feat(aa-log): ensure rule access is always present.

2025-01-31 07:17:22 +01:00 · 2024-02-29 00:19:26 +00:00 · 2024-02-29 00:19:26 +00:00 · e3daaf3d4c
commit e3daaf3d4c
parent 45a6e0bf21
6 changed files with 25 additions and 38 deletions
--- a/pkg/aa/file.go
+++ b/pkg/aa/file.go
@ -15,7 +15,7 @@ func FileFromLog(log map[string]string) ApparmorRule {
 	return &File{
 		Qualifier: NewQualifierFromLog(log),
 		Path:      log["name"],
-		Access:    maskToAccess[log["requested_mask"]],
+		Access:    toAccess(log["requested_mask"]),
 		Target:    log["target"],
 	}
 }
--- a/pkg/aa/mqueue.go
+++ b/pkg/aa/mqueue.go
@ -23,7 +23,7 @@ func MqueueFromLog(log map[string]string) ApparmorRule {
 	}
 	return &Mqueue{
 		Qualifier: NewQualifierFromLog(log),
-		Access:    maskToAccess[log["requested"]],
+		Access:    toAccess(log["requested"]),
 		Type:      mqueueType,
 		Label:     log["label"],
 		Name:      log["name"],
--- a/pkg/aa/ptrace.go
+++ b/pkg/aa/ptrace.go
@ -13,7 +13,7 @@ type Ptrace struct {
 func PtraceFromLog(log map[string]string) ApparmorRule {
 	return &Ptrace{
 		Qualifier: NewQualifierFromLog(log),
-		Access:    maskToAccess[log["requested_mask"]],
+		Access:    toAccess(log["requested_mask"]),
 		Peer:      log["peer"],
 	}
 }
--- a/pkg/aa/signal.go
+++ b/pkg/aa/signal.go
@ -14,7 +14,7 @@ type Signal struct {
 func SignalFromLog(log map[string]string) ApparmorRule {
 	return &Signal{
 		Qualifier: NewQualifierFromLog(log),
-		Access:    maskToAccess[log["requested_mask"]],
+		Access:    toAccess(log["requested_mask"]),
 		Set:       log["signal"],
 		Peer:      log["peer"],
 	}
--- a/pkg/aa/template.go
+++ b/pkg/aa/template.go
@ -30,39 +30,19 @@ var (
 	tmplAppArmorProfile = generateTemplate()

 	// convert apparmor requested mask to apparmor access mode
-	// TODO: Should be a map of slice, not exhaustive yet
-	maskToAccess = map[string]string{
-		"a":            "w",
-		"ac":           "w",
-		"c":            "w",
-		"create":       "create",
-		"d":            "w",
-		"delete":       "delete",
-		"getattr":      "getattr",
-		"k":            "k",
-		"l":            "l",
-		"m":            "rm",
-		"open":         "open",
-		"r":            "r",
-		"ra":           "rw",
-		"read write":   "read write",
-		"read":         "read",
-		"readby":       "readby",
-		"receive":      "receive",
-		"rm":           "rm",
-		"rw":           "rw",
-		"send receive": "send receive",
-		"send":         "send",
-		"setattr":      "setattr",
-		"w":            "w",
-		"wc":           "w",
-		"wd":           "w",
-		"wk":           "wk",
-		"wr":           "rw",
-		"wrc":          "rw",
-		"wrd":          "rw",
-		"write":        "write",
-		"x":            "rix",
+	requestedMaskToAccess = map[string]string{
+		"a":   "w",
+		"ac":  "w",
+		"c":   "w",
+		"d":   "w",
+		"m":   "rm",
+		"ra":  "rw",
+		"wc":  "w",
+		"wd":  "w",
+		"wr":  "rw",
+		"wrc": "rw",
+		"wrd": "rw",
+		"x":   "rix",
 	}

 	// The order the apparmor rules should be sorted
@ -168,3 +148,10 @@ func getLetterIn(alphabet []string, in string) string {
 	}
 	return ""
 }
+
+func toAccess(mask string) string {
+	if requestedMaskToAccess[mask] != "" {
+		return requestedMaskToAccess[mask]
+	}
+	return mask
+}
--- a/pkg/aa/unix.go
+++ b/pkg/aa/unix.go
@ -20,7 +20,7 @@ type Unix struct {
 func UnixFromLog(log map[string]string) ApparmorRule {
 	return &Unix{
 		Qualifier: NewQualifierFromLog(log),
-		Access:    maskToAccess[log["requested_mask"]],
+		Access:    toAccess(log["requested_mask"]),
 		Type:      log["sock_type"],
 		Protocol:  log["protocol"],
 		Address:   log["addr"],