felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(aa): handle appending value to defined variables.

Browse source
This commit is contained in:
Alexandre Pujol 2024-05-30 14:23:56 +01:00
parent 264f30cf12
commit 7f1de3626e
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
4 changed files with 59 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

15
pkg/aa/resolve.go
View file

@ -29,6 +29,21 @@ func (f *AppArmorProfileFile) Resolve() error {
// } // }
// } // }
// Append value to variable
seen := map[string]*Variable{}
for idx, variable := range f.Preamble.GetVariables() {
if _, ok := seen[variable.Name]; ok {
if variable.Define {
return fmt.Errorf("variable %s already defined", variable.Name)
}
seen[variable.Name].Values = append(seen[variable.Name].Values, variable.Values...)
f.Preamble = f.Preamble.Delete(idx)
}
if variable.Define {
seen[variable.Name] = variable
}
}
// Resolve variables // Resolve variables
for _, variable := range f.Preamble.GetVariables() { for _, variable := range f.Preamble.GetVariables() {
newValues := []string{} newValues := []string{}

50
pkg/aa/resolve_test.go
View file

@ -110,14 +110,37 @@ func TestAppArmorProfileFile_resolveValues(t *testing.T) {
func TestAppArmorProfileFile_Resolve(t *testing.T) { func TestAppArmorProfileFile_Resolve(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
variables Rules preamble Rules
attachements []string attachements []string
want *AppArmorProfileFile want *AppArmorProfileFile
wantErr bool wantErr bool
}{ }{
{ {
name: "firefox", name: "variables/append",
variables: Rules{ preamble: Rules{
&Variable{Name: "lib", Values: []string{"/{usr/,}lib"}, Define: true},
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
&Variable{Name: "exec_path", Values: []string{"@{lib}/DiscoverNotifier"}, Define: true},
&Variable{Name: "exec_path", Values: []string{"@{lib}/@{multiarch}/{,libexec/}DiscoverNotifier"}, Define: false},
},
want: &AppArmorProfileFile{
Preamble: Rules{
&Variable{Name: "lib", Values: []string{"/{usr/,}lib"}, Define: true},
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
&Variable{
Name: "exec_path", Define: true,
Values: []string{
"/{usr/,}lib/DiscoverNotifier",
"/{usr/,}lib/*-linux-gnu*/{,libexec/}DiscoverNotifier",
},
},
},
},
wantErr: false,
},
{
name: "attachment/firefox",
preamble: Rules{
&Variable{Name: "firefox_name", Values: []string{"firefox{,-esr,-bin}"}, Define: true}, &Variable{Name: "firefox_name", Values: []string{"firefox{,-esr,-bin}"}, Define: true},
&Variable{Name: "firefox_lib_dirs", Values: []string{"/{usr/,}/lib{,32,64}/@{firefox_name}", "/opt/@{firefox_name}"}, Define: true}, &Variable{Name: "firefox_lib_dirs", Values: []string{"/{usr/,}/lib{,32,64}/@{firefox_name}", "/opt/@{firefox_name}"}, Define: true},
&Variable{Name: "exec_path", Values: []string{"/{usr/,}bin/@{firefox_name}", "@{firefox_lib_dirs}/@{firefox_name}"}, Define: true}, &Variable{Name: "exec_path", Values: []string{"/{usr/,}bin/@{firefox_name}", "@{firefox_lib_dirs}/@{firefox_name}"}, Define: true},
@ -155,8 +178,8 @@ func TestAppArmorProfileFile_Resolve(t *testing.T) {
wantErr: false, wantErr: false,
}, },
{ {
name: "chromium", name: "attachment/chromium",
variables: Rules{ preamble: Rules{
&Variable{Name: "name", Values: []string{"chromium"}, Define: true}, &Variable{Name: "name", Values: []string{"chromium"}, Define: true},
&Variable{Name: "lib_dirs", Values: []string{"/{usr/,}lib/@{name}"}, Define: true}, &Variable{Name: "lib_dirs", Values: []string{"/{usr/,}lib/@{name}"}, Define: true},
&Variable{Name: "path", Values: []string{"@{lib_dirs}/@{name}"}, Define: true}, &Variable{Name: "path", Values: []string{"@{lib_dirs}/@{name}"}, Define: true},
@ -177,8 +200,8 @@ func TestAppArmorProfileFile_Resolve(t *testing.T) {
wantErr: false, wantErr: false,
}, },
{ {
name: "geoclue", name: "attachment/geoclue",
variables: Rules{ preamble: Rules{
&Variable{Name: "libexec", Values: []string{"/{usr/,}libexec"}, Define: true}, &Variable{Name: "libexec", Values: []string{"/{usr/,}libexec"}, Define: true},
&Variable{Name: "exec_path", Values: []string{"@{libexec}/geoclue", "@{libexec}/geoclue-2.0/demos/agent"}, Define: true}, &Variable{Name: "exec_path", Values: []string{"@{libexec}/geoclue", "@{libexec}/geoclue-2.0/demos/agent"}, Define: true},
}, },
@ -206,8 +229,8 @@ func TestAppArmorProfileFile_Resolve(t *testing.T) {
wantErr: false, wantErr: false,
}, },
{ {
name: "opera", name: "attachment/opera",
variables: Rules{ preamble: Rules{
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true}, &Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
&Variable{Name: "name", Values: []string{"opera{,-beta,-developer}"}, Define: true}, &Variable{Name: "name", Values: []string{"opera{,-beta,-developer}"}, Define: true},
&Variable{Name: "lib_dirs", Values: []string{"/{usr/,}lib/@{multiarch}/@{name}"}, Define: true}, &Variable{Name: "lib_dirs", Values: []string{"/{usr/,}lib/@{multiarch}/@{name}"}, Define: true},
@ -234,12 +257,11 @@ func TestAppArmorProfileFile_Resolve(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
got := &AppArmorProfileFile{ got := &AppArmorProfileFile{Preamble: tt.preamble}
Profiles: []*Profile{{ if tt.attachements != nil {
Header: Header{Attachments: tt.attachements}, got.Profiles = append(got.Profiles, &Profile{Header: Header{Attachments: tt.attachements}})
}},
} }
got.Preamble = tt.variables
if err := got.Resolve(); (err != nil) != tt.wantErr { if err := got.Resolve(); (err != nil) != tt.wantErr {
t.Errorf("AppArmorProfileFile.Resolve() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("AppArmorProfileFile.Resolve() error = %v, wantErr %v", err, tt.wantErr)
} }

