From 8a8808194bb37c4335bcd3134747257c5aaa1f19 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 24 Apr 2024 13:31:22 +0100
Subject: [PATCH] refractor(aa): move base rule & qualifier to their own file.
---
 pkg/aa/base.go | 108 ++++++++++++++++++++++++++++++++++++++++++++++++
 pkg/aa/rules.go | 100 --------------------------------------------
 2 files changed, 108 insertions(+), 100 deletions(-)
 create mode 100644 pkg/aa/base.go
diff --git a/pkg/aa/base.go b/pkg/aa/base.go
new file mode 100644
index 000000000..f9cdac6d7
--- /dev/null
+++ b/pkg/aa/base.go
@@ -0,0 +1,108 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package aa
+
+import "strings"
+
+type RuleBase struct {
+ IsLineRule bool
+ Comment string
+ NoNewPrivs bool
+ FileInherit bool
+ Prefix string
+ Padding string
+ Optional bool
+}
+
+
+func newRuleFromLog(log map[string]string) RuleBase {
+ fileInherit := false
+ if log["operation"] == "file_inherit" {
+ fileInherit = true
+ }
+
+ noNewPrivs := false
+ optional := false
+ msg := ""
+ switch log["error"] {
+ case "-1":
+ if strings.Contains(log["info"], "optional:") {
+ optional = true
+ msg = strings.Replace(log["info"], "optional: ", "", 1)
+ } else {
+ noNewPrivs = true
+ }
+ case "-13":
+ ignoreProfileInfo := []string{"namespace", "disconnected path"}
+ for _, info := range ignoreProfileInfo {
+ if strings.Contains(log["info"], info) {
+ break
+ }
+ }
+ msg = log["info"]
+ default:
+ }
+
+ return RuleBase{
+ IsLineRule: false,
+ Comment: msg,
+ NoNewPrivs: noNewPrivs,
+ FileInherit: fileInherit,
+ Optional: optional,
+ }
+}
+
+func (r RuleBase) Less(other any) bool {
+ return false
+}
+
+func (r RuleBase) Equals(other any) bool {
+ return false
+}
+
+func (r RuleBase) String() string {
+ return renderTemplate("comment", r)
+}
+
+type Qualifier struct {
+ Audit bool
+ AccessType string
+}
+
+func newQualifierFromLog(log map[string]string) Qualifier {
+ audit := false
+ if log["apparmor"] == "AUDIT" {
+ audit = true
+ }
+ return Qualifier{Audit: audit}
+}
+
+func (r Qualifier) Less(other Qualifier) bool {
+ if r.Audit != other.Audit {
+ return r.Audit
+ }
+ return r.AccessType < other.AccessType
+}
+
+func (r Qualifier) Equals(other Qualifier) bool {
+ return r.Audit == other.Audit && r.AccessType == other.AccessType
+}
+
+type All struct {
+ RuleBase
+}
+
+
+func (r *All) Less(other any) bool {
+ return false
+}
+
+func (r *All) Equals(other any) bool {
+ return false
+}
+
+func (r *All) String() string {
+ return renderTemplate(tokALL, r)
+}
diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go
index 0b8180385..ba9cc2235 100644
--- a/pkg/aa/rules.go
+++ b/pkg/aa/rules.go
@@ -7,7 +7,6 @@ package aa
 import (
 "reflect"
 "sort"
- "strings"
 )
 const (
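Review bot: The `case "-13":` branch of newRuleFromLog iterates over ignoreProfileInfo but only `break`s on a match, so the loop has no observable effect and `msg = log["info"]` runs unconditionally; the variable name suggests a log whose info mentions "namespace" or "disconnected path" was meant to produce no comment, which this code never does. If that is the intent, record the match and skip the assignment as below; if not, the loop is dead code and should be dropped. Since Comment is rendered into the profile through the "comment" template, it is also worth confirming that the log parser guarantees the info field cannot carry a line break, because an embedded newline would terminate the comment early in the emitted profile. newRuleFromLog is complete within this hunk.
```go
	case "-13":
		ignoreProfileInfo := []string{"namespace", "disconnected path"}
		ignored := false
		for _, info := range ignoreProfileInfo {
			if strings.Contains(log["info"], info) {
				ignored = true
				break
			}
		}
		if !ignored {
			msg = log["info"]
		}
	// … unchanged: default case and RuleBase construction …
```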
@@ -50,102 +49,3 @@ func (r Rules) Sort() {
 return r[i].Less(r[j])
 })
 }
-
-type RuleBase struct {
- IsLineRule bool
- Comment string
- NoNewPrivs bool
- FileInherit bool
- Prefix string
- Padding string
- Optional bool
-}
-
-func newRuleFromLog(log map[string]string) RuleBase {
- fileInherit := false
- if log["operation"] == "file_inherit" {
- fileInherit = true
- }
-
- noNewPrivs := false
- optional := false
- msg := ""
- switch log["error"] {
- case "-1":
- if strings.Contains(log["info"], "optional:") {
- optional = true
- msg = strings.Replace(log["info"], "optional: ", "", 1)
- } else {
- noNewPrivs = true
- }
- case "-13":
- ignoreProfileInfo := []string{"namespace", "disconnected path"}
- for _, info := range ignoreProfileInfo {
- if strings.Contains(log["info"], info) {
- break
- }
- }
- msg = log["info"]
- default:
- }
-
- return RuleBase{
- IsLineRule: false,
- Comment: msg,
- NoNewPrivs: noNewPrivs,
- FileInherit: fileInherit,
- Optional: optional,
- }
-}
-
-func (r RuleBase) Less(other any) bool {
- return false
-}
-
-func (r RuleBase) Equals(other any) bool {
- return false
-}
-
-func (r RuleBase) String() string {
- return renderTemplate("comment", r)
-}
-
-type Qualifier struct {
- Audit bool
- AccessType string
-}
-
-func newQualifierFromLog(log map[string]string) Qualifier {
- audit := false
- if log["apparmor"] == "AUDIT" {
- audit = true
- }
- return Qualifier{Audit: audit}
-}
-
-func (r Qualifier) Less(other Qualifier) bool {
- if r.Audit != other.Audit {
- return r.Audit
- }
- return r.AccessType < other.AccessType
-}
-
-func (r Qualifier) Equals(other Qualifier) bool {
- return r.Audit == other.Audit && r.AccessType == other.AccessType
-}
-
-type All struct {
- RuleBase
-}
-
-func (r *All) Less(other any) bool {
- return false
-}
-
-func (r *All) Equals(other any) bool {
- return false
-}
-
-func (r *All) String() string {
- return renderTemplate(tokALL, r)
-}