Merge branch 'feat/aa'
Improve go apparmor lib. * aa: (62 commits) feat(aa): handle appending value to defined variables. chore(aa): cosmetic. fix: userspace prebuild test. chore: cleanup unit test. feat(aa): improve log conversion. feat(aa): move conversion function to its own file & add unit tests. fix: go linter issue & not defined variables. tests(aa): improve aa unit tests. tests(aa): improve rules unit tests. feat(aa): ensure the prebuild jobs are working. feat(aa): add more unit tests. chore(aa): cleanup. feat(aa): Move sort, merge and format methods to the rules interface. feat(aa): add the hat template. feat(aa): add the Kind struct to manage aa rules. feat(aa): cleanup rules methods. feat(aa): add function to resolve include preamble. feat(aa): updaqte mount flags order. feat(aa): update default tunable selection. feat(aa): parse apparmor preamble files. ...
commit
89abbae6bd
90 changed files with 4995 additions and 2012 deletions
|
|
@ -30,6 +30,6 @@ func init() {
|
|||
})
|
||||
}
|
||||
|
||||
func (b ABI3) Apply(profile string) string {
|
||||
return regAbi4To3.Replace(profile)
|
||||
func (b ABI3) Apply(opt *Option, profile string) (string, error) {
|
||||
return regAbi4To3.Replace(profile), nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -30,13 +30,13 @@ func init() {
|
|||
})
|
||||
}
|
||||
|
||||
func (b Complain) Apply(profile string) string {
|
||||
func (b Complain) Apply(opt *Option, profile string) (string, error) {
|
||||
flags := []string{}
|
||||
matches := regFlags.FindStringSubmatch(profile)
|
||||
if len(matches) != 0 {
|
||||
flags = strings.Split(matches[1], ",")
|
||||
if slices.Contains(flags, "complain") {
|
||||
return profile
|
||||
return profile, nil
|
||||
}
|
||||
}
|
||||
flags = append(flags, "complain")
|
||||
|
|
@ -44,5 +44,5 @@ func (b Complain) Apply(profile string) string {
|
|||
|
||||
// Remove all flags definition, then set manifest' flags
|
||||
profile = regFlags.ReplaceAllLiteralString(profile, "")
|
||||
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
|
||||
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags), nil
|
||||
}
|
||||
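Review bot: The exact-match test `slices.Contains(flags, "complain")` after `strings.Split(matches[1], ",")` treats a flag written with surrounding whitespace as a different flag, so a constructed header such as `flags=(attach_disconnected, complain)` would get a second `complain` appended here. The same split feeds `slices.Index(flags, "complain")` in `Enforce.Apply`, where the miss matters more: that builder returns `profile, nil` and the profile stays in complain mode with no signal to the caller, even though the new signature could report it. Whether this is reachable depends on what `regFlags` captures, which is defined outside these hunks, so it needs confirming against that pattern. If it is reachable, trim each element before comparing in both builders, e.g. `for i := range flags { flags[i] = strings.TrimSpace(flags[i]) }`.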
|
|
|
|||
|
|
@ -7,6 +7,7 @@ package builder
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/roddhjav/apparmor.d/pkg/paths"
|
||||
"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
|
||||
)
|
||||
|
||||
|
|
@ -21,7 +22,20 @@ var (
|
|||
// Main directive interface
|
||||
type Builder interface {
|
||||
cfg.BaseInterface
|
||||
Apply(profile string) string
|
||||
Apply(opt *Option, profile string) (string, error)
|
||||
}
|
||||
|
||||
// Builder options
|
||||
type Option struct {
|
||||
Name string
|
||||
File *paths.Path
|
||||
}
|
||||
|
||||
func NewOption(file *paths.Path) *Option {
|
||||
return &Option{
|
||||
Name: file.Base(),
|
||||
File: file,
|
||||
}
|
||||
}
|
||||
|
||||
func Register(names ...string) {
|
||||
|
|
@ -37,3 +51,15 @@ func Register(names ...string) {
|
|||
func RegisterBuilder(d Builder) {
|
||||
Builders[d.Name()] = d
|
||||
}
|
||||
|
||||
func Run(file *paths.Path, profile string) (string, error) {
|
||||
var err error
|
||||
opt := NewOption(file)
|
||||
for _, b := range Builds {
|
||||
profile, err = b.Apply(opt, profile)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("%s %s: %w", b.Name(), opt.File, err)
|
||||
}
|
||||
}
|
||||
return profile, nil
|
||||
}
|
||||
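Review bot: `NewOption` calls `file.Base()` and every builder now receives its `opt` from `Run`, but nothing in this section states or checks that `file` is non-nil, so a nil path handed to the exported `Run` would presumably panic instead of coming back through the new error return. A guard at the top of `Run`, `if file == nil { return "", fmt.Errorf("builder: nil profile path") }`, keeps that failure on the error path. The new exported names also have no Go doc comments beyond `// Builder options`; I would add `// Option carries the per-file context passed to every Builder.Apply call.`, `// NewOption returns an Option for file, with Name set to the file's base name.` and `// Run applies each builder in Builds to profile in order and stops at the first error, wrapped with the builder name and file path.`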
|
|
|
|||
|
|
@ -7,6 +7,8 @@ package builder
|
|||
import (
|
||||
"slices"
|
||||
"testing"
|
||||
|
||||
"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
|
||||
)
|
||||
|
||||
func TestBuilder_Apply(t *testing.T) {
|
||||
|
|
@ -15,6 +17,7 @@ func TestBuilder_Apply(t *testing.T) {
|
|||
b Builder
|
||||
profile string
|
||||
want string
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "abi3",
|
||||
|
|
@ -215,7 +218,7 @@ func TestBuilder_Apply(t *testing.T) {
|
|||
}`,
|
||||
},
|
||||
{
|
||||
name: "userspace-1",
|
||||
name: "userspace-2",
|
||||
b: Builders["userspace"],
|
||||
profile: `
|
||||
profile foo /usr/bin/foo {
|
||||
|
|
@ -237,7 +240,13 @@ func TestBuilder_Apply(t *testing.T) {
|
|||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if got := tt.b.Apply(tt.profile); got != tt.want {
|
||||
opt := &Option{File: cfg.RootApparmord.Join(tt.name)}
|
||||
got, err := tt.b.Apply(opt, tt.profile)
|
||||
if (err != nil) != tt.wantErr {
|
||||
t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr)
|
||||
return
|
||||
}
|
||||
if got != tt.want {
|
||||
t.Errorf("Builder.Apply() = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
|
|
@ -257,7 +266,6 @@ func TestRegister(t *testing.T) {
|
|||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
Register(tt.names...)
|
||||
for _, name := range tt.names {
|
||||
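Review bot: The test builds its option as `&Option{File: cfg.RootApparmord.Join(tt.name)}`, which leaves `Name` empty and so differs from what `Run` hands to builders through `NewOption`; `opt := NewOption(cfg.RootApparmord.Join(tt.name))` would exercise the same shape as production. Because the path is derived from the case name, none of the cases visible in these hunks puts a file under `abstractions` or `tunables`, so the early-return branches added to `Userspace.Apply` are not covered here, and no visible case sets `wantErr: true`. One case with a path inside `abstractions` expecting the profile back unchanged, and one with an unparsable profile expecting an error, would pin both behaviours. The table and the loop extend beyond the hunks shown, so cases outside this view may already do this.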
|
|
|
|||
|
|
@ -31,6 +31,6 @@ func init() {
|
|||
})
|
||||
}
|
||||
|
||||
func (b Dev) Apply(profile string) string {
|
||||
return regDev.Replace(profile)
|
||||
func (b Dev) Apply(opt *Option, profile string) (string, error) {
|
||||
return regDev.Replace(profile), nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -24,16 +24,16 @@ func init() {
|
|||
})
|
||||
}
|
||||
|
||||
func (b Enforce) Apply(profile string) string {
|
||||
func (b Enforce) Apply(opt *Option, profile string) (string, error) {
|
||||
matches := regFlags.FindStringSubmatch(profile)
|
||||
if len(matches) == 0 {
|
||||
return profile
|
||||
return profile, nil
|
||||
}
|
||||
|
||||
flags := strings.Split(matches[1], ",")
|
||||
idx := slices.Index(flags, "complain")
|
||||
if idx == -1 {
|
||||
return profile
|
||||
return profile, nil
|
||||
}
|
||||
flags = slices.Delete(flags, idx, idx+1)
|
||||
strFlags := "{"
|
||||
|
|
@ -43,5 +43,5 @@ func (b Enforce) Apply(profile string) string {
|
|||
|
||||
// Remove all flags definition, then set new flags
|
||||
profile = regFlags.ReplaceAllLiteralString(profile, "")
|
||||
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags)
|
||||
return regProfileHeader.ReplaceAllLiteralString(profile, strFlags), nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,6 +28,6 @@ func init() {
|
|||
})
|
||||
}
|
||||
|
||||
func (b FullSystemPolicy) Apply(profile string) string {
|
||||
return regFullSystemPolicy.Replace(profile)
|
||||
func (b FullSystemPolicy) Apply(opt *Option, profile string) (string, error) {
|
||||
return regFullSystemPolicy.Replace(profile), nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,15 +29,26 @@ func init() {
|
|||
})
|
||||
}
|
||||
|
||||
func (b Userspace) Apply(profile string) string {
|
||||
p := aa.DefaultTunables()
|
||||
p.ParseVariables(profile)
|
||||
p.ResolveAttachments()
|
||||
att := p.NestAttachments()
|
||||
func (b Userspace) Apply(opt *Option, profile string) (string, error) {
|
||||
if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("abstractions")); ok {
|
||||
return profile, nil
|
||||
}
|
||||
if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("tunables")); ok {
|
||||
return profile, nil
|
||||
}
|
||||
|
||||
f := aa.DefaultTunables()
|
||||
if err := f.Parse(profile); err != nil {
|
||||
return "", err
|
||||
}
|
||||
if err := f.Resolve(); err != nil {
|
||||
return "", err
|
||||
}
|
||||
att := f.GetDefaultProfile().GetAttachments()
|
||||
matches := regAttachments.FindAllString(profile, -1)
|
||||
if len(matches) > 0 {
|
||||
strheader := strings.Replace(matches[0], "@{exec_path}", att, -1)
|
||||
return regAttachments.ReplaceAllLiteralString(profile, strheader)
|
||||
return regAttachments.ReplaceAllLiteralString(profile, strheader), nil
|
||||
}
|
||||
return profile
|
||||
return profile, nil
|
||||
}
|
||||
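Review bot: Both directory checks discard the error from `opt.File.IsInsideDir`, so when that call fails `ok` is presumably false and the function goes on to parse and rewrite a file under `abstractions` or `tunables` that it was meant to return untouched. Since `Apply` now returns an error, propagate it for each of the two directories: `if ok, err := opt.File.IsInsideDir(dir); err != nil { return "", err } else if ok { return profile, nil }`. `opt` and `opt.File` are also dereferenced without a nil check, which holds only as long as every caller builds the option the way `Run` does.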
|
|
|
|||