feat(aa-log): add a new apparmor profile struct

Also rewrite variables resolution to this new struct.
2023-08-17 23:00:52 +01:00 · 2023-08-17 23:00:52 +01:00 · a8470dfa38
commit a8470dfa38
parent b2d093e125
5 changed files with 379 additions and 156 deletions
--- a/pkg/aa/rules.go
+++ b/pkg/aa/rules.go
@ -0,0 +1,202 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
+// SPDX-License-Identifier: GPL-2.0-only
+
+package aa
+
+// Preamble section of a profile
+type Preamble struct {
+	Abi              []Abi
+	PreambleIncludes []Include
+	Aliases          []Alias
+	Variables        []Variable
+}
+
+// Profile section of a profile
+type Profile struct {
+	Name        string
+	Attachments []string
+	Attributes  []string
+	Flags       []string
+	Rules
+}
+
+type Rules struct {
+	Includes      []Include
+	Rlimit        []Rlimit
+	Userns        Userns
+	Capability    []Capability
+	Network       []Network
+	Mount         []Mount
+	Umount        []Umount
+	Remount       []Remount
+	PivotRoot     []PivotRoot
+	ChangeProfile []ChangeProfile
+	Unix          []Unix
+	Ptrace        []Ptrace
+	Signal        []Signal
+	Dbus          []Dbus
+	File          []File
+}
+
+
+// Qualifier to apply extra settings to a rule
+type Qualifier struct {
+	Audit       bool
+	AccessType  string
+	Owner       bool
+	NoNewPrivs  bool
+	FileInherit bool
+}
+
+// Preamble rules
+
+type Abi struct {
+	AbsPath   string
+	MagicPath string
+}
+
+type Alias struct {
+	Path          string
+	RewrittenPath string
+}
+
+type Include struct {
+	IfExists  bool
+	AbsPath   string
+	MagicPath string
+}
+
+type Variable struct {
+	Name   string
+	Values []string
+}
+
+// Profile rules
+
+type Rlimit struct {
+	Key   string
+	Op    string
+	Value string
+}
+
+type Userns struct {
+	Qualifier
+	Create bool
+}
+
+type Capability struct {
+	Qualifier
+	Name string
+}
+
+type AddressExpr struct {
+	Source      string
+	Destination string
+	Port        string
+}
+
+type Network struct {
+	Qualifier
+	Domain   string
+	Type     string
+	Protocol string
+	AddressExpr
+}
+
+type MountConditions struct {
+	Fs      string
+	Op      string
+	FsType  string
+	Options []string
+}
+
+type Mount struct {
+	Qualifier
+	MountConditions
+	Source     string
+	MountPoint string
+}
+
+type Umount struct {
+	Qualifier
+	MountConditions
+	MountPoint string
+}
+
+type Remount struct {
+	Qualifier
+	MountConditions
+	MountPoint string
+}
+
+type PivotRoot struct {
+	Qualifier
+	OldRoot       string
+	NewRoot       string
+	TargetProfile string
+}
+
+type ChangeProfile struct {
+	ExecMode    string
+	Exec        string
+	ProfileName string
+}
+
+type IOUring struct {
+	Qualifier
+	Access string
+	Label  string
+}
+
+type Signal struct {
+	Qualifier
+	Access string
+	Set    string
+	Peer   string
+}
+
+type Ptrace struct {
+	Qualifier
+	Access string
+	Peer   string
+}
+
+type Unix struct {
+	Qualifier
+	Access   string
+	Type     string
+	Protocol string
+	Address  string
+	Label    string
+	Attr     string
+	Opt      string
+	Peer     string
+	PeerAddr string
+}
+
+type Mqueue struct {
+	Qualifier
+	Access string
+	Type   string
+	Label  string
+}
+
+type Dbus struct {
+	Qualifier
+	Access    string
+	Bus       string
+	Name      string
+	Path      string
+	Interface string
+	Member    string
+	Label     string
+}
+
+type File struct {
+	Qualifier
+	Path   string
+	Access string
+	Target string
+}
+