mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 08:58:15 +01:00
62 lines
1.8 KiB
Go
62 lines
1.8 KiB
Go
// apparmor.d - Full set of apparmor profiles
|
|
// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
package directive
|
|
|
|
import (
|
|
"fmt"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
|
|
"github.com/roddhjav/apparmor.d/pkg/util"
|
|
)
|
|
|
|
var (
|
|
regRules = regexp.MustCompile(`(?m)^profile.*{$((.|\n)*)}`)
|
|
regEndOfRules = regexp.MustCompile(`(?m)([\t ]*include if exists <.*>\n)+}`)
|
|
regCleanStakedRules = util.ToRegexRepl([]string{
|
|
`(?m)^.*include <abstractions/base>.*$`, ``, // Remove mandatory base abstraction
|
|
`(?m)^.*@{exec_path}.*$`, ``, // Remove entry point
|
|
`(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove transition rules
|
|
`(?m)^(?:[\t ]*(?:\r?\n))+`, ``, // Remove empty lines
|
|
})
|
|
)
|
|
|
|
type Stack struct {
|
|
cfg.Base
|
|
}
|
|
|
|
func init() {
|
|
RegisterDirective(&Stack{
|
|
Base: cfg.Base{
|
|
Keyword: "stack",
|
|
Msg: "Stack directive applied",
|
|
Help: Keyword + `stack profiles...`,
|
|
},
|
|
})
|
|
}
|
|
|
|
func (s Stack) Apply(opt *Option, profile string) (string, error) {
|
|
res := ""
|
|
for name := range opt.ArgMap {
|
|
stackedProfile := util.MustReadFile(cfg.RootApparmord.Join(name))
|
|
m := regRules.FindStringSubmatch(stackedProfile)
|
|
if len(m) < 2 {
|
|
return "", fmt.Errorf("No profile found in %s", name)
|
|
}
|
|
stackedRules := m[1]
|
|
stackedRules = regCleanStakedRules.Replace(stackedRules)
|
|
res += " # Stacked profile: " + name + "\n" + stackedRules + "\n"
|
|
}
|
|
|
|
// Insert the stacked profile at the end of the current profile, remove the stack directive
|
|
m := regEndOfRules.FindStringSubmatch(profile)
|
|
if len(m) <= 1 {
|
|
return "", fmt.Errorf("No end of rules found in %s", opt.File)
|
|
}
|
|
profile = strings.Replace(profile, m[0], res+m[0], -1)
|
|
profile = strings.Replace(profile, opt.Raw, "", -1)
|
|
return profile, nil
|
|
}
|