{{- /* apparmor.d - Full set of apparmor profiles */ -}} {{- /* Copyright (C) 2021-2023 Alexandre Pujol */ -}} {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- range .Abi -}} {{- if .IsMagic -}} {{ "abi <" }}{{ .Path }}{{ ">,\n" }} {{- else -}} {{ "abi \"" }}{{ .Path }}{{ "\",\n" }} {{- end }} {{ end -}} {{- range .Aliases -}} {{ "alias " }}{{ .Path }}{{ " -> " }}{{ .RewrittenPath }}{{ ",\n" }} {{ end -}} {{- range .Includes -}} {{- "include " -}} {{- if .IfExists -}} {{- "if exists " -}} {{- end -}} {{- if .IsMagic -}} {{ "<" }}{{ .Path }}{{ ">,\n" }} {{- else -}} {{ "\"" }}{{ .Path }}{{ "\",\n" }} {{- end }} {{ end -}} {{- range .Variables -}} {{ "@{" }}{{ .Name }}{{ "} = " }} {{- range .Values -}} {{ . }}{{ " " }} {{- end }} {{ end -}} {{- "profile " -}} {{- with .Name -}} {{ . }}{{ " " }} {{- end -}} {{- with .Attachments -}} {{ join . }}{{ " " }} {{- end -}} {{- with .Attributes -}} {{ "xattrs=(" }}{{ join . }}{{ ") " }} {{- end -}} {{- with .Flags -}} {{ "flags=(" }}{{ join . }}{{ ") " }} {{- end -}} {{ "{\n" }} {{- $oldtype := "" -}} {{- range .Rules -}} {{- $type := typeof . -}} {{- if and (ne $type $oldtype) (ne $oldtype "") -}} {{- "\n" -}} {{- end -}} {{- indent "" -}} {{- if eq $type "Include" -}} {{- "include " -}} {{- if .IfExists -}} {{ "if exists " }} {{- end -}} {{- if .IsMagic -}} {{ "<" }}{{ .Path }}{{ ">" }} {{- else -}} {{ "\"" }}{{ .Path }}{{ "\"" }} {{- end -}} {{- end -}} {{- if eq $type "Rlimit" -}} {{ "set rlimit " }}{{ .Key }} {{ .Op }} {{ .Value }}{{ "," }} {{- end -}} {{- if eq $type "Capability" -}} {{ "capability " }}{{ .Name }}{{ "," }} {{- end -}} {{- if eq $type "Network" -}} {{- if eq .AccessType "deny" -}} {{ "deny " }} {{- end -}} {{ "network " }} {{- with .Domain -}} {{ . }}{{ " " }} {{- end -}} {{- with .Type -}} {{ . }} {{- else -}} {{- with .Protocol -}} {{ . }} {{- end -}} {{- end -}} {{- "," -}} {{- end -}} {{- if eq $type "Mount" -}} {{- "mount " -}} {{- with .FsType -}} {{ "fstype=" }}{{ . }}{{ " " }} {{- end -}} {{- with .Options -}} {{ "options=(" }}{{ join . }}{{ ") " }} {{- end -}} {{- with .Source -}} {{ . }}{{ " " }} {{- end -}} {{- with .MountPoint -}} {{ "-> " }}{{ . }} {{- end -}} {{- "," -}} {{- end -}} {{- if eq $type "Umount" -}} {{- "umount " -}} {{- with .FsType -}} {{ "fstype=" }}{{ . }}{{ " " }} {{- end -}} {{- with .Options -}} {{ "options=(" }}{{ join . }}{{ ") " }} {{- end -}} {{- with .MountPoint -}} {{ . }} {{- end -}} {{- "," -}} {{- end -}} {{- if eq $type "Remount" -}} {{- "remount " -}} {{- with .FsType -}} {{ "fstype=" }}{{ . }}{{ " " }} {{- end -}} {{- with .Options -}} {{ "options=(" }}{{ join . }}{{ ") " }} {{- end -}} {{- with .Remount -}} {{ . }} {{- end -}} {{- "," -}} {{- end -}} {{- if eq $type "Unix" -}} {{- "unix " -}} {{- with .Access -}} {{ "(" }}{{ . }}{{ ") " }} {{- end -}} {{- with .Type -}} {{ "type=" }}{{ . }}{{ " " }} {{- end -}} {{- with .Address -}} {{ "addr=" }}{{ . }}{{ " " }} {{- end -}} {{- if .Peer -}} {{ "peer=(label=" }}{{ .Peer }} {{- with .PeerAddr -}} {{ ", addr="}}{{ . }} {{- end -}} {{- ")" -}} {{- end -}} {{- "," -}} {{- end -}} {{- if eq $type "Ptrace" -}} {{- "ptrace " -}} {{- with .Access -}} {{ "(" }}{{ . }}{{ ") " }} {{- end -}} {{- with .Peer -}} {{ "peer=" }}{{ . }} {{- end -}} {{- "," -}} {{- end -}} {{- if eq $type "Signal" -}} {{- "signal " -}} {{- with .Access -}} {{ "(" }}{{ . }}{{ ") " }} {{- end -}} {{- with .Set -}} {{ "set=(" }}{{ . }}{{ ") " }} {{- end -}} {{- with .Peer -}} {{ "peer=" }}{{ . }} {{- end -}} {{- "," -}} {{- end -}} {{- if eq $type "Dbus" -}} {{- "dbus " -}} {{- if eq .Access "bind" -}} bind bus={{ .Bus }} name={{ .Name }} {{- else -}} {{ .Access }} bus={{ .Bus }} path={{ .Path }}{{ "\n" }} {{- with .Interface -}} {{ overindent "interface=" }}{{ . }}{{ "\n" }} {{- end -}} {{- with .Member -}} {{ overindent "member=" }}{{ . }}{{ " " }}{{ "\n" }} {{- end -}} {{- if and .Name .Label -}} {{ overindent "peer=(name=" }}{{ .Name }}{{ ", label="}}{{ .Label }}{{ ")" }} {{- else -}} {{- with .Name -}} {{ overindent "peer=(name=" }}{{ . }}{{ ")" }} {{- end -}} {{- with .Label -}} {{ overindent "peer=(label=" }}{{ . }}{{ ")" }} {{- end -}} {{- end -}} {{- end -}} {{- "," -}} {{- end -}} {{- if eq $type "File" -}} {{- if .Owner -}} {{- "owner " -}} {{- end -}} {{ .Path }}{{ " " }}{{ .Access }} {{- with .Target -}} {{ " -> " }}{{ . }} {{- end -}} {{- "," -}} {{- if .FileInherit -}} {{- " # file_inherit" -}} {{- end -}} {{- if .NoNewPrivs -}} {{- " # no new privs" -}} {{- end -}} {{- end -}} {{- "\n" -}} {{- $oldtype = $type -}} {{- end -}} {{- "}\n" -}}