mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-30 14:55:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(aa): make preamble rule classic aa rules.

Browse source
This commit is contained in:
Alexandre Pujol 2024-05-04 23:25:55 +01:00
parent 068373405f
commit a5c4eab0cf
Failed to generate hash of commit
8 changed files with 81 additions and 74 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
pkg/aa/apparmor.go
View file

@ -19,19 +19,10 @@ type AppArmorProfileFiles map[string]*AppArmorProfileFile
// - Some rules are not supported yet (subprofile, hat...) // - Some rules are not supported yet (subprofile, hat...)
// - The structure is simplified as it only aims at writing profile, not parsing it. // - The structure is simplified as it only aims at writing profile, not parsing it.
type AppArmorProfileFile struct { type AppArmorProfileFile struct {
Preamble Preamble Rules
Profiles []*Profile Profiles []*Profile
} }
// Preamble section of a profile file,
type Preamble struct {
Abi []*Abi
Includes []*Include
Aliases []*Alias
Variables []*Variable
Comments []*RuleBase
}
func NewAppArmorProfile() *AppArmorProfileFile { func NewAppArmorProfile() *AppArmorProfileFile {
return &AppArmorProfileFile{} return &AppArmorProfileFile{}
} }

32
pkg/aa/apparmor_test.go
View file

@ -31,15 +31,16 @@ func TestAppArmorProfileFile_String(t *testing.T) {
{ {
name: "foo", name: "foo",
f: &AppArmorProfileFile{ f: &AppArmorProfileFile{
Preamble: Preamble{ Preamble: Rules{
Abi: []*Abi{{IsMagic: true, Path: "abi/4.0"}}, &Comment{RuleBase: RuleBase{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}},
Includes: []*Include{{IsMagic: true, Path: "tunables/global"}}, nil,
Aliases: []*Alias{{Path: "/mnt/usr", RewrittenPath: "/usr"}}, &Abi{IsMagic: true, Path: "abi/4.0"},
Variables: []*Variable{{ &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"},
&Include{IsMagic: true, Path: "tunables/global"},
&Variable{
Name: "exec_path", Define: true, Name: "exec_path", Define: true,
Values: []string{"@{bin}/foo", "@{lib}/foo"}, Values: []string{"@{bin}/foo", "@{lib}/foo"},
}}, },
Comments: []*RuleBase{{Comment: "Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}},
}, },
Profiles: []*Profile{{ Profiles: []*Profile{{
Header: Header{ Header: Header{
@ -192,17 +193,16 @@ func TestAppArmorProfileFile_Integration(t *testing.T) {
{ {
name: "aa-status", name: "aa-status",
f: &AppArmorProfileFile{ f: &AppArmorProfileFile{
Preamble: Preamble{ Preamble: Rules{
Abi: []*Abi{{IsMagic: true, Path: "abi/3.0"}}, &Comment{RuleBase: RuleBase{Comment: " apparmor.d - Full set of apparmor profiles", IsLineRule: true}},
Includes: []*Include{{IsMagic: true, Path: "tunables/global"}}, &Comment{RuleBase: RuleBase{Comment: " Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>", IsLineRule: true}},
Variables: []*Variable{{ &Comment{RuleBase: RuleBase{Comment: " SPDX-License-Identifier: GPL-2.0-only", IsLineRule: true}},
nil,
&Abi{IsMagic: true, Path: "abi/3.0"},
&Include{IsMagic: true, Path: "tunables/global"},
&Variable{
Name: "exec_path", Define: true, Name: "exec_path", Define: true,
Values: []string{"@{bin}/aa-status", "@{bin}/apparmor_status"}, Values: []string{"@{bin}/aa-status", "@{bin}/apparmor_status"},
}},
Comments: []*RuleBase{
{Comment: "apparmor.d - Full set of apparmor profiles", IsLineRule: true},
{Comment: "Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>", IsLineRule: true},
{Comment: "SPDX-License-Identifier: GPL-2.0-only", IsLineRule: true},
}, },
}, },
Profiles: []*Profile{{ Profiles: []*Profile{{