6
pkg/prebuild/directive/exec.go
View file

@ -42,8 +42,10 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) {
for name := range opt.ArgMap { for name := range opt.ArgMap {
profiletoTransition := util.MustReadFile(cfg.RootApparmord.Join(name)) profiletoTransition := util.MustReadFile(cfg.RootApparmord.Join(name))
dstProfile := aa.DefaultTunables() dstProfile := aa.DefaultTunables()
err := dstProfile.Parse(profiletoTransition) if err := dstProfile.Parse(profiletoTransition); err != nil {
if err != nil { return "", err
}
if err := dstProfile.Resolve(); err != nil {
return "", err return "", err
} }
for _, variable := range dstProfile.Preamble.GetVariables() { for _, variable := range dstProfile.Preamble.GetVariables() {

8
pkg/prebuild/directive/exec_test.go
View file

@ -31,8 +31,8 @@ func TestExec_Apply(t *testing.T) {
Raw: " #aa:exec DiscoverNotifier", Raw: " #aa:exec DiscoverNotifier",
}, },
profile: ` #aa:exec DiscoverNotifier`, profile: ` #aa:exec DiscoverNotifier`,
want: ` @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier Px, want: ` /{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}DiscoverNotifier Px,
@{lib}/DiscoverNotifier Px,`, /{,usr/}lib{,exec,32,64}/DiscoverNotifier Px,`,
}, },
{ {
name: "exec-unconfined", name: "exec-unconfined",
@ -45,8 +45,8 @@ func TestExec_Apply(t *testing.T) {
Raw: " #aa:exec U polkit-agent-helper", Raw: " #aa:exec U polkit-agent-helper",
}, },
profile: ` #aa:exec U polkit-agent-helper`, profile: ` #aa:exec U polkit-agent-helper`,
want: ` @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] Ux, want: ` /{,usr/}lib{,exec,32,64}/polkit-[0-9]/polkit-agent-helper-[0-9] Ux,
@{lib}/polkit-agent-helper-[0-9] Ux,`, /{,usr/}lib{,exec,32,64}/polkit-agent-helper-[0-9] Ux,`,
}, },
} }
for _, tt := range tests { for _, tt := range tests {