build: add the ability to set enforce all profiles.

Do not do that!!! It forces ALL profiles in enforce mode.
2024-11-14 23:43:56 +01:00 · 2023-09-05 19:44:36 +01:00 · 2023-09-05 19:44:36 +01:00 · cad27a3f78
commit cad27a3f78
parent 7c24dde028
4 changed files with 45 additions and 6 deletions
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@ -13,20 +13,22 @@ import (
 	"github.com/roddhjav/apparmor.d/pkg/prebuild"
 )

-const usage = `prebuild [-h] [--full] [--complain]
+const usage = `prebuild [-h] [--full] [--complain | --enforce]

-    Internal tool to prebuild apparmor.d profiles for a given distribution.
+    Prebuild apparmor.d profiles for a given distribution.

 Options:
    -h, --help      Show this help message and exit.
    -f, --full      Set AppArmor for full system policy.
    -c, --complain  Set complain flag on all profiles.
+    -e, --enforce   Set enforce flag on all profiles.
 `

 var (
 	help     bool
 	full     bool
 	complain bool
+	enforce  bool
 )

 func init() {
@ -36,6 +38,8 @@ func init() {
 	flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.")
 	flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.")
 	flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.")
+	flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.")
+	flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.")
 }

 func aaPrebuild() error {
@ -46,6 +50,8 @@ func aaPrebuild() error {
 	}
 	if complain {
 		prebuild.Builds = append(prebuild.Builds, prebuild.BuildComplain)
+	} else if enforce {
+		prebuild.Builds = append(prebuild.Builds, prebuild.BuildEnforce)
 	}

 	if err := prebuild.Prepare(); err != nil {
@ -60,6 +66,8 @@ func aaPrebuild() error {
 	logging.Bullet("Bypass userspace tools restriction")
 	if complain {
 		logging.Bullet("Set complain flag on all profiles")
+	} else if enforce {
+		logging.Bullet("All profiles have been enforced")
 	}
 	return nil
 }
--- a/pkg/prebuild/build.go
+++ b/pkg/prebuild/build.go
@ -19,7 +19,7 @@ var Builds = []BuildFunc{

 var (
 	regAttachments   = regexp.MustCompile(`(profile .* @{exec_path})`)
-	regFlagComplain  = regexp.MustCompile(`flags=\(([^)]+)\)`)
+	regFlags         = regexp.MustCompile(`flags=\(([^)]+)\)`)
 	regProfileHeader = regexp.MustCompile(` {`)
 )

@ -28,7 +28,7 @@ type BuildFunc func(string) string
 // Set complain flag on all profiles
 func BuildComplain(profile string) string {
 	flags := []string{}
-	matches := regFlagComplain.FindStringSubmatch(profile)
+	matches := regFlags.FindStringSubmatch(profile)
 	if len(matches) != 0 {
 		flags = strings.Split(matches[1], ",")
 		if slices.Contains(flags, "complain") {
@ -39,7 +39,30 @@ func BuildComplain(profile string) string {
 	strFlags := " flags=(" + strings.Join(flags, ",") + ") {"

 	// Remove all flags definition, then set manifest' flags
-	profile = regFlagComplain.ReplaceAllLiteralString(profile, "")
+	profile = regFlags.ReplaceAllLiteralString(profile, "")
+	return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
+}
+
+// Set all profiles in enforce mode
+func BuildEnforce(profile string) string {
+	matches := regFlags.FindStringSubmatch(profile)
+	if len(matches) == 0 {
+		return profile
+	}
+
+	flags := strings.Split(matches[1], ",")
+	idx := slices.Index(flags, "complain")
+	if idx == -1 {
+		return profile
+	}
+	flags = slices.Delete(flags, idx, idx+1)
+	strFlags := "{"
+	if len(flags) >= 1 {
+		strFlags = " flags=(" + strings.Join(flags, ",") + ") {"
+	}
+
+	// Remove all flags definition, then set new flags
+	profile = regFlags.ReplaceAllLiteralString(profile, "")
 	return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
 }

--- a/pkg/prebuild/prebuild_test.go
+++ b/pkg/prebuild/prebuild_test.go
@ -28,6 +28,7 @@ func Test_PreBuild(t *testing.T) {
 		wantErr  bool
 		full     bool
 		complain bool
+		enforce  bool
 		dist     string
 	}{
 		{
@ -35,6 +36,7 @@ func Test_PreBuild(t *testing.T) {
 			wantErr:  false,
 			full:     false,
 			complain: true,
+			enforce:  false,
 			dist:     "arch",
 		},
 		{
@ -42,6 +44,7 @@ func Test_PreBuild(t *testing.T) {
 			wantErr:  false,
 			full:     true,
 			complain: false,
+			enforce:  true,
 			dist:     "ubuntu",
 		},
 		{
@ -49,6 +52,7 @@ func Test_PreBuild(t *testing.T) {
 			wantErr:  false,
 			full:     true,
 			complain: false,
+			enforce:  false,
 			dist:     "debian",
 		},
 		{
@ -56,6 +60,7 @@ func Test_PreBuild(t *testing.T) {
 			wantErr:  false,
 			full:     true,
 			complain: true,
+			enforce:  false,
 			dist:     "opensuse",
 		},
 		// {
@ -76,6 +81,9 @@ func Test_PreBuild(t *testing.T) {
 			if tt.complain {
 				Builds = append(Builds, BuildComplain)
 			}
+			if tt.enforce {
+				Builds = append(Builds, BuildEnforce)
+			}
 			if err := Prepare(); (err != nil) != tt.wantErr {
 				t.Errorf("Prepare() error = %v, wantErr %v", err, tt.wantErr)
 			}
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@ -161,7 +161,7 @@ func SetFlags() error {
 				}

 				// Remove all flags definition, then set manifest' flags
-				res := regFlagComplain.ReplaceAllLiteralString(string(content), "")
+				res := regFlags.ReplaceAllLiteralString(string(content), "")
 				res = regProfileHeader.ReplaceAllLiteralString(res, flags)
 				if err := file.WriteFile([]byte(res)); err != nil {
 					return err