From e38f5b46374028143af70c27e120ee8b0f33c22d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 25 May 2024 21:56:28 +0100
Subject: [PATCH] feat(aa): add the link rule.

---
 pkg/aa/file.go                | 81 +++++++++++++++++++++++++++++------
 pkg/aa/templates/rule/file.j2 | 20 ++++++++-
 pkg/aa/templates/rules.j2     |  4 ++
 3 files changed, 92 insertions(+), 13 deletions(-)

diff --git a/pkg/aa/file.go b/pkg/aa/file.go
index 4facc57a..330ec6a5 100644
--- a/pkg/aa/file.go
+++ b/pkg/aa/file.go
@@ -10,11 +10,12 @@ import (
 )
 
 const (
-	tokLINK  = "link"
-	tokOWNER = "owner"
+	tokLINK   = "link"
+	tokFILE   = "file"
+	tokOWNER  = "owner"
+	tokSUBSET = "subset"
 )
 
-
 type File struct {
 	RuleBase
 	Qualifier
@@ -25,17 +26,10 @@ type File struct {
 }
 
 func newFileFromLog(log map[string]string) Rule {
-	owner := false
-	fsuid, hasFsUID := log["fsuid"]
-	ouid, hasOuUID := log["ouid"]
-	isDbus := strings.Contains(log["operation"], "dbus")
-	if hasFsUID && hasOuUID && fsuid == ouid && ouid != "0" && !isDbus {
-		owner = true
-	}
 	return &File{
 		RuleBase:  newRuleFromLog(log),
 		Qualifier: newQualifierFromLog(log),
-		Owner:     owner,
+		Owner:     isOwner(log),
 		Path:      log["name"],
 		Access:    toAccess("file-log", log["requested_mask"]),
 		Target:    log["target"],
@@ -79,5 +73,68 @@ func (r *File) Constraint() constraint {
 }
 
 func (r *File) Kind() string {
-	return "file"
+	return tokFILE
+}
+
+type Link struct {
+	RuleBase
+	Qualifier
+	Owner  bool
+	Subset bool
+	Path   string
+	Target string
+}
+
+func newLinkFromLog(log map[string]string) Rule {
+	return &Link{
+		RuleBase:  newRuleFromLog(log),
+		Qualifier: newQualifierFromLog(log),
+		Owner:     isOwner(log),
+		Path:      log["name"],
+		Target:    log["target"],
+	}
+}
+func (r *Link) Less(other any) bool {
+	o, _ := other.(*Link)
+	if r.Path != o.Path {
+		return r.Path < o.Path
+	}
+	if r.Target != o.Target {
+		return r.Target < o.Target
+	}
+	if o.Owner != r.Owner {
+		return r.Owner
+	}
+	if r.Subset != o.Subset {
+		return r.Subset
+	}
+	return r.Qualifier.Less(o.Qualifier)
+}
+
+func (r *Link) Equals(other any) bool {
+	o, _ := other.(*Link)
+	return r.Subset == o.Subset && r.Owner == o.Owner && r.Path == o.Path &&
+		r.Target == o.Target && r.Qualifier.Equals(o.Qualifier)
+}
+
+func (r *Link) String() string {
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Link) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Link) Kind() string {
+	return tokLINK
+}
+
+func isOwner(log map[string]string) bool {
+	fsuid, hasFsUID := log["fsuid"]
+	ouid, hasOuUID := log["ouid"]
+	isDbus := strings.Contains(log["operation"], "dbus")
+	if hasFsUID && hasOuUID && fsuid == ouid && ouid != "0" && !isDbus {
+		return true
+	}
+	return false
 }
diff --git a/pkg/aa/templates/rule/file.j2 b/pkg/aa/templates/rule/file.j2
index 0021a874..57536d8d 100644
--- a/pkg/aa/templates/rule/file.j2
+++ b/pkg/aa/templates/rule/file.j2
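Review bot: `Less` and `Equals` on `*Link` discard the second result of `other.(*Link)`, so comparing a Link against any other Rule kind leaves `o` nil and the first field access (`o.Path` in Less, `o.Subset` in Equals) panics instead of reporting the rules as unordered or unequal; guard both with `o, ok := other.(*Link)` followed by `if !ok { return false }` before touching `o`. `newLinkFromLog` also never sets `Subset`, so every rule produced from an audit log is the plain `link` form without the extra subset constraint; if the audit record cannot carry that information, document it on the constructor, e.g. `// Subset cannot be derived from the audit log; log-generated link rules are emitted in the plain form.`, otherwise populate it. As a point of style, `newLinkFromLog` and `Less` are not separated by a blank line, unlike every other pair of functions in the hunk.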
@@ -20,4 +20,22 @@
     {{- end -}}
     {{- "," -}}
     {{- template "comment" . -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{- define "link" -}}
+    {{- template "qualifier" . -}}
+    {{- if .Owner -}}
+        {{- "owner " -}}
+    {{- end -}}
+    {{- "link " -}}
+    {{- if .Subset -}}
+        {{- "subset " -}}
+    {{- end -}}
+    {{- .Path -}}
+    {{- " " -}}
+    {{- with .Target -}}
+        {{ " -> " }}{{ . }}
+    {{- end -}}
+    {{- "," -}}
+    {{- template "comment" . -}}
+{{- end -}}
diff --git a/pkg/aa/templates/rules.j2 b/pkg/aa/templates/rules.j2
index f2099334..4b66ab38 100644
--- a/pkg/aa/templates/rules.j2
+++ b/pkg/aa/templates/rules.j2
@@ -106,6 +106,10 @@
     {{- template "file" . -}}
     {{- end -}}
 
+    {{- if eq $type "Link" -}}
+    {{- template "link" . -}}
+    {{- end -}}
+
     {{- if eq $type "Profile" -}}
     {{- template "profile" . -}}
     {{- end -}}
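Review bot: The new `link` template renders two spaces before the arrow, because the unconditional `{{- " " -}}` after `.Path` is immediately followed by `{{ " -> " }}` inside the `with` block, giving `link /a  -> /b,`; and when `Target` is empty the `with` is skipped and the output is `link /a ,`, which as far as I recall is not a valid AppArmor link rule since the target is mandatory. Drop the `{{- " " -}}` line and emit the arrow unconditionally as `{{- " -> " -}}{{- .Target -}}` so a missing target shows up as an obviously malformed rule rather than a silently truncated one, or better, reject an empty target where the Link is built. The literals `"owner "` and `"subset "` also duplicate the `tokOWNER`/`tokSUBSET` constants introduced in file.go, so the keyword spelling now lives in two places.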