{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}

{{- /* "profile" renders one AppArmor profile block from a parsed profile
       value: the optional header line ("profile <name> <attachments>
       xattrs=(...) flags=(...) {"), then every entry of .Rules, one rule
       per line, then the closing brace. It calls itself for nested
       profiles. Whitespace is controlled entirely by the {{- -}} trim
       markers, so the output depends on them being kept exactly as is.

       Field values (.Path, .Name, .Label, .Peer*, ...) are written into
       the rule text verbatim; nothing here escapes or validates them, so
       any sanitising of those values has to happen before this template
       is rendered (presumably in the parser - confirm).

       Template helpers used but defined elsewhere: typeof, join, indent,
       overindent, and the "include", "qualifier" and "comment"
       sub-templates. */ -}}
{{- define "profile" -}}

{{- /* Header line; skipped entirely when .Header is empty, in which case
       the closing brace at the bottom is skipped as well. */ -}}
{{- with .Header -}}
{{- "profile" -}}
{{- with .Name -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Attachments -}}
{{ " " }}{{ join . }}
{{- end -}}
{{- with .Attributes -}}
{{ " xattrs=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .Flags -}}
{{ " flags=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- "{\n" -}}
{{- end -}}

{{- /* Rule body. $oldtype tracks the previous rule's type so that a blank
       line is emitted whenever the rule type changes (but not before the
       first rule). */ -}}
{{- $oldtype := "" -}}
{{- range .Rules -}}
{{- $type := typeof . -}}
{{- /* A plain "Rule" entry stands for a blank separator line and is not
       counted as a type change (note that $oldtype is not updated). */ -}}
{{- if eq $type "Rule" -}}
{{- "\n" -}}
{{- continue -}}
{{- end -}}
{{- if and (ne $type $oldtype) (ne $oldtype "") -}}
{{- "\n" -}}
{{- end -}}
{{- /* Indentation for the current line; what indent "" produces is
       defined elsewhere (presumably the nesting-level indent). */ -}}
{{- indent "" -}}

{{- if eq $type "Include" -}}
{{ template "include" . }}
{{- end -}}

{{- if eq $type "Rlimit" -}}
{{ "set rlimit " }}{{ .Key }} {{ .Op }} {{ .Value }}{{ "," }}{{ template "comment" . }}
{{- end -}}

{{- /* NOTE(review): a Userns rule with .Create false prints nothing here,
       but the indent above and the "\n" at the bottom of the loop are
       still emitted, leaving a whitespace-only line - confirm intended. */ -}}
{{- if eq $type "Userns" -}}
{{- if .Create -}}
{{ template "qualifier" . }}{{ "userns," }}{{ template "comment" . }}
{{- end -}}
{{- end -}}

{{- if eq $type "Capability" -}}
{{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comment" . }}
{{- end -}}

