feat(aa): refractor template to allow multiple templates.

Alexandre Pujol 2024-04-17 18:02:41 +01:00
parent 890275fb22
commit 8ef858ad35
GPG key ID: C5469996F0DF68EC
20 changed files with 347 additions and 214 deletions


@ -18,13 +18,14 @@
{{- with .Flags -}}
{{ " flags=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- "{\n" -}}
{{- " {\n" -}}
{{- end -}}
{{- $oldtype := "" -}}
{{- range .Rules -}}
{{- $type := typeof . -}}
{{- if eq $type "Rule" -}}
{{- template "comment" . -}}
{{- "\n" -}}
{{- continue -}}
{{- end -}}
@ -38,252 +39,63 @@
{{- end -}}
{{- if eq $type "Rlimit" -}}
{{ "set rlimit " }}{{ .Key }} {{ .Op }} {{ .Value }}{{ "," }}{{ template "comment" . }}
{{- template "rlimit" . -}}
{{- end -}}
{{- if eq $type "Userns" -}}
{{- if .Create -}}
{{ template "qualifier" . }}{{ "userns," }}{{ template "comment" . }}
{{- end -}}
{{- template "userns" . -}}
{{- end -}}
{{- if eq $type "Capability" -}}
{{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comment" . }}
{{- template "capability" . -}}
{{- end -}}
{{- if eq $type "Network" -}}
{{- template "qualifier" . -}}
{{ "network" }}
{{- with .Domain -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Type -}}
{{ " " }}{{ . }}
{{- else -}}
{{- with .Protocol -}}
{{ " " }}{{ . }}
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "network" . -}}
{{- end -}}
{{- if eq $type "Mount" -}}
{{- template "qualifier" . -}}
{{- "mount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .Source -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .MountPoint -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}
{{- if eq $type "Umount" -}}
{{- template "qualifier" . -}}
{{- "umount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .MountPoint -}}
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "mount" . -}}
{{- end -}}
{{- if eq $type "Remount" -}}
{{- template "qualifier" . -}}
{{- "remount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .MountPoint -}}
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "remount" . -}}
{{- end -}}
{{- if eq $type "Umount" -}}
{{- template "umount" . -}}
{{- end -}}
{{- if eq $type "PivotRoot" -}}
{{- template "qualifier" . -}}
{{- "pivot_root" -}}
{{- with .OldRoot -}}
{{ " oldroot=" }}{{ . }}
{{- end -}}
{{- with .NewRoot -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .TargetProfile -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "pivot_root" . -}}
{{- end -}}
{{- if eq $type "ChangeProfile" -}}
{{- template "qualifier" . -}}
{{- "change_profile" -}}
{{- with .ExecMode -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Exec -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .ProfileName -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "change_profile" . -}}
{{- end -}}
{{- if eq $type "Mqueue" -}}
{{- template "qualifier" . -}}
{{- "mqueue" -}}
{{- with .Access -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Type -}}
{{ " type=" }}{{ . }}
{{- end -}}
{{- with .Label -}}
{{ " label=" }}{{ . }}
{{- end -}}
{{- with .Name -}}
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "mqueue" . -}}
{{- end -}}
{{- if eq $type "Unix" -}}
{{- template "qualifier" . -}}
{{- "unix" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Type -}}
{{ " type=" }}{{ . }}
{{- end -}}
{{- with .Protocol -}}
{{ " protocol=" }}{{ . }}
{{- end -}}
{{- with .Address -}}
{{ " addr=" }}{{ . }}
{{- end -}}
{{- with .Label -}}
{{ " label=" }}{{ . }}
{{- end -}}
{{- if and .PeerLabel .PeerAddr -}}
{{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr="}}{{ .PeerAddr }}{{ ")" }}
{{- else -}}
{{- with .PeerLabel -}}
{{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .PeerAddr -}}
{{ overindent "peer=(addr=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "unix" . -}}
{{- end -}}
{{- if eq $type "Ptrace" -}}
{{- template "qualifier" . -}}
{{- "ptrace" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Peer -}}
{{ " peer=" }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "ptrace" . -}}
{{- end -}}
{{- if eq $type "Signal" -}}
{{- template "qualifier" . -}}
{{- "signal" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Set -}}
{{ " set=(" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Peer -}}
{{ " peer=" }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "signal" . -}}
{{- end -}}
{{- if eq $type "Dbus" -}}
{{- template "qualifier" . -}}
{{- "dbus" -}}
{{- if eq .Access "bind" -}}
{{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
{{- else -}}
{{- with .Access -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Bus -}}
{{ " bus=" }}{{ . }}
{{- end -}}
{{- with .Path -}}
{{ " path=" }}{{ . }}
{{- end -}}
{{ "\n" }}
{{- with .Interface -}}
{{ overindent "interface=" }}{{ . }}{{ "\n" }}
{{- end -}}
{{- with .Member -}}
{{ overindent "member=" }}{{ . }}{{ "\n" }}
{{- end -}}
{{- if and .PeerName .PeerLabel -}}
{{ overindent "peer=(name=" }}{{ .PeerName }}{{ ", label="}}{{ .PeerLabel }}{{ ")" }}
{{- else -}}
{{- with .PeerName -}}
{{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .PeerLabel -}}
{{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "dbus" . -}}
{{- end -}}
{{- if eq $type "File" -}}
{{- template "qualifier" . -}}
{{- if .Owner -}}
{{- "owner " -}}
{{- end -}}
{{- .Path -}}
{{- " " -}}
{{- with .Padding -}}
{{ . }}
{{- end -}}
{{- .Access -}}
{{- with .Target -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- template "file" . -}}
{{- end -}}
{{- if eq $type "Profile" -}}


@ -0,0 +1,7 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "capability" -}}
{{ template "qualifier" . }}{{ "capability " }}{{ .Name }}{{ "," }}{{ template "comment" . }}
{{- end -}}
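Review bot: `{{ "capability " }}{{ .Name }}{{ "," }}` on the body line of the define writes the separating space unconditionally, so a rule whose Name is empty renders as `capability ,` rather than the canonical `capability,`. The other new templates in this commit guard optional fields with `with`, e.g. `{{- "capability" -}}{{- with .Name -}}{{ " " }}{{ . }}{{- end -}}{{- "," -}}`. Whether Name can be empty is not visible in this diff; if it can, keep in mind that the bare form is the rule granting every capability, so a short comment on the define line stating whether an unset Name is expected would help anyone reviewing generated profiles.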


@ -0,0 +1,19 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "change_profile" -}}
{{- template "qualifier" . -}}
{{- "change_profile" -}}
{{- with .ExecMode -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Exec -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .ProfileName -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}


@ -1,3 +1,7 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "comment" -}}
{{- if or .FileInherit .NoNewPrivs .Optional .Comment -}}
{{- " #" -}}


@ -0,0 +1,40 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "dbus" -}}
{{- template "qualifier" . -}}
{{- "dbus" -}}
{{- if eq .Access "bind" -}}
{{ " bind bus=" }}{{ .Bus }}{{ " name=" }}{{ .Name }}
{{- else -}}
{{- with .Access -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Bus -}}
{{ " bus=" }}{{ . }}
{{- end -}}
{{- with .Path -}}
{{ " path=" }}{{ . }}
{{- end -}}
{{ "\n" }}
{{- with .Interface -}}
{{ overindent "interface=" }}{{ . }}{{ "\n" }}
{{- end -}}
{{- with .Member -}}
{{ overindent "member=" }}{{ . }}{{ "\n" }}
{{- end -}}
{{- if and .PeerName .PeerLabel -}}
{{ overindent "peer=(name=" }}{{ .PeerName }}{{ ", label="}}{{ .PeerLabel }}{{ ")" }}
{{- else -}}
{{- with .PeerName -}}
{{ overindent "peer=(name=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .PeerLabel -}}
{{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}
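Review bot: The `{{ "\n" }}` that follows the `.Path` block in the non-bind branch is unconditional, so a rule carrying only access, bus and path renders the line break and then the closing `,` alone on the next line. This is moved code, so the behaviour predates the commit, but the new file is where it now lives; if such rules can occur, tie the break to the fields that need it, e.g. `{{- if or .Interface .Member .PeerName .PeerLabel -}}{{ "\n" }}{{- end -}}`. The template otherwise matches the inline version it replaces.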


@ -0,0 +1,21 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "file" -}}
{{- template "qualifier" . -}}
{{- if .Owner -}}
{{- "owner " -}}
{{- end -}}
{{- .Path -}}
{{- " " -}}
{{- with .Padding -}}
{{ . }}
{{- end -}}
{{- .Access -}}
{{- with .Target -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}


@ -1,3 +1,7 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "include" -}}
{{- "include" -}}
{{- if .IfExists -}}


@ -0,0 +1,54 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "mount" -}}
{{- template "qualifier" . -}}
{{- "mount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .Source -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .MountPoint -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}
{{- define "remount" -}}
{{- template "qualifier" . -}}
{{- "remount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .MountPoint -}}
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}
{{- define "umount" -}}
{{- template "qualifier" . -}}
{{- "umount" -}}
{{- with .FsType -}}
{{ " fstype=" }}{{ . }}
{{- end -}}
{{- with .Options -}}
{{ " options=(" }}{{ join . }}{{ ")" }}
{{- end -}}
{{- with .MountPoint -}}
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}
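Review bot: This file holds three defines (`mount`, `remount`, `umount`) while every other new file in this commit holds exactly one, which makes `remount` and `umount` harder to find from their call sites in the profile template. Either split them out like the rest, or open the file with a comment naming what it covers, e.g. `{{- /* mount, remount and umount rules share this file */ -}}`. The three bodies also repeat the fstype/options handling; a shared helper would be possible but is optional.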


@ -0,0 +1,22 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "mqueue" -}}
{{- template "qualifier" . -}}
{{- "mqueue" -}}
{{- with .Access -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Type -}}
{{ " type=" }}{{ . }}
{{- end -}}
{{- with .Label -}}
{{ " label=" }}{{ . }}
{{- end -}}
{{- with .Name -}}
{{ " " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}


@ -0,0 +1,20 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "network" -}}
{{- template "qualifier" . -}}
{{ "network" }}
{{- with .Domain -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .Type -}}
{{ " " }}{{ . }}
{{- else -}}
{{- with .Protocol -}}
{{ " " }}{{ . }}
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}
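Review bot: `{{ "network" }}` is the only rule keyword in the new templates emitted without trim markers; `mount`, `unix`, `ptrace` and the others write `{{- "mount" -}}`. The output is the same here because the neighbouring actions trim on their side, but `{{- "network" -}}` keeps the files uniform and avoids a dependence on the neighbours' markers.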


@ -0,0 +1,19 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "pivot_root" -}}
{{- template "qualifier" . -}}
{{- "pivot_root" -}}
{{- with .OldRoot -}}
{{ " oldroot=" }}{{ . }}
{{- end -}}
{{- with .NewRoot -}}
{{ " " }}{{ . }}
{{- end -}}
{{- with .TargetProfile -}}
{{ " -> " }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}


@ -0,0 +1,16 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "ptrace" -}}
{{- template "qualifier" . -}}
{{- "ptrace" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Peer -}}
{{ " peer=" }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}


@ -1,3 +1,7 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "qualifier" -}}
{{- with .Prefix -}}
{{ . }}


@ -0,0 +1,7 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "rlimit" -}}
{{ "set rlimit " }}{{ .Key }} {{ .Op }} {{ .Value }}{{ "," }}{{ template "comment" . }}
{{- end -}}


@ -0,0 +1,19 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "signal" -}}
{{- template "qualifier" . -}}
{{- "signal" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Set -}}
{{ " set=(" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Peer -}}
{{ " peer=" }}{{ . }}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}


@ -0,0 +1,35 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "unix" -}}
{{- template "qualifier" . -}}
{{- "unix" -}}
{{- with .Access -}}
{{ " (" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .Type -}}
{{ " type=" }}{{ . }}
{{- end -}}
{{- with .Protocol -}}
{{ " protocol=" }}{{ . }}
{{- end -}}
{{- with .Address -}}
{{ " addr=" }}{{ . }}
{{- end -}}
{{- with .Label -}}
{{ " label=" }}{{ . }}
{{- end -}}
{{- if and .PeerLabel .PeerAddr -}}
{{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr="}}{{ .PeerAddr }}{{ ")" }}
{{- else -}}
{{- with .PeerLabel -}}
{{ overindent "peer=(label=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- with .PeerAddr -}}
{{ overindent "peer=(addr=" }}{{ . }}{{ ")" }}
{{- end -}}
{{- end -}}
{{- "," -}}
{{- template "comment" . -}}
{{- end -}}
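Review bot: In the single-peer branches (`with .PeerLabel` and `with .PeerAddr`), `overindent "peer=(label="` is emitted without a preceding `{{ "\n" }}`, whereas the `dbus` template added in this commit writes `{{ "\n" }}` before every `overindent` field. If `overindent` only prefixes indentation, which the dbus usage suggests, the peer clause here lands on the same line padded with indentation spaces; if it emits its own line break, the dbus template produces blank lines instead. The two templates use the helper differently, so check its definition and align them, e.g. `{{ "\n" }}{{ overindent "peer=(label=" }}{{ . }}{{ ")" }}` here. The two-peer branch also keeps the clause inline (`" peer=(label="`) while dbus overindents it.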


@ -0,0 +1,9 @@
{{- /* apparmor.d - Full set of apparmor profiles */ -}}
{{- /* Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io> */ -}}
{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}}
{{- define "userns" -}}
{{- if .Create -}}
{{ template "qualifier" . }}{{ "userns," }}{{ template "comment" . }}
{{- end -}}
{{- end -}}
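Review bot: When `.Create` is false the template renders nothing at all, so whatever the caller emits around each rule (the per-rule handling in the profile template is outside this file) may produce an empty line for that rule. If only create-type userns rules are meant to be rendered, a comment on the define line would make that explicit: `{{- /* only userns rules with Create set produce output */ -}}`.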