mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-31 07:17:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(aa): continue refractoring the aa structure.

Browse source
This commit is contained in:
Alexandre Pujol 2024-04-19 22:43:02 +01:00
parent 8ef858ad35
commit c97886d960
Failed to generate hash of commit
22 changed files with 160 additions and 182 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
pkg/aa/apparmor.go
View file

@ -35,6 +35,7 @@ type Preamble struct {
Includes []*Include Includes []*Include
Aliases []*Alias Aliases []*Alias
Variables []*Variable Variables []*Variable
Comments []*RuleBase
} }
func NewAppArmorProfile() *AppArmorProfileFile { func NewAppArmorProfile() *AppArmorProfileFile {

26
pkg/aa/apparmor_test.go
View file

@ -58,7 +58,7 @@ func TestAppArmorProfile_String(t *testing.T) {
Attributes: map[string]string{"security.tagged": "allowed"}, Attributes: map[string]string{"security.tagged": "allowed"},
Flags: []string{"complain", "attach_disconnected"}, Flags: []string{"complain", "attach_disconnected"},
}, },
Rules: []ApparmorRule{ Rules: []Rule{
&Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/base"},
&Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"},
rlimit1, rlimit1,
@ -135,7 +135,7 @@ func TestAppArmorProfile_AddRule(t *testing.T) {
log: capability1Log, log: capability1Log,
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{capability1}, Rules: []Rule{capability1},
}}, }},
}, },
}, },
@ -144,7 +144,7 @@ func TestAppArmorProfile_AddRule(t *testing.T) {
log: network1Log, log: network1Log,
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{network1}, Rules: []Rule{network1},
}}, }},
}, },
}, },
@ -153,7 +153,7 @@ func TestAppArmorProfile_AddRule(t *testing.T) {
log: mount2Log, log: mount2Log,
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{mount2}, Rules: []Rule{mount2},
}}, }},
}, },
}, },
@ -162,7 +162,7 @@ func TestAppArmorProfile_AddRule(t *testing.T) {
log: signal1Log, log: signal1Log,
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{signal1}, Rules: []Rule{signal1},
}}, }},
}, },
}, },
@ -171,7 +171,7 @@ func TestAppArmorProfile_AddRule(t *testing.T) {
log: ptrace2Log, log: ptrace2Log,
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{ptrace2}, Rules: []Rule{ptrace2},
}}, }},
}, },
}, },
@ -180,7 +180,7 @@ func TestAppArmorProfile_AddRule(t *testing.T) {
log: unix1Log, log: unix1Log,
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{unix1}, Rules: []Rule{unix1},
}}, }},
}, },
}, },
@ -189,7 +189,7 @@ func TestAppArmorProfile_AddRule(t *testing.T) {
log: dbus2Log, log: dbus2Log,
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{dbus2}, Rules: []Rule{dbus2},
}}, }},
}, },
}, },
@ -198,7 +198,7 @@ func TestAppArmorProfile_AddRule(t *testing.T) {
log: file2Log, log: file2Log,
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{file2}, Rules: []Rule{file2},
}}, }},
}, },
}, },
@ -224,7 +224,7 @@ func TestAppArmorProfile_Sort(t *testing.T) {
name: "all", name: "all",
origin: &AppArmorProfileFile{ origin: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{ Rules: []Rule{
file2, network1, includeLocal1, dbus2, signal1, ptrace1, file2, network1, includeLocal1, dbus2, signal1, ptrace1,
capability2, file1, dbus1, unix2, signal2, mount2, capability2, file1, dbus1, unix2, signal2, mount2,
}, },
@ -232,7 +232,7 @@ func TestAppArmorProfile_Sort(t *testing.T) {
}, },
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{ Rules: []Rule{
capability2, network1, mount2, signal1, signal2, ptrace1, capability2, network1, mount2, signal1, signal2, ptrace1,
unix2, dbus2, dbus1, file1, file2, includeLocal1, unix2, dbus2, dbus1, file1, file2, includeLocal1,
}, },
@ -261,12 +261,12 @@ func TestAppArmorProfile_MergeRules(t *testing.T) {
name: "all", name: "all",
origin: &AppArmorProfileFile{ origin: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{capability1, capability1, network1, network1, file1, file1}, Rules: []Rule{capability1, capability1, network1, network1, file1, file1},
}}, }},
}, },
want: &AppArmorProfileFile{ want: &AppArmorProfileFile{
Profiles: []*Profile{{ Profiles: []*Profile{{
Rules: []ApparmorRule{capability1, network1, file1}, Rules: []Rule{capability1, network1, file1},
}}, }},
}, },
}, },