{{- /* network [domain] [type | protocol], - .Type wins over .Protocol
       when both are set. */ -}}
{{- if eq $type "Network" -}}
{{- template "qualifier" . -}}
{{ "network" }}
{{- with .Domain -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Type -}}
{{ " " }}{{ . }}
{{- else -}}
{{- with .Protocol -}}
{{ " " }}{{ . }}
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* mount [fstype=..] [options=(..)] [source] [-> mountpoint], */ -}}
{{- if eq $type "Mount" -}}
{{- template "qualifier" . -}}
{{- "mount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .Source -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .MountPoint -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* umount [fstype=..] [options=(..)] [mountpoint], */ -}}
{{- if eq $type "Umount" -}}
{{- template "qualifier" . -}}
{{- "umount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .MountPoint -}}
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* remount [fstype=..] [options=(..)] [mountpoint], */ -}}
{{- if eq $type "Remount" -}}
{{- template "qualifier" . -}}
{{- "remount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .MountPoint -}}
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* pivot_root [oldroot=..] [newroot] [-> profile], */ -}}
{{- if eq $type "PivotRoot" -}}
{{- template "qualifier" . -}}
{{- "pivot_root" -}}
{{- with .OldRoot -}}
{{ " oldroot=" }}{{ . }}
{{- end -}}
{{- with .NewRoot -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .TargetProfile -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* change_profile [execmode] [exec] [-> profile], */ -}}
{{- if eq $type "ChangeProfile" -}}
{{- template "qualifier" . -}}
{{- "change_profile" -}}
{{- with .ExecMode -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Exec -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .ProfileName -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* mqueue [access] [type=..] [label=..] [name], */ -}}
{{- if eq $type "Mqueue" -}}
{{- template "qualifier" . -}}
{{- "mqueue" -}}
{{- with .Access -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Type -}}
{{ " type=" }}{{ . }}
{{- end -}}
{{- with .Label -}}
{{ " label=" }}{{ . }}
{{- end -}}
{{- with .Name -}}
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* unix [(access)] [type=..] [protocol=..] [addr=..] [label=..]
       [peer=(label=.., addr=..)],
       A combined peer=(label=.., addr=..) is written inline on the same
       line; a lone label or addr goes through overindent.
       NOTE(review): unlike the Dbus branch below, no explicit "\n" is
       emitted before the overindented peer=(...) part here - confirm
       that overindent supplies its own line break, otherwise the peer
       part is appended to the same line. */ -}}
{{- if eq $type "Unix" -}}
{{- template "qualifier" . -}}
{{- "unix" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Type -}}
{{ " type=" }}{{ . }}
{{- end -}}
{{- with .Protocol -}}
{{ " protocol=" }}{{ . }}
{{- end -}}
{{- with .Address -}}
{{ " addr=" }}{{ . }}
{{- end -}}
{{- with .Label -}}
{{ " label=" }}{{ . }}
{{- end -}}
{{- if and .PeerLabel .PeerAddr -}}
{{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr="}}{{ .PeerAddr }}{{ ")" }}
{{- else -}}
{{- with .PeerLabel -}}
{{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .PeerAddr -}}
{{ overindent "peer=(addr=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* ptrace [(access)] [peer=..], */ -}}
{{- if eq $type "Ptrace" -}}
{{- template "qualifier" . -}}
{{- "ptrace" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Peer -}}
{{ " peer=" }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* signal [(access)] [set=(..)] [peer=..], */ -}}
{{- if eq $type "Signal" -}}
{{- template "qualifier" . -}}
{{- "signal" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Set -}}
{{ " set=(" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Peer -}}
{{ " peer=" }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* dbus: "bind" rules are a single line (bus= and name=). All other
       accesses are written multi-line: access/bus/path on the first line,
       then interface=, member= and peer=(...) each on their own
       overindented line. The "\n" after path= is unconditional, so a rule
       with none of interface/member/peer still ends on a fresh line
       before the "," - confirm that is the intended layout. */ -}}
{{- if eq $type "Dbus" -}}
{{- template "qualifier" . -}}
{{- "dbus" -}}
{{- if eq .Access "bind" -}}
{{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
{{- else -}}
{{- with .Access -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Bus -}}
{{ " bus=" }}{{ . }}
{{- end -}}
{{- with .Path -}}
{{ " path=" }}{{ . }}
{{- end -}}
{{ "\n" }}
{{- with .Interface -}}
{{ overindent "interface=" }}{{ . }}{{ "\n" }}
{{- end -}}
{{- with .Member -}}
{{ overindent "member=" }}{{ . }}{{ "\n" }}
{{- end -}}
{{- if and .PeerName .PeerLabel -}}
{{ overindent "peer=(name=" }}{{ .PeerName }}{{ ", label="}}{{ .PeerLabel }}{{ ")" }}
{{- else -}}
{{- with .PeerName -}}
{{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .PeerLabel -}}
{{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* [owner] <path> [padding]<access> [-> target],
       .Padding is written as-is between the path and the access string;
       presumably alignment whitespace computed by the caller - confirm. */ -}}
{{- if eq $type "File" -}}
{{- template "qualifier" . -}}
{{- if .Owner -}}
{{- "owner " -}}
{{- end -}}
{{- .Path -}}
{{- " " -}}
{{- with .Padding -}}
{{ . }}
{{- end -}}
{{- .Access -}}
{{- with .Target -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}

{{- /* Nested profile: recurse with the sub-profile as the dot. */ -}}
{{- if eq $type "Profile" -}}
{{ template "profile" . }}
{{- end -}}

{{- /* Every non-"Rule" entry ends its line here, whatever its type. */ -}}
{{- "\n" -}}
{{- $oldtype = $type -}}
{{- end -}}

{{- /* Closing brace, only when a header line was opened above. */ -}}
{{- with .Header -}}
{{- "}\n" -}}
{{- end -}}
{{- end -}}