at end of file
diff --git a/pkg/aa/templates/qualifier.j2 b/pkg/aa/templates/rule/qualifier.j2
similarity index 56%
rename from pkg/aa/templates/qualifier.j2
rename to pkg/aa/templates/rule/qualifier.j2
index 51373549..ed89f63e 100644
--- a/pkg/aa/templates/qualifier.j2
+++ b/pkg/aa/templates/rule/qualifier.j2
@@ -1,3 +1,7 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
 {{- define "qualifier" -}}
 {{- with .Prefix -}}
 {{ . }}
diff --git a/pkg/aa/templates/rule/rlimit.j2 b/pkg/aa/templates/rule/rlimit.j2
new file mode 100644
index 00000000..5061c1c4
--- /dev/null
+++ b/pkg/aa/templates/rule/rlimit.j2
@@ -0,0 +1,7 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "rlimit" -}}
+ {{ "set rlimit " }}{{ .Key }} {{ .Op }} {{ .Value }}{{ "," }}{{ template "comment" . }}
+{{- end -}}
\ No newline at end of file
diff --git a/pkg/aa/templates/rule/signal.j2 b/pkg/aa/templates/rule/signal.j2
new file mode 100644
index 00000000..b0fdbc35
--- /dev/null
+++ b/pkg/aa/templates/rule/signal.j2
@@ -0,0 +1,19 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "signal" -}}
+ {{- template "qualifier" . -}}
+ {{- "signal" -}}
+ {{- with .Access -}}
+ {{ " (" }}{{ . }}{{ ")" }}
+ {{- end -}}
+ {{- with .Set -}}
+ {{ " set=(" }}{{ . }}{{ ")" }}
+ {{- end -}}
+ {{- with .Peer -}}
+ {{ " peer=" }}{{ . }}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
\ No newline at end of file
diff --git a/pkg/aa/templates/rule/unix.j2 b/pkg/aa/templates/rule/unix.j2
new file mode 100644
index 00000000..fe1a6c7a
--- /dev/null
+++ b/pkg/aa/templates/rule/unix.j2
@@ -0,0 +1,35 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "unix" -}}
+ {{- template "qualifier" . -}}
+ {{- "unix" -}}
+ {{- with .Access -}}
+ {{ " (" }}{{ . }}{{ ")" }}
+ {{- end -}}
+ {{- with .Type -}}
+ {{ " type=" }}{{ . }}
+ {{- end -}}
+ {{- with .Protocol -}}
+ {{ " protocol=" }}{{ . }}
+ {{- end -}}
+ {{- with .Address -}}
+ {{ " addr=" }}{{ . }}
+ {{- end -}}
+ {{- with .Label -}}
+ {{ " label=" }}{{ . }}
+ {{- end -}}
+ {{- if and .PeerLabel .PeerAddr -}}
+ {{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr="}}{{ .PeerAddr }}{{ ")" }}
+ {{- else -}}
+ {{- with .PeerLabel -}}
+ {{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
+ {{- end -}}
+ {{- with .PeerAddr -}}
+ {{ overindent "peer=(addr=" }}{{ . }}{{ ")" }}
+ {{- end -}}
+ {{- end -}}
+ {{- "," -}}
+ {{- template "comment" . -}}
+{{- end -}}
\ No newline at end of file
diff --git a/pkg/aa/templates/rule/userns.j2 b/pkg/aa/templates/rule/userns.j2
new file mode 100644
index 00000000..771a5e2f
--- /dev/null
+++ b/pkg/aa/templates/rule/userns.j2
@@ -0,0 +1,9 @@
+{{- /* apparmor.d - Full set of apparmor profiles */ -}}
+{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
+{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
+
+{{- define "userns" -}}
+ {{- if .Create -}}
+ {{ template "qualifier" . }}{{ "userns," }}{{ template "comment" . }}
+ {{- end -}}
+{{- end -}}
\ No newline at end of file