6
pkg/aa/capability.go
View file

@ -5,14 +5,14 @@
package aa package aa
type Capability struct { type Capability struct {
Rule RuleBase
Qualifier Qualifier
Name string Name string
} }
func newCapabilityFromLog(log map[string]string) *Capability { func newCapabilityFromLog(log map[string]string) Rule {
return &Capability{ return &Capability{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
Name: log["capname"], Name: log["capname"],
} }

6
pkg/aa/change_profile.go
View file

@ -5,16 +5,16 @@
package aa package aa
type ChangeProfile struct { type ChangeProfile struct {
Rule RuleBase
Qualifier Qualifier
ExecMode string ExecMode string
Exec string Exec string
ProfileName string ProfileName string
} }
func newChangeProfileFromLog(log map[string]string) *ChangeProfile { func newChangeProfileFromLog(log map[string]string) Rule {
return &ChangeProfile{ return &ChangeProfile{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
ExecMode: log["mode"], ExecMode: log["mode"],
Exec: log["exec"], Exec: log["exec"],

18
pkg/aa/data_test.go
View file

@ -71,13 +71,13 @@ var (
"flags": "rw, rbind", "flags": "rw, rbind",
} }
mount1 = &Mount{ mount1 = &Mount{
Rule: Rule{Comment: "failed perms check"}, RuleBase: RuleBase{Comment: "failed perms check"},
MountConditions: MountConditions{FsType: "overlay"}, MountConditions: MountConditions{FsType: "overlay"},
Source: "overlay", Source: "overlay",
MountPoint: "/var/lib/docker/overlay2/opaque-bug-check1209538631/merged/", MountPoint: "/var/lib/docker/overlay2/opaque-bug-check1209538631/merged/",
} }
mount2 = &Mount{ mount2 = &Mount{
Rule: Rule{Comment: "failed perms check"}, RuleBase: RuleBase{Comment: "failed perms check"},
MountConditions: MountConditions{Options: []string{"rw", "rbind"}}, MountConditions: MountConditions{Options: []string{"rw", "rbind"}},
Source: "/oldroot/dev/tty", Source: "/oldroot/dev/tty",
MountPoint: "/newroot/dev/tty", MountPoint: "/newroot/dev/tty",
@ -205,9 +205,9 @@ var (
PeerLabel: "dbus-daemon", PeerLabel: "dbus-daemon",
} }
unix2 = &Unix{ unix2 = &Unix{
Rule: Rule{FileInherit: true}, RuleBase: RuleBase{FileInherit: true},
Access: "receive", Access: "receive",
Type: "stream", Type: "stream",
} }
// Dbus // Dbus
@ -285,9 +285,9 @@ var (
} }
file1 = &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: "r"} file1 = &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: "r"}
file2 = &File{ file2 = &File{
Rule: Rule{NoNewPrivs: true}, RuleBase: RuleBase{NoNewPrivs: true},
Owner: true, Owner: true,
Path: "@{PROC}/4163/cgroup", Path: "@{PROC}/4163/cgroup",
Access: "r", Access: "r",
} }
) )

6
pkg/aa/dbus.go
View file

@ -5,7 +5,7 @@
package aa package aa
type Dbus struct { type Dbus struct {
Rule RuleBase
Qualifier Qualifier
Access string Access string
Bus string Bus string
@ -17,7 +17,7 @@ type Dbus struct {
PeerLabel string PeerLabel string
} }
func newDbusFromLog(log map[string]string) *Dbus { func newDbusFromLog(log map[string]string) Rule {
name := "" name := ""
peerName := "" peerName := ""
if log["mask"] == "bind" { if log["mask"] == "bind" {
@ -26,7 +26,7 @@ func newDbusFromLog(log map[string]string) *Dbus {
peerName = log["name"] peerName = log["name"]
} }
return &Dbus{ return &Dbus{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
Access: log["mask"], Access: log["mask"],
Bus: log["bus"], Bus: log["bus"],

