tests(check): add support for blocl ignore, handle inline comments.

Alexandre Pujol 2025-07-26 22:28:54 +02:00 committed by Alex
parent dfb0762625
commit c0b43c86b6
6 changed files with 65 additions and 30 deletions


@ -56,11 +56,12 @@
owner @{HOME}/.var/app/** rmix, owner @{HOME}/.var/app/** rmix,
owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{HOME}/** rwmlk -> @{HOME}/**,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide
owner @{user_games_dirs}/** rmix, owner @{user_games_dirs}/** rmix,
owner @{tmp}/** rmwk, #aa:lint ignore #aa:lint ignore=too_wide
owner /dev/shm/** rwlk -> /dev/shm/**, #aa:lint ignore owner @{tmp}/** rmwk,
owner /dev/shm/** rwlk -> /dev/shm/**,
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
owner /var/tmp/etilqs_@{sqlhex} rw, owner /var/tmp/etilqs_@{sqlhex} rw,
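Review bot: The block form `#aa:lint ignore=too_wide` placed above `owner @{tmp}/** rmwk,` is closed only by a blank line, so it also silences the too_wide check for `owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,` and `owner /var/tmp/etilqs_@{sqlhex} rw,` that follow it, which the old side shows adjacent with no separating blank line and which carried no ignore before. If only the @{tmp} and /dev/shm rules are meant to be exempt, the inline form already used on the `@{run}/user/@{uid}/**` line scopes it exactly: `owner @{tmp}/** rmwk, #aa:lint ignore=too_wide` and `owner /dev/shm/** rwlk -> /dev/shm/**, #aa:lint ignore=too_wide`. The same scoping question applies to the `#aa:lint ignore=tunables` block in the gdm-session-worker section, which now also covers `/home/ r,` and, absent a blank line, `owner @{HOME}/.pam_environment r,`.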


@ -8,6 +8,7 @@
type=stream type=stream
peer=(addr="@/tmp/ibus/dbus-????????"), peer=(addr="@/tmp/ibus/dbus-????????"),
#aa:lint ignore=tunables
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs})
# This should use this, but due to LP: #1856738 we cannot # This should use this, but due to LP: #1856738 we cannot
#unix (connect, receive, send) #unix (connect, receive, send)
@ -15,11 +16,10 @@
# peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"),
unix (connect, receive, send) unix (connect, receive, send)
type=stream type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore peer=(addr="@/home/*/.cache/ibus/dbus-????????"),
unix (connect, send, receive, accept, bind, listen) unix (connect, send, receive, accept, bind, listen)
type=stream type=stream
addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore addr="@/home/*/.cache/ibus/dbus-????????",
dbus receive bus=session path=/org/freedesktop/IBus dbus receive bus=session path=/org/freedesktop/IBus
interface=org.freedesktop.DBus.Peer interface=org.freedesktop.DBus.Peer
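Review bot: The `#aa:lint ignore=tunables` block marker is inserted right after the first `peer=(...)` rule, several comment lines above the two `@/home/*/.cache/ibus/dbus-????????` rules whose inline markers it replaces, and the line between the two hunks (old line 14) is not shown; if that line is blank, the block ends before those rules and the tunables check will flag them again. Either move the marker directly above the rules it is meant to cover, or keep the inline form on the two changed lines: `peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore=tunables` and `addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore=tunables`. The inline form also documents, next to the rule itself, why the literal `/home/*/.cache` path is tolerated instead of `@{user_cache_dirs}`.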


@ -99,10 +99,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
/.fscrypt/protectors/ r, /.fscrypt/protectors/ r,
owner /.fscrypt/protectors/@{hex16} r, owner /.fscrypt/protectors/@{hex16} r,
#aa:lint ignore=tunables
/home/ r, /home/ r,
/home/.fscrypt/policies/ r, #aa:lint ignore /home/.fscrypt/policies/ r,
owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore owner /home/.fscrypt/policies/@{hex32} r,
owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore owner /home/.fscrypt/protectors/@{hex16}.link r,
owner @{HOME}/.pam_environment r, owner @{HOME}/.pam_environment r,


@ -73,7 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
@{bin}/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
@{bin}/ps rPx, @{bin}/ps rPx,
@{sbin}/runc rUx, @{sbin}/runc rUx,
@{bin}/runc rUx, #aa:lint ignore @{bin}/runc rUx, #aa:lint ignore=sbin
@{bin}/unpigz rix, @{bin}/unpigz rix,
@{sbin}/xtables-nft-multi rCx -> nft, @{sbin}/xtables-nft-multi rCx -> nft,
@{sbin}/xtables-legacy-multi rCx -> nft, @{sbin}/xtables-legacy-multi rCx -> nft,


@ -13,9 +13,9 @@ profile hwinfo @{exec_path} {
include <abstractions/disks-read> include <abstractions/disks-read>
capability net_raw, # Needed for network related options capability net_raw, # Needed for network related options
capability sys_admin, # Needed for @{PROC}/ioports capability sys_admin, # Needed for /proc/ioports
capability sys_rawio, # Needed for disk related options capability sys_rawio, # Needed for disk related options
capability syslog, # Needed for @{PROC}/kmsg capability syslog, # Needed for /proc/kmsg
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,


@ -12,6 +12,7 @@ RES=$(mktemp)
echo "false" >"$RES" echo "false" >"$RES"
MAX_JOBS=$(nproc) MAX_JOBS=$(nproc)
declare WITH_CHECK declare WITH_CHECK
declare _check_is_disabled
readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly RES MAX_JOBS APPARMORD="apparmor.d"
readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m"
_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; }
@ -39,7 +40,17 @@ _in_array() {
} }
_is_enabled() { _is_enabled() {
_in_array "$1" "${WITH_CHECK[@]}" local check="$1"
if _in_array "$check" "${WITH_CHECK[@]}"; then
if [[ ${#_check_is_disabled[@]} -eq 0 ]]; then
return 0
fi
if _in_array "$check" "${_check_is_disabled[@]}"; then
return 1
fi
return 0
fi
return 1
} }
_wait() { _wait() {
@ -51,13 +62,34 @@ _wait() {
fi fi
} }
_IGNORE_LINT_BLOCK=false
readonly _IGNORE_LINT="#aa:lint ignore" readonly _IGNORE_LINT="#aa:lint ignore"
_ignore_lint() { _ignore_lint() {
local line="$1" local checks line="$1"
if [[ "$line" == *"$_IGNORE_LINT"* ]]; then
if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then
# Start of an ignore block
_IGNORE_LINT_BLOCK=true
checks="${line#*"$_IGNORE_LINT="}"
read -ra _check_is_disabled <<<"${checks//,/ }"
elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then
# New paragraph, end of block
_IGNORE_LINT_BLOCK=false
_check_is_disabled=()
elif [[ $_IGNORE_LINT_BLOCK == true ]]; then
# Nothing to do, we are in a block
return 0 return 0
elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then
# Inline ignore
checks="${line#*"$_IGNORE_LINT="}"
read -ra _check_is_disabled <<<"${checks//,/ }"
else
_check_is_disabled=()
fi fi
return 1
} }
_check() { _check() {
@ -66,9 +98,7 @@ _check() {
while IFS= read -r line; do while IFS= read -r line; do
line_number=$((line_number + 1)) line_number=$((line_number + 1))
if _ignore_lint "$line"; then _ignore_lint "$line"
continue
fi
# Style check # Style check
if [[ $line_number -lt 10 ]]; then if [[ $line_number -lt 10 ]]; then
@ -79,8 +109,11 @@ _check() {
_check_indentation _check_indentation
_check_vim _check_vim
# The following checks do not apply to comment lines # The following checks do not apply to commented lines
[[ "$line" =~ ^[[:space:]]*# ]] && continue [[ "$line" =~ ^[[:space:]]*# ]] && continue
if [[ "$line" =~ ,[[:space:]]*# ]]; then
line="${line%%#*}"
fi
# Rules checks # Rules checks
_check_abstractions _check_abstractions
@ -89,7 +122,7 @@ _check() {
_check_too_wide _check_too_wide
_check_transition _check_transition
_check_useless _check_useless
_check_variables _check_tunables
# Guidelines check # Guidelines check
_check_abi _check_abi
@ -227,7 +260,7 @@ _check_useless() {
done done
} }
declare -A VARIABLES_MISSING=( declare -A TUNABLES=(
# User variables # User variables
["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}"
["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}"
@ -260,14 +293,14 @@ declare -A VARIABLES_MISSING=(
["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}"
["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/"
) )
_check_variables() { _check_tunables() {
_is_enabled variables || return 0 _is_enabled tunables || return 0
for pattern in "${!VARIABLES_MISSING[@]}"; do for pattern in "${!TUNABLES[@]}"; do
rpattern="$pattern" rpattern="$pattern"
[[ "$rpattern" == /* ]] && rpattern=" $rpattern" [[ "$rpattern" == /* ]] && rpattern=" $rpattern"
if [[ "$line" =~ $rpattern ]]; then if [[ "$line" =~ $rpattern ]]; then
match="${BASH_REMATCH[0]}" match="${BASH_REMATCH[0]}"
_err issue "$file:$line_number" "variable '${VARIABLES_MISSING[$pattern]}' must be used instead of: $match" _err issue "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match"
fi fi
done done
} }
@ -452,7 +485,7 @@ check_sbin() {
for name in "${sbin[@]}"; do for name in "${sbin[@]}"; do
( (
mapfile -t files < <( mapfile -t files < <(
grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT)" apparmor.d | grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT=sbin)" apparmor.d |
cut -d: -f1,2 cut -d: -f1,2
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do
@ -488,7 +521,7 @@ check_profiles() {
) )
jobs=0 jobs=0
WITH_CHECK=( WITH_CHECK=(
abstractions directory_mark equivalent useless transition variables abstractions directory_mark equivalent useless transition tunables
abi include profile header tabs trailing indentation subprofiles vim abi include profile header tabs trailing indentation subprofiles vim
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do
@ -508,7 +541,7 @@ check_abstractions() {
mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true)
jobs=0 jobs=0
WITH_CHECK=( WITH_CHECK=(
abstractions directory_mark equivalent too_wide variables abstractions directory_mark equivalent too_wide tunables
abi include header tabs trailing indentation vim abi include header tabs trailing indentation vim
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do
@ -529,7 +562,7 @@ check_abstractions() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
jobs=0 jobs=0
WITH_CHECK=( WITH_CHECK=(
abstractions directory_mark equivalent too_wide variables abstractions directory_mark equivalent too_wide tunables
header tabs trailing indentation vim header tabs trailing indentation vim
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do
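Review bot: In `_ignore_lint`, the branch that ends an ignore block (`elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]`) and the `else` branch that clears `_check_is_disabled` are nested inside `if [[ "$line" == *"$_IGNORE_LINT"* ]]` (the chain is closed by a single `fi` before `return 1`), so they only run for lines that contain the marker: a blank line never closes a block, and a rule line following an inline `#aa:lint ignore=...` inherits the previous line's disabled checks because the outer test is false and the array is left untouched. The practical effect is that a block ignore disables those checks for the rest of the file and an inline ignore leaks onto every following line until another marker line happens to reset the array, which defeats the per-line scoping `_is_enabled` now relies on. Testing the blank-line and in-block cases before the marker test fixes both; the rewrite below keeps the marker parsing unchanged. The rendered view collapses indentation, so this reading is inferred from the `elif`/`else` chain rather than from column position.

```shell
_ignore_lint() {
  local checks line="$1"
  if [[ "$line" =~ ^[[:space:]]*$ ]]; then
    # Blank line: a paragraph break ends any ignore block and any inline ignore
    _IGNORE_LINT_BLOCK=false
    _check_is_disabled=()
    return 1
  fi
  if [[ $_IGNORE_LINT_BLOCK == true ]]; then
    # Inside a block: keep the block's disabled checks
    return 0
  fi
  if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then
    # Start of an ignore block
    _IGNORE_LINT_BLOCK=true
    checks="${line#*"$_IGNORE_LINT="}"
    read -ra _check_is_disabled <<<"${checks//,/ }"
  elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then
    # Inline ignore: applies to this line only
    checks="${line#*"$_IGNORE_LINT="}"
    read -ra _check_is_disabled <<<"${checks//,/ }"
  else
    # Ordinary line: nothing is disabled
    _check_is_disabled=()
  fi
  return 1
}
```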