feat(aa): add support for advanced network rule.

pkg/aa/network.go

@@ -33,34 +33,54 @@ func init() {
 	}
 }
 
-type AddressExpr struct {
+type LocalAddress struct {
-	Source      string
+	IP   string
-	Destination string
+	Port string
-	Port        string
 }
 
-func newAddressExprFromLog(log map[string]string) AddressExpr {
+func newLocalAddressFromLog(log map[string]string) LocalAddress {
-	return AddressExpr{
+	return LocalAddress{
-		Source:      log["laddr"],
+		IP:   log["laddr"],
-		Destination: log["faddr"],
+		Port: log["lport"],
-		Port:        log["lport"],
 	}
 }
 
-func (r AddressExpr) Compare(other AddressExpr) int {
+func (r LocalAddress) Compare(other LocalAddress) int {
-	if res := compare(r.Source, other.Source); res != 0 {
+	if res := compare(r.IP, other.IP); res != 0 {
-		return res
-	}
-	if res := compare(r.Destination, other.Destination); res != 0 {
 		return res
 	}
 	return compare(r.Port, other.Port)
 }
 
+type PeerAddress struct {
+	IP   string
+	Port string
+	Src  string
+}
+
+func newPeerAddressFromLog(log map[string]string) PeerAddress {
+	return PeerAddress{
+		IP:   log["faddr"],
+		Port: log["fport"],
+		Src:  log["saddr"],
+	}
+}
+
+func (r PeerAddress) Compare(other PeerAddress) int {
+	if res := compare(r.IP, other.IP); res != 0 {
+		return res
+	}
+	if res := compare(r.Port, other.Port); res != 0 {
+		return res
+	}
+	return compare(r.Src, other.Src)
+}
+
 type Network struct {
 	Base
 	Qualifier
-	AddressExpr
+	LocalAddress
+	PeerAddress
 	Domain   string
 	Type     string
 	Protocol string
@@ -90,12 +110,13 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) {
 
 func newNetworkFromLog(log map[string]string) Rule {
 	return &Network{
-		Base:        newBaseFromLog(log),
+		Base:         newBaseFromLog(log),
-		Qualifier:   newQualifierFromLog(log),
+		Qualifier:    newQualifierFromLog(log),
-		AddressExpr: newAddressExprFromLog(log),
+		LocalAddress: newLocalAddressFromLog(log),
-		Domain:      log["family"],
+		PeerAddress:  newPeerAddressFromLog(log),
-		Type:        log["sock_type"],
+		Domain:       log["family"],
-		Protocol:    log["protocol"],
+		Type:         log["sock_type"],
+		Protocol:     log["protocol"],
 	}
 }
 
@@ -135,7 +156,10 @@ func (r *Network) Compare(other Rule) int {
 	if res := compare(r.Protocol, o.Protocol); res != 0 {
 		return res
 	}
-	if res := r.AddressExpr.Compare(o.AddressExpr); res != 0 {
+	if res := r.LocalAddress.Compare(o.LocalAddress); res != 0 {
+		return res
+	}
+	if res := r.PeerAddress.Compare(o.PeerAddress); res != 0 {
 		return res
 	}
 	return r.Qualifier.Compare(o.Qualifier)

pkg/aa/rule_test.go

@@ -216,6 +216,17 @@ var (
 			wMerge:    false,
 			wString:   "network netlink raw,",
 		},
+		{
+			name:      "network3",
+			fromLog:   newNetworkFromLog,
+			log:       network3Log,
+			rule:      network3,
+			wValidErr: true,
+			other:     network1,
+			wCompare:  -7,
+			wMerge:    false,
+			wString:   "network dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match",
+		},
 		{
 			name:     "mount",
 			fromLog:  newMountFromLog,

pkg/aa/templates/rule/network.j2

@@ -15,6 +15,22 @@
             {{ " " }}{{ . }}
         {{- end -}}
     {{- end -}}
+    {{- with .LocalAddress.IP -}}
+        {{ " ip=" }}{{ . }}
+    {{- end -}}
+    {{- with .LocalAddress.Port -}}
+        {{ " port=" }}{{ . }}
+    {{- end -}}
+    {{- if and .PeerAddress.IP .PeerAddress.Port -}}
+        {{ " peer=(ip=" }}{{ .PeerAddress.IP }}{{ ", port="}}{{ .PeerAddress.Port }}{{ ")" }}
+    {{- else -}}
+        {{- with .PeerAddress.IP -}}
+            {{ " peer=(ip=" }}{{ . }}{{ ")" }}
+        {{- end -}}
+        {{- with .PeerAddress.Port -}}
+            {{ " peer=(port=" }}{{ . }}{{ ")" }}
+        {{- end -}}
+    {{- end -}}
     {{- "," -}}
     {{- template "comment" . -}}
 {{- end -}}