6
pkg/aa/file.go
View file

@ -5,7 +5,7 @@
package aa package aa
type File struct { type File struct {
Rule RuleBase
Qualifier Qualifier
Owner bool Owner bool
Path string Path string
@ -13,7 +13,7 @@ type File struct {
Target string Target string
} }
func newFileFromLog(log map[string]string) *File { func newFileFromLog(log map[string]string) Rule {
owner := false owner := false
fsuid, hasFsUID := log["fsuid"] fsuid, hasFsUID := log["fsuid"]
ouid, hasOuUID := log["ouid"] ouid, hasOuUID := log["ouid"]
@ -22,7 +22,7 @@ func newFileFromLog(log map[string]string) *File {
owner = true owner = true
} }
return &File{ return &File{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
Owner: owner, Owner: owner,
Path: log["name"], Path: log["name"],

6
pkg/aa/io_uring.go
View file

@ -5,15 +5,15 @@
package aa package aa
type IOUring struct { type IOUring struct {
Rule RuleBase
Qualifier Qualifier
Access string Access string
Label string Label string
} }
func newIOUringFromLog(log map[string]string) *IOUring { func newIOUringFromLog(log map[string]string) Rule {
return &IOUring{ return &IOUring{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
Access: toAccess(log["requested"]), Access: toAccess(log["requested"]),
Label: log["label"], Label: log["label"],

18
pkg/aa/mount.go
View file

@ -37,16 +37,16 @@ func (m MountConditions) Equals(other MountConditions) bool {
} }
type Mount struct { type Mount struct {
Rule RuleBase
Qualifier Qualifier
MountConditions MountConditions
Source string Source string
MountPoint string MountPoint string
} }
func newMountFromLog(log map[string]string) *Mount { func newMountFromLog(log map[string]string) Rule {
return &Mount{ return &Mount{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
MountConditions: newMountConditionsFromLog(log), MountConditions: newMountConditionsFromLog(log),
Source: log["srcname"], Source: log["srcname"],
@ -76,15 +76,15 @@ func (r *Mount) Equals(other any) bool {
} }
type Umount struct { type Umount struct {
Rule RuleBase
Qualifier Qualifier
MountConditions MountConditions
MountPoint string MountPoint string
} }
func newUmountFromLog(log map[string]string) *Umount { func newUmountFromLog(log map[string]string) Rule {
return &Umount{ return &Umount{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
MountConditions: newMountConditionsFromLog(log), MountConditions: newMountConditionsFromLog(log),
MountPoint: log["name"], MountPoint: log["name"],
@ -110,15 +110,15 @@ func (r *Umount) Equals(other any) bool {
} }
type Remount struct { type Remount struct {
Rule RuleBase
Qualifier Qualifier
MountConditions MountConditions
MountPoint string MountPoint string
} }
func newRemountFromLog(log map[string]string) *Remount { func newRemountFromLog(log map[string]string) Rule {
return &Remount{ return &Remount{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
MountConditions: newMountConditionsFromLog(log), MountConditions: newMountConditionsFromLog(log),
MountPoint: log["name"], MountPoint: log["name"],

6
pkg/aa/mqueue.go
View file

@ -9,7 +9,7 @@ import (
) )
type Mqueue struct { type Mqueue struct {
Rule RuleBase
Qualifier Qualifier
Access string Access string
Type string Type string
@ -17,7 +17,7 @@ type Mqueue struct {
Name string Name string
} }
func newMqueueFromLog(log map[string]string) *Mqueue { func newMqueueFromLog(log map[string]string) Rule {
mqueueType := "posix" mqueueType := "posix"
if strings.Contains(log["class"], "posix") { if strings.Contains(log["class"], "posix") {
mqueueType = "posix" mqueueType = "posix"
@ -25,7 +25,7 @@ func newMqueueFromLog(log map[string]string) *Mqueue {
mqueueType = "sysv" mqueueType = "sysv"
} }
return &Mqueue{ return &Mqueue{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
Access: toAccess(log["requested"]), Access: toAccess(log["requested"]),
Type: mqueueType, Type: mqueueType,

6
pkg/aa/network.go
View file

@ -34,7 +34,7 @@ func (r AddressExpr) Equals(other AddressExpr) bool {
} }
type Network struct { type Network struct {
Rule RuleBase
Qualifier Qualifier
AddressExpr AddressExpr
Domain string Domain string
@ -42,9 +42,9 @@ type Network struct {
Protocol string Protocol string
} }
func newNetworkFromLog(log map[string]string) *Network { func newNetworkFromLog(log map[string]string) Rule {
return &Network{ return &Network{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
AddressExpr: newAddressExprFromLog(log), AddressExpr: newAddressExprFromLog(log),
Domain: log["family"], Domain: log["family"],

