Merge branch 'feat/aa'

Improve go apparmor lib.

* aa: (62 commits)
  feat(aa): handle appending value to defined variables.
  chore(aa): cosmetic.
  fix: userspace prebuild test.
  chore: cleanup unit test.
  feat(aa): improve log conversion.
  feat(aa): move conversion function to its own file & add unit tests.
  fix: go linter issue & not defined variables.
  tests(aa): improve aa unit tests.
  tests(aa): improve rules unit tests.
  feat(aa): ensure the prebuild jobs are working.
  feat(aa): add more unit tests.
  chore(aa): cleanup.
  feat(aa): Move sort, merge and format methods to the rules interface.
  feat(aa): add the hat template.
  feat(aa): add the Kind struct to manage aa rules.
  feat(aa): cleanup rules methods.
  feat(aa): add function to resolve include preamble.
  feat(aa): updaqte mount flags order.
  feat(aa): update default tunable selection.
  feat(aa): parse apparmor preamble files.
  ...

pkg/aa/apparmor.go

@@ -0,0 +1,105 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
+// SPDX-License-Identifier: GPL-2.0-only
+
+package aa
+
+import (
+	"github.com/roddhjav/apparmor.d/pkg/paths"
+)
+
+// Default Apparmor magic directory: /etc/apparmor.d/.
+var MagicRoot = paths.New("/etc/apparmor.d")
+
+// AppArmorProfileFiles represents a full set of apparmor profiles
+type AppArmorProfileFiles map[string]*AppArmorProfileFile
+
+// AppArmorProfileFile represents a full apparmor profile file.
+// Warning: close to the BNF grammar of apparmor profile but not exactly the same (yet):
+//   - Some rules are not supported yet (subprofile, hat...)
+//   - The structure is simplified as it only aims at writing profile, not parsing it.
+type AppArmorProfileFile struct {
+	Preamble Rules
+	Profiles []*Profile
+}
+
+func NewAppArmorProfile() *AppArmorProfileFile {
+	return &AppArmorProfileFile{}
+}
+
+// DefaultTunables return a minimal working profile to build the profile
+// It should not be used when loading file from /etc/apparmor.d
+func DefaultTunables() *AppArmorProfileFile {
+	return &AppArmorProfileFile{
+		Preamble: Rules{
+			&Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+			&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
+			&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
+			&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
+			&Variable{Name: "int2", Values: []string{"[0-9][0-9]"}, Define: true},
+			&Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
+			&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
+			&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
+			&Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true},
+			&Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true},
+			&Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true},
+			&Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true},
+			&Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true},
+		},
+	}
+}
+
+// String returns the formatted representation of a profile file as a string
+func (f *AppArmorProfileFile) String() string {
+	return renderTemplate("apparmor", f)
+}
+
+// Validate the profile file
+func (f *AppArmorProfileFile) Validate() error {
+	if err := f.Preamble.Validate(); err != nil {
+		return err
+	}
+	for _, p := range f.Profiles {
+		if err := p.Validate(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// GetDefaultProfile ensure a profile is always present in the profile file and
+// return it, as a default profile.
+func (f *AppArmorProfileFile) GetDefaultProfile() *Profile {
+	if len(f.Profiles) == 0 {
+		f.Profiles = append(f.Profiles, &Profile{})
+	}
+	return f.Profiles[0]
+}
+
+// Sort the rules in the profile
+// Follow: https://apparmor.pujol.io/development/guidelines/#guidelines
+func (f *AppArmorProfileFile) Sort() {
+	for _, p := range f.Profiles {
+		p.Sort()
+	}
+}
+
+// MergeRules merge similar rules together.
+// Steps:
+//   - Remove identical rules
+//   - Merge rule access. Eg: for same path, 'r' and 'w' becomes 'rw'
+//
+// Note: logs.regCleanLogs helps a lot to do a first cleaning
+func (f *AppArmorProfileFile) MergeRules() {
+	for _, p := range f.Profiles {
+		p.Merge()
+	}
+}
+
+// Format the profile for better readability before printing it.
+// Follow: https://apparmor.pujol.io/development/guidelines/#the-file-block
+func (f *AppArmorProfileFile) Format() {
+	for _, p := range f.Profiles {
+		p.Format()
+	}
+}