34
pkg/aa/preamble.go
View file

@ -14,6 +14,40 @@ const (
tokIFEXISTS = "if exists" tokIFEXISTS = "if exists"
) )
type Comment struct {
RuleBase
}
func newCommentFromRule(rule rule) (Rule, error) {
base := newRuleFromRule(rule)
base.IsLineRule = true
return &Comment{RuleBase: base}, nil
}
func (r *Comment) Less(other any) bool {
return false
}
func (r *Comment) Equals(other any) bool {
return false
}
func (r *Comment) String() string {
return renderTemplate("comment", r)
}
func (r *Comment) IsPreamble() bool {
return true
}
func (r *Comment) Constraint() RuleConstraint {
return anyKind
}
func (r *Comment) Kind() string {
return tokCOMMENT
}
type Abi struct { type Abi struct {
RuleBase RuleBase
Path string Path string

3
pkg/aa/template.go
View file

@ -175,6 +175,9 @@ func cjoin(i any) string {
} }
func typeOf(i any) string { func typeOf(i any) string {
if i == nil {
return ""
}
return strings.TrimPrefix(reflect.TypeOf(i).String(), "*aa.") return strings.TrimPrefix(reflect.TypeOf(i).String(), "*aa.")
} }

37
pkg/aa/templates/apparmor.j2
View file

@ -4,42 +4,7 @@
{{- define "apparmor" -}} {{- define "apparmor" -}}
{{- with .Comments -}} {{- template "rules" .Preamble -}}
{{- range . -}}
{{- template "comment" . -}}
{{- "\n" -}}
{{- end -}}
{{- "\n" -}}
{{- end -}}
{{- with .Abi -}}
{{- range . -}}
{{- template "abi" . -}}
{{- "\n" -}}
{{- end -}}
{{- "\n" -}}
{{- end -}}
{{- with .Aliases -}}
{{- range . -}}
{{- template "alias" . -}}
{{- "\n" -}}
{{- end -}}
{{- "\n" -}}
{{- end -}}
{{- with .Includes -}}
{{- range . -}}
{{- template "include" . -}}
{{- "\n" -}}
{{- end -}}
{{- "\n" -}}
{{- end -}}
{{- range .Variables -}}
{{- template "variable" . -}}
{{- "\n" -}}
{{- end -}}
{{- range .Profiles -}} {{- range .Profiles -}}
{{- template "profile" . -}} {{- template "profile" . -}}

2
pkg/aa/templates/rule/comment.j2
View file

@ -19,7 +19,7 @@
{{- " optional:" -}} {{- " optional:" -}}
{{- end -}} {{- end -}}
{{- with .Comment -}} {{- with .Comment -}}
{{ " " }}{{ . }} {{ . }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}

18
pkg/aa/templates/rules.j2
View file

@ -7,7 +7,11 @@
{{- $oldtype := "" -}} {{- $oldtype := "" -}}
{{- range . -}} {{- range . -}}
{{- $type := typeof . -}} {{- $type := typeof . -}}
{{- if eq $type "RuleBase" -}} {{- if eq $type "" -}}
{{- "\n" -}}
{{- continue -}}
{{- end -}}
{{- if eq $type "Comment" -}}
{{- template "comment" . -}} {{- template "comment" . -}}
{{- "\n" -}} {{- "\n" -}}
{{- continue -}} {{- continue -}}
@ -18,10 +22,22 @@
{{- end -}} {{- end -}}
{{- indent "" -}} {{- indent "" -}}
{{- if eq $type "Abi" -}}
{{- template "abi" . -}}
{{- end -}}
{{- if eq $type "Alias" -}}
{{- template "alias" . -}}
{{- end -}}
{{- if eq $type "Include" -}} {{- if eq $type "Include" -}}
{{- template "include" . -}} {{- template "include" . -}}
{{- end -}} {{- end -}}
{{- if eq $type "Variable" -}}
{{- template "variable" . -}}
{{- end -}}
{{- if eq $type "All" -}} {{- if eq $type "All" -}}
{{- template "all" . -}} {{- template "all" . -}}
{{- end -}} {{- end -}}

18
pkg/aa/variables_test.go
View file

@ -21,16 +21,14 @@ func TestDefaultTunables(t *testing.T) {
{ {
name: "aa", name: "aa",
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Preamble: Preamble{ Preamble: Rules{
Variables: []*Variable{ &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}},
{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}}, &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}},
{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}}, &Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}},
{Name: "multiarch", Values: []string{"*-linux-gnu*"}}, &Variable{Name: "HOME", Values: []string{"/home/*"}},
{Name: "HOME", Values: []string{"/home/*"}}, &Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}},
{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}},
{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}}, &Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}},
{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}},
},
}, },
}, },
}, },