6
pkg/aa/pivot_root.go
View file

@ -5,16 +5,16 @@
package aa package aa
type PivotRoot struct { type PivotRoot struct {
Rule RuleBase
Qualifier Qualifier
OldRoot string OldRoot string
NewRoot string NewRoot string
TargetProfile string TargetProfile string
} }
func newPivotRootFromLog(log map[string]string) *PivotRoot { func newPivotRootFromLog(log map[string]string) Rule {
return &PivotRoot{ return &PivotRoot{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
OldRoot: log["srcname"], OldRoot: log["srcname"],
NewRoot: log["name"], NewRoot: log["name"],

22
pkg/aa/preamble.go
View file

@ -9,7 +9,7 @@ import (
) )
type Abi struct { type Abi struct {
Rule RuleBase
Path string Path string
IsMagic bool IsMagic bool
} }
@ -28,7 +28,7 @@ func (r *Abi) Equals(other any) bool {
} }
type Alias struct { type Alias struct {
Rule RuleBase
Path string Path string
RewrittenPath string RewrittenPath string
} }
@ -47,7 +47,7 @@ func (r Alias) Equals(other any) bool {
} }
type Include struct { type Include struct {
Rule RuleBase
IfExists bool IfExists bool
Path string Path string
IsMagic bool IsMagic bool
@ -70,18 +70,20 @@ func (r *Include) Equals(other any) bool {
} }
type Variable struct { type Variable struct {
Rule RuleBase
Name string Name string
Values []string Values []string
} }
func (r *Variable) Less(other Variable) bool { func (r *Variable) Less(other any) bool {
if r.Name != other.Name { o, _ := other.(*Variable)
return r.Name < other.Name if r.Name != o.Name {
return r.Name < o.Name
} }
return len(r.Values) < len(other.Values) return len(r.Values) < len(o.Values)
} }
func (r *Variable) Equals(other Variable) bool { func (r *Variable) Equals(other any) bool {
return r.Name == other.Name && slices.Equal(r.Values, other.Values) o, _ := other.(*Variable)
return r.Name == o.Name && slices.Equal(r.Values, o.Values)
} }

18
pkg/aa/profile.go
View file

@ -12,7 +12,7 @@ import (
// Profile represents a single AppArmor profile. // Profile represents a single AppArmor profile.
type Profile struct { type Profile struct {
Rule RuleBase
Header Header
Rules Rules Rules Rules
} }
@ -25,17 +25,17 @@ type Header struct {
Flags []string Flags []string
} }
func (r *Profile) Less(other any) bool { func (p *Profile) Less(other any) bool {
o, _ := other.(*Profile) o, _ := other.(*Profile)
if r.Name != o.Name { if p.Name != o.Name {
return r.Name < o.Name return p.Name < o.Name
} }
return len(r.Attachments) < len(o.Attachments) return len(p.Attachments) < len(o.Attachments)
} }
func (r *Profile) Equals(other any) bool { func (p *Profile) Equals(other any) bool {
o, _ := other.(*Profile) o, _ := other.(*Profile)
return r.Name == o.Name && slices.Equal(r.Attachments, o.Attachments) && return p.Name == o.Name && slices.Equal(p.Attachments, o.Attachments) &&
maps.Equal(r.Attributes, o.Attributes) && maps.Equal(p.Attributes, o.Attributes) &&
slices.Equal(r.Flags, o.Flags) slices.Equal(p.Flags, o.Flags)
} }

6
pkg/aa/ptrace.go
View file

@ -5,15 +5,15 @@
package aa package aa
type Ptrace struct { type Ptrace struct {
Rule RuleBase
Qualifier Qualifier
Access string Access string
Peer string Peer string
} }
func newPtraceFromLog(log map[string]string) *Ptrace { func newPtraceFromLog(log map[string]string) Rule {
return &Ptrace{ return &Ptrace{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
Access: toAccess(log["requested_mask"]), Access: toAccess(log["requested_mask"]),
Peer: log["peer"], Peer: log["peer"],

