apparmor.d/pkg/prebuild/builder/userspace.go
Alexandre Pujol 59ac54e2fc
build: reorganise build: abi4, fallback, prebuild cli
- ABI4 by default, fallback to abi 3.
- aa-prebuild cli that can be used by other project shipping profiles.
- --file option to cli to only build one dev profile.
- add abi version filter to only & exclude directives.
2024-10-02 16:22:46 +01:00

62 lines
1.5 KiB
Go

// apparmor.d - Full set of apparmor profiles
// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
// SPDX-License-Identifier: GPL-2.0-only
package builder
import (
"fmt"
"regexp"
"strings"
"github.com/roddhjav/apparmor.d/pkg/aa"
"github.com/roddhjav/apparmor.d/pkg/prebuild"
)
const tokATTACHMENT = "@{exec_path}"
var (
regAttachments = regexp.MustCompile(`(profile .* ` + tokATTACHMENT + `)`)
)
type Userspace struct {
prebuild.Base
}
func init() {
RegisterBuilder(&Userspace{
Base: prebuild.Base{
Keyword: "userspace",
Msg: "Bypass userspace tools restriction",
},
})
}
func (b Userspace) Apply(opt *Option, profile string) (string, error) {
if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions")); ok {
return profile, nil
}
if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("tunables")); ok {
return profile, nil
}
f := aa.DefaultTunables()
if _, err := f.Parse(profile); err != nil {
return "", err
}
if len(f.GetDefaultProfile().Attachments) > 0 &&
f.GetDefaultProfile().Attachments[0] != tokATTACHMENT {
return "", fmt.Errorf("missing '%s' attachment", tokATTACHMENT)
}
if err := f.Resolve(); err != nil {
return "", err
}
matches := regAttachments.FindAllString(profile, -1)
if len(matches) > 0 {
att := f.GetDefaultProfile().GetAttachments()
strheader := strings.Replace(matches[0], tokATTACHMENT, att, -1)
return regAttachments.ReplaceAllLiteralString(profile, strheader), nil
}
return profile, nil
}