build: add the ability to set enforce all profiles.
Do not do that!!! It forces ALL profiles in enforce mode.
This commit is contained in:
parent
7c24dde028
commit
cad27a3f78
4 changed files with 45 additions and 6 deletions
|
@ -13,20 +13,22 @@ import (
|
|||
"github.com/roddhjav/apparmor.d/pkg/prebuild"
|
||||
)
|
||||
|
||||
const usage = `prebuild [-h] [--full] [--complain]
|
||||
const usage = `prebuild [-h] [--full] [--complain | --enforce]
|
||||
|
||||
Internal tool to prebuild apparmor.d profiles for a given distribution.
|
||||
Prebuild apparmor.d profiles for a given distribution.
|
||||
|
||||
Options:
|
||||
-h, --help Show this help message and exit.
|
||||
-f, --full Set AppArmor for full system policy.
|
||||
-c, --complain Set complain flag on all profiles.
|
||||
-e, --enforce Set enforce flag on all profiles.
|
||||
`
|
||||
|
||||
var (
|
||||
help bool
|
||||
full bool
|
||||
complain bool
|
||||
enforce bool
|
||||
)
|
||||
|
||||
func init() {
|
||||
|
@ -36,6 +38,8 @@ func init() {
|
|||
flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.")
|
||||
flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.")
|
||||
flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.")
|
||||
flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.")
|
||||
flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.")
|
||||
}
|
||||
|
||||
func aaPrebuild() error {
|
||||
|
@ -46,6 +50,8 @@ func aaPrebuild() error {
|
|||
}
|
||||
if complain {
|
||||
prebuild.Builds = append(prebuild.Builds, prebuild.BuildComplain)
|
||||
} else if enforce {
|
||||
prebuild.Builds = append(prebuild.Builds, prebuild.BuildEnforce)
|
||||
}
|
||||
|
||||
if err := prebuild.Prepare(); err != nil {
|
||||
|
@ -60,6 +66,8 @@ func aaPrebuild() error {
|
|||
logging.Bullet("Bypass userspace tools restriction")
|
||||
if complain {
|
||||
logging.Bullet("Set complain flag on all profiles")
|
||||
} else if enforce {
|
||||
logging.Bullet("All profiles have been enforced")
|
||||
}
|
||||
return nil
|
||||
}
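Review bot: The `--complain | --enforce` usage text promises the two options are mutually exclusive, but nothing enforces that: `if complain { … } else if enforce { … }` silently drops `--enforce` whenever `--complain` is also set, and the later bullet reports "Set complain flag on all profiles" without any hint that the enforce request was ignored. Rejecting the combination up front in aaPrebuild, e.g. `if complain && enforce { return errors.New("--complain and --enforce are mutually exclusive") }` (or `fmt.Errorf`, whichever this file already imports — the import block is cut off at the top of the hunk), keeps the tool's behaviour in line with its documentation. Given the commit message's own warning about what `--enforce` does, the flag help `"Set enforce flag on all profiles."` could also say that it strips `complain` from every profile, so a user reading `-h` gets the same caution. aaPrebuild begins outside this hunk.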
|
||||
|
|
|
@ -19,7 +19,7 @@ var Builds = []BuildFunc{
|
|||
|
||||
var (
|
||||
regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
|
||||
regFlagComplain = regexp.MustCompile(`flags=\(([^)]+)\)`)
|
||||
regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`)
|
||||
regProfileHeader = regexp.MustCompile(` {`)
|
||||
)
|
||||
|
||||
|
@ -28,7 +28,7 @@ type BuildFunc func(string) string
|
|||
// Set complain flag on all profiles
|
||||
func BuildComplain(profile string) string {
|
||||
flags := []string{}
|
||||
matches := regFlagComplain.FindStringSubmatch(profile)
|
||||
matches := regFlags.FindStringSubmatch(profile)
|
||||
if len(matches) != 0 {
|
||||
flags = strings.Split(matches[1], ",")
|
||||
if slices.Contains(flags, "complain") {
|
||||
|
@ -39,7 +39,30 @@ func BuildComplain(profile string) string {
|
|||
strFlags := " flags=(" + strings.Join(flags, ",") + ") {"
|
||||
|
||||
// Remove all flags definition, then set manifest' flags
|
||||
profile = regFlagComplain.ReplaceAllLiteralString(profile, "")
|
||||
profile = regFlags.ReplaceAllLiteralString(profile, "")
|
||||
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
|
||||
}
|
||||
|
||||
// Set all profiles in enforce mode
|
||||
func BuildEnforce(profile string) string {
|
||||
matches := regFlags.FindStringSubmatch(profile)
|
||||
if len(matches) == 0 {
|
||||
return profile
|
||||
}
|
||||
|
||||
flags := strings.Split(matches[1], ",")
|
||||
idx := slices.Index(flags, "complain")
|
||||
if idx == -1 {
|
||||
return profile
|
||||
}
|
||||
flags = slices.Delete(flags, idx, idx+1)
|
||||
strFlags := "{"
|
||||
if len(flags) >= 1 {
|
||||
strFlags = " flags=(" + strings.Join(flags, ",") + ") {"
|
||||
}
|
||||
|
||||
// Remove all flags definition, then set new flags
|
||||
profile = regFlags.ReplaceAllLiteralString(profile, "")
|
||||
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
|
||||
}
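Review bot: `slices.Index(flags, "complain")` in BuildEnforce (and `slices.Contains` in BuildComplain above it) matches the split entries verbatim, so a flag list written as `flags=(attach_disconnected, complain)` — with a space after the comma, which I believe the AppArmor parser accepts — yields the entry `" complain"`, the lookup returns -1, and the profile is returned untouched while the run still logs "All profiles have been enforced". Trimming each entry after the split, `for i := range flags { flags[i] = strings.TrimSpace(flags[i]) }`, removes that silent miss. Separately, BuildEnforce inherits BuildComplain's approach of replacing every ` {` in the file with strFlags, so in a file with several profiles or hats the first profile's (now complain-less) flags are stamped onto every header; if that is intended, the `// Set all profiles in enforce mode` comment could say so, e.g. `// Remove the complain flag from the first flags=(…) found and apply the resulting flag list to every profile header in the file`.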
|
||||
|
||||
|
|
|
@ -28,6 +28,7 @@ func Test_PreBuild(t *testing.T) {
|
|||
wantErr bool
|
||||
full bool
|
||||
complain bool
|
||||
enforce bool
|
||||
dist string
|
||||
}{
|
||||
{
|
||||
|
@ -35,6 +36,7 @@ func Test_PreBuild(t *testing.T) {
|
|||
wantErr: false,
|
||||
full: false,
|
||||
complain: true,
|
||||
enforce: false,
|
||||
dist: "arch",
|
||||
},
|
||||
{
|
||||
|
@ -42,6 +44,7 @@ func Test_PreBuild(t *testing.T) {
|
|||
wantErr: false,
|
||||
full: true,
|
||||
complain: false,
|
||||
enforce: true,
|
||||
dist: "ubuntu",
|
||||
},
|
||||
{
|
||||
|
@ -49,6 +52,7 @@ func Test_PreBuild(t *testing.T) {
|
|||
wantErr: false,
|
||||
full: true,
|
||||
complain: false,
|
||||
enforce: false,
|
||||
dist: "debian",
|
||||
},
|
||||
{
|
||||
|
@ -56,6 +60,7 @@ func Test_PreBuild(t *testing.T) {
|
|||
wantErr: false,
|
||||
full: true,
|
||||
complain: true,
|
||||
enforce: false,
|
||||
dist: "opensuse",
|
||||
},
|
||||
// {
|
||||
|
@ -76,6 +81,9 @@ func Test_PreBuild(t *testing.T) {
|
|||
if tt.complain {
|
||||
Builds = append(Builds, BuildComplain)
|
||||
}
|
||||
if tt.enforce {
|
||||
Builds = append(Builds, BuildEnforce)
|
||||
}
|
||||
if err := Prepare(); (err != nil) != tt.wantErr {
|
||||
t.Errorf("Prepare() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
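Review bot: The new `enforce` cases only check that `Prepare()` returns no error after `Builds = append(Builds, BuildEnforce)`; nothing asserts what BuildEnforce actually produces, so a regression that leaves `complain` in place would pass this test. A small table test calling BuildEnforce directly would pin it: `profile foo flags=(complain) {` (expect `profile foo {`), a mixed list such as `flags=(attach_disconnected,complain)` (expect `flags=(attach_disconnected)` remaining), and a header with no flags (expect it unchanged). Note when writing the expected strings that removing the old `flags=(…)` literal before re-inserting the new one leaves two spaces before `flags=` in the mixed case, which the test should either accept explicitly or prompt a trim in the builder. Test_PreBuild begins and ends outside this hunk.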
|
||||
|
|
|
@ -161,7 +161,7 @@ func SetFlags() error {
|
|||
}
|
||||
|
||||
// Remove all flags definition, then set manifest' flags
|
||||
res := regFlagComplain.ReplaceAllLiteralString(string(content), "")
|
||||
res := regFlags.ReplaceAllLiteralString(string(content), "")
|
||||
res = regProfileHeader.ReplaceAllLiteralString(res, flags)
|
||||
if err := file.WriteFile([]byte(res)); err != nil {
|
||||
return err
|
||||
|
|