12
pkg/aa/rlimit.go
View file

@ -5,18 +5,18 @@
package aa package aa
type Rlimit struct { type Rlimit struct {
Rule RuleBase
Key string Key string
Op string Op string
Value string Value string
} }
func newRlimitFromLog(log map[string]string) *Rlimit { func newRlimitFromLog(log map[string]string) Rule {
return &Rlimit{ return &Rlimit{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Key: log["key"], Key: log["key"],
Op: log["op"], Op: log["op"],
Value: log["value"], Value: log["value"],
} }
} }

19
pkg/aa/rules.go
View file

@ -5,19 +5,18 @@
package aa package aa
import ( import (
"fmt"
"strings" "strings"
) )
// ApparmorRule generic interface // Rule generic interface for all AppArmor rules
type ApparmorRule interface { type Rule interface {
Less(other any) bool Less(other any) bool
Equals(other any) bool Equals(other any) bool
} }
type Rules []ApparmorRule type Rules []Rule
type Rule struct { type RuleBase struct {
Comment string Comment string
NoNewPrivs bool NoNewPrivs bool
FileInherit bool FileInherit bool
@ -26,7 +25,7 @@ type Rule struct {
Optional bool Optional bool
} }
func newRuleFromLog(log map[string]string) Rule { func newRuleFromLog(log map[string]string) RuleBase {
fileInherit := false fileInherit := false
if log["operation"] == "file_inherit" { if log["operation"] == "file_inherit" {
fileInherit = true fileInherit = true
@ -54,7 +53,7 @@ func newRuleFromLog(log map[string]string) Rule {
default: default:
} }
return Rule{ return RuleBase{
Comment: msg, Comment: msg,
NoNewPrivs: noNewPrivs, NoNewPrivs: noNewPrivs,
FileInherit: fileInherit, FileInherit: fileInherit,
@ -62,11 +61,11 @@ func newRuleFromLog(log map[string]string) Rule {
} }
} }
func (r Rule) Less(other any) bool { func (r RuleBase) Less(other any) bool {
return false return false
} }
func (r Rule) Equals(other any) bool { func (r RuleBase) Equals(other any) bool {
return false return false
} }
@ -95,7 +94,7 @@ func (r Qualifier) Equals(other Qualifier) bool {
} }
type All struct { type All struct {
Rule RuleBase
} }
func (r *All) Less(other any) bool { func (r *All) Less(other any) bool {

132
pkg/aa/rules_test.go
View file

@ -12,105 +12,81 @@ import (
func TestRule_FromLog(t *testing.T) { func TestRule_FromLog(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
fromLog func(map[string]string) ApparmorRule fromLog func(map[string]string) Rule
log map[string]string log map[string]string
want ApparmorRule want Rule
}{ }{
{ {
name: "capbability", name: "capbability",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newCapabilityFromLog,
return newCapabilityFromLog(m) log: capability1Log,
}, want: capability1,
log: capability1Log,
want: capability1,
}, },
{ {
name: "network", name: "network",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newNetworkFromLog,
return newNetworkFromLog(m) log: network1Log,
}, want: network1,
log: network1Log,
want: network1,
}, },
{ {
name: "mount", name: "mount",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newMountFromLog,
return newMountFromLog(m) log: mount1Log,
}, want: mount1,
log: mount1Log,
want: mount1,
}, },
{ {
name: "umount", name: "umount",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newUmountFromLog,
return newUmountFromLog(m) log: umount1Log,
}, want: umount1,
log: umount1Log,
want: umount1,
}, },
{ {
name: "pivotroot", name: "pivotroot",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newPivotRootFromLog,
return newPivotRootFromLog(m) log: pivotroot1Log,
}, want: pivotroot1,
log: pivotroot1Log,
want: pivotroot1,
}, },
{ {
name: "changeprofile", name: "changeprofile",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newChangeProfileFromLog,
return newChangeProfileFromLog(m) log: changeprofile1Log,
}, want: changeprofile1,
log: changeprofile1Log,
want: changeprofile1,
}, },
{ {
name: "signal", name: "signal",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newSignalFromLog,
return newSignalFromLog(m) log: signal1Log,
}, want: signal1,
log: signal1Log,
want: signal1,
}, },
{ {
name: "ptrace/xdg-document-portal", name: "ptrace/xdg-document-portal",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newPtraceFromLog,
return newPtraceFromLog(m) log: ptrace1Log,
}, want: ptrace1,
log: ptrace1Log,
want: ptrace1,
}, },
{ {
name: "ptrace/snap-update-ns.firefox", name: "ptrace/snap-update-ns.firefox",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newPtraceFromLog,
return newPtraceFromLog(m) log: ptrace2Log,
}, want: ptrace2,
log: ptrace2Log,
want: ptrace2,
}, },
{ {
name: "unix", name: "unix",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newUnixFromLog,
return newUnixFromLog(m) log: unix1Log,
}, want: unix1,
log: unix1Log,
want: unix1,
}, },
{ {
name: "dbus", name: "dbus",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newDbusFromLog,
return newDbusFromLog(m) log: dbus1Log,
}, want: dbus1,
log: dbus1Log,
want: dbus1,
}, },
{ {
name: "file", name: "file",
fromLog: func(m map[string]string) ApparmorRule { fromLog: newFileFromLog,
return newFileFromLog(m) log: file1Log,
}, want: file1,
log: file1Log,
want: file1,
}, },
} }
for _, tt := range tests { for _, tt := range tests {
@ -125,8 +101,8 @@ func TestRule_FromLog(t *testing.T) {
func TestRule_Less(t *testing.T) { func TestRule_Less(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
rule ApparmorRule rule Rule
other ApparmorRule other Rule
want bool want bool
}{ }{
{ {
@ -299,8 +275,8 @@ func TestRule_Less(t *testing.T) {
func TestRule_Equals(t *testing.T) { func TestRule_Equals(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
rule ApparmorRule rule Rule
other ApparmorRule other Rule
want bool want bool
}{ }{
{ {

6
pkg/aa/signal.go
View file

@ -5,16 +5,16 @@
package aa package aa
type Signal struct { type Signal struct {
Rule RuleBase
Qualifier Qualifier
Access string Access string
Set string Set string
Peer string Peer string
} }
func newSignalFromLog(log map[string]string) *Signal { func newSignalFromLog(log map[string]string) Rule {
return &Signal{ return &Signal{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
Access: toAccess(log["requested_mask"]), Access: toAccess(log["requested_mask"]),
Set: log["signal"], Set: log["signal"],

6
pkg/aa/unix.go
View file

@ -5,7 +5,7 @@
package aa package aa
type Unix struct { type Unix struct {
Rule RuleBase
Qualifier Qualifier
Access string Access string
Type string Type string
@ -18,9 +18,9 @@ type Unix struct {
PeerAddr string PeerAddr string
} }
func newUnixFromLog(log map[string]string) *Unix { func newUnixFromLog(log map[string]string) Rule {
return &Unix{ return &Unix{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
Access: toAccess(log["requested_mask"]), Access: toAccess(log["requested_mask"]),
Type: log["sock_type"], Type: log["sock_type"],

6
pkg/aa/userns.go
View file

@ -5,14 +5,14 @@
package aa package aa
type Userns struct { type Userns struct {
Rule RuleBase
Qualifier Qualifier
Create bool Create bool
} }
func newUsernsFromLog(log map[string]string) *Userns { func newUsernsFromLog(log map[string]string) Rule {
return &Userns{ return &Userns{
Rule: newRuleFromLog(log), RuleBase: newRuleFromLog(log),
Qualifier: newQualifierFromLog(log), Qualifier: newQualifierFromLog(log),
Create: true, Create: true,
} }

4
pkg/logs/logs_test.go
View file

@ -303,13 +303,13 @@ func TestAppArmorLogs_ParseToProfiles(t *testing.T) {
Header: aa.Header{Name: "kmod"}, Header: aa.Header{Name: "kmod"},
Rules: aa.Rules{ Rules: aa.Rules{
&aa.Unix{ &aa.Unix{
Rule: aa.Rule{FileInherit: true}, RuleBase: aa.RuleBase{FileInherit: true},
Access: "send receive", Access: "send receive",
Type: "stream", Type: "stream",
Protocol: "0", Protocol: "0",
}, },
&aa.Unix{ &aa.Unix{
Rule: aa.Rule{FileInherit: true}, RuleBase: aa.RuleBase{FileInherit: true},
Access: "send receive", Access: "send receive",
Type: "stream", Type: "stream",
Protocol: "0", Protocol: "0",