From f763d31a07ca6a9a8824beca56ae6e8bb2bf0117 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 4 May 2024 23:41:47 +0100
Subject: [PATCH] feat(aa): a Constraint and Kind method to the Rule interface.

---
 pkg/aa/base.go | 18 +++++++++++++++++-
 pkg/aa/capability.go | 10 +++++++++-
 pkg/aa/change_profile.go | 8 ++++++++
 pkg/aa/dbus.go | 10 +++++++++-
 pkg/aa/file.go | 9 +++++++--
 pkg/aa/io_uring.go | 10 +++++++++-
 pkg/aa/mount.go | 30 +++++++++++++++++++++++++++---
 pkg/aa/mqueue.go | 10 +++++++++-
 pkg/aa/network.go | 10 +++++++++-
 pkg/aa/pivot_root.go | 10 +++++++++-
 pkg/aa/preamble.go | 34 +++++++++++++++++++++++++++++++++-
 pkg/aa/profile.go | 10 +++++++++-
 pkg/aa/ptrace.go | 10 +++++++++-
 pkg/aa/rlimit.go | 10 +++++++++-
 pkg/aa/rules.go | 10 ++++++++++
 pkg/aa/signal.go | 10 +++++++++-
 pkg/aa/unix.go | 10 +++++++++-
 pkg/aa/userns.go | 10 +++++++++-
 18 files changed, 210 insertions(+), 19 deletions(-)

diff --git a/pkg/aa/base.go b/pkg/aa/base.go
index f9cdac6d7..f0806746a 100644
--- a/pkg/aa/base.go
+++ b/pkg/aa/base.go
@@ -66,6 +66,14 @@ func (r RuleBase) String() string {
 	return renderTemplate("comment", r)
 }
 
+func (r RuleBase) Constraint() constraint {
+	return anyKind
+}
+
+func (r RuleBase) Kind() string {
+	return "base"
+}
+
 type Qualifier struct {
 	Audit bool
 	AccessType string
@@ -104,5 +112,13 @@ func (r *All) Equals(other any) bool {
 }
 
 func (r *All) String() string {
-	return renderTemplate(tokALL, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *All) Constraint() constraint {
+	return blockKind
+}
+
+func (r *All) Kind() string {
+	return tokALL
 }
diff --git a/pkg/aa/capability.go b/pkg/aa/capability.go
index 14b272091..f458350aa 100644
--- a/pkg/aa/capability.go
+++ b/pkg/aa/capability.go
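Review bot: `RuleBase.Constraint()` returning `anyKind` and `RuleBase.Kind()` returning `"base"` in the first base.go hunk give every type that embeds RuleBase a silent default, so a rule type that forgets its own override would be treated as allowed in both the preamble and a profile — the fallback fails open, assuming Constraint is what placement checks consult (no caller is visible in this patch). `Comment` in preamble.go is a candidate: its Constraint is retyped here but no Kind is added, so if it embeds RuleBase it reports "base". Prefer leaving these two methods off RuleBase so a missing override is a compile error once `var _ Rule = (*X)(nil)` checks exist, or at minimum document them: `// Constraint and Kind are fallbacks for embedders; every concrete rule must override both.` The hunk header shows these follow `RuleBase.String()`, whose body starts outside the hunk.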
@@ -39,5 +39,13 @@ func (r *Capability) Equals(other any) bool {
 }
 
 func (r *Capability) String() string {
-	return renderTemplate(tokCAPABILITY, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Capability) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Capability) Kind() string {
+	return tokCAPABILITY
 }
diff --git a/pkg/aa/change_profile.go b/pkg/aa/change_profile.go
index 32106f9bf..4d5ded150 100644
--- a/pkg/aa/change_profile.go
+++ b/pkg/aa/change_profile.go
@@ -47,3 +47,11 @@ func (r *ChangeProfile) Equals(other any) bool {
 func (r *ChangeProfile) String() string {
 	return renderTemplate(tokCHANGEPROFILE, r)
 }
+
+func (r *ChangeProfile) Constraint() constraint {
+	return blockKind
+}
+
+func (r *ChangeProfile) Kind() string {
+	return tokCHANGEPROFILE
+}
diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go
index 3ab30ae75..aa88266cb 100644
--- a/pkg/aa/dbus.go
+++ b/pkg/aa/dbus.go
@@ -81,5 +81,13 @@ func (r *Dbus) Equals(other any) bool {
 }
 
 func (r *Dbus) String() string {
-	return renderTemplate(tokDBUS, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Dbus) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Dbus) Kind() string {
+	return tokDBUS
 }
diff --git a/pkg/aa/file.go b/pkg/aa/file.go
index 9390afbe7..8aabd577a 100644
--- a/pkg/aa/file.go
+++ b/pkg/aa/file.go
@@ -60,8 +60,13 @@ func (r *File) Equals(other any) bool {
 }
 
 func (r *File) String() string {
-	return renderTemplate("file", r)
+	return renderTemplate(r.Kind(), r)
 }
 
-	r.Target == o.Target && r.Qualifier.Equals(o.Qualifier)
+func (r *File) Constraint() constraint {
+	return blockKind
+}
+
+func (r *File) Kind() string {
+	return "file"
 }
diff --git a/pkg/aa/io_uring.go b/pkg/aa/io_uring.go
index eedee8452..4f76354c0 100644
--- a/pkg/aa/io_uring.go
+++ b/pkg/aa/io_uring.go
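Review bot: `ChangeProfile.String()` in the change_profile.go hunk keeps `return renderTemplate(tokCHANGEPROFILE, r)` while Capability, Dbus, File and the other rule types in this patch switch to `return renderTemplate(r.Kind(), r)`; `Abi`, `Alias`, `Include` and `Variable` in preamble.go are left the same way, and Variable renders the literal "variable" while its new Kind() returns tokVARIABLE, so template name and kind can drift apart unless that constant happens to equal the literal. Using `r.Kind()` in every String() makes Kind() the single source for the template name. Relatedly, `File.Kind()` and `RuleBase.Kind()` return bare literals ("file", "base") where every other Kind() returns a `tok*` constant; a constant for each would keep the token table in rules.go authoritative.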
@@ -40,5 +40,13 @@ func (r *IOUring) Equals(other any) bool {
 }
 
 func (r *IOUring) String() string {
-	return renderTemplate(tokIOURING, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *IOUring) Constraint() constraint {
+	return blockKind
+}
+
+func (r *IOUring) Kind() string {
+	return tokIOURING
 }
diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go
index 7f0f5621e..7d7fef3a2 100644
--- a/pkg/aa/mount.go
+++ b/pkg/aa/mount.go
@@ -83,7 +83,15 @@ func (r *Mount) Equals(other any) bool {
 }
 
 func (r *Mount) String() string {
-	return renderTemplate(tokMOUNT, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Mount) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Mount) Kind() string {
+	return tokMOUNT
 }
 
 type Umount struct {
@@ -121,7 +129,15 @@ func (r *Umount) Equals(other any) bool {
 }
 
 func (r *Umount) String() string {
-	return renderTemplate(tokUMOUNT, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Umount) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Umount) Kind() string {
+	return tokUMOUNT
 }
 
 type Remount struct {
@@ -159,5 +175,13 @@ func (r *Remount) Equals(other any) bool {
 }
 
 func (r *Remount) String() string {
-	return renderTemplate(tokREMOUNT, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Remount) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Remount) Kind() string {
+	return tokREMOUNT
 }
diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go
index 0035f2cd6..92a2252ce 100644
--- a/pkg/aa/mqueue.go
+++ b/pkg/aa/mqueue.go
@@ -58,5 +58,13 @@ func (r *Mqueue) Equals(other any) bool {
 }
 
 func (r *Mqueue) String() string {
-	return renderTemplate(tokMQUEUE, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Mqueue) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Mqueue) Kind() string {
+	return tokMQUEUE
 }
diff --git a/pkg/aa/network.go b/pkg/aa/network.go
index d4fd96690..36ef3ac07 100644
--- a/pkg/aa/network.go
+++ b/pkg/aa/network.go
@@ -81,5 +81,13 @@ func (r *Network) Equals(other any) bool {
 }
 
 func (r *Network) String() string {
-	return renderTemplate(tokNETWORK, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Network) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Network) Kind() string {
+	return tokNETWORK
 }
diff --git a/pkg/aa/pivot_root.go b/pkg/aa/pivot_root.go
index 66829f56c..3c421adf6 100644
--- a/pkg/aa/pivot_root.go
+++ b/pkg/aa/pivot_root.go
@@ -46,5 +46,13 @@ func (r *PivotRoot) Equals(other any) bool {
 }
 
 func (r *PivotRoot) String() string {
-	return renderTemplate(tokPIVOTROOT, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *PivotRoot) Constraint() constraint {
+	return blockKind
+}
+
+func (r *PivotRoot) Kind() string {
+	return tokPIVOTROOT
 }
diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go
index 8459099ad..344ccaa1b 100644
--- a/pkg/aa/preamble.go
+++ b/pkg/aa/preamble.go
@@ -40,7 +40,7 @@ func (r *Comment) IsPreamble() bool {
 	return true
 }
 
-func (r *Comment) Constraint() RuleConstraint {
+func (r *Comment) Constraint() constraint {
 	return anyKind
 }
 
@@ -71,6 +71,14 @@ func (r *Abi) String() string {
 	return renderTemplate(tokABI, r)
 }
 
+func (r *Abi) Constraint() constraint {
+	return preambleKind
+}
+
+func (r *Abi) Kind() string {
+	return tokABI
+}
+
 type Alias struct {
 	RuleBase
 	Path string
@@ -94,6 +102,14 @@ func (r *Alias) String() string {
 	return renderTemplate(tokALIAS, r)
 }
 
+func (r *Alias) Constraint() constraint {
+	return preambleKind
+}
+
+func (r *Alias) Kind() string {
+	return tokALIAS
+}
+
 type Include struct {
 	RuleBase
 	IfExists bool
@@ -121,6 +137,14 @@ func (r *Include) String() string {
 	return renderTemplate(tokINCLUDE, r)
 }
 
+func (r *Include) Constraint() constraint {
+	return anyKind
+}
+
+func (r *Include) Kind() string {
+	return tokINCLUDE
+}
+
 type Variable struct {
 	RuleBase
 	Name string
@@ -146,3 +170,11 @@ func (r *Variable) Equals(other any) bool {
 func (r *Variable) String() string {
 	return renderTemplate("variable", r)
 }
+
+func (r *Variable) Constraint() constraint {
+	return preambleKind
+}
+
+func (r *Variable) Kind() string {
+	return tokVARIABLE
+}
diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go
index 8fff81109..974a9b2c2 100644
--- a/pkg/aa/profile.go
+++ b/pkg/aa/profile.go
@@ -48,7 +48,15 @@ func (p *Profile) Equals(other any) bool {
 }
 
 func (p *Profile) String() string {
-	return renderTemplate(tokPROFILE, p)
+	return renderTemplate(p.Kind(), p)
+}
+
+func (p *Profile) Constraint() constraint {
+	return blockKind
+}
+
+func (p *Profile) Kind() string {
+	return tokPROFILE
 }
 
 // Merge merge similar rules together.
diff --git a/pkg/aa/ptrace.go b/pkg/aa/ptrace.go
index ffe69dfc9..5a014bc74 100644
--- a/pkg/aa/ptrace.go
+++ b/pkg/aa/ptrace.go
@@ -40,5 +40,13 @@ func (r *Ptrace) Equals(other any) bool {
 }
 
 func (r *Ptrace) String() string {
-	return renderTemplate(tokPTRACE, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Ptrace) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Ptrace) Kind() string {
+	return tokPTRACE
 }
diff --git a/pkg/aa/rlimit.go b/pkg/aa/rlimit.go
index 585211e7e..4005cd220 100644
--- a/pkg/aa/rlimit.go
+++ b/pkg/aa/rlimit.go
@@ -43,5 +43,13 @@ func (r *Rlimit) Equals(other any) bool {
 }
 
 func (r *Rlimit) String() string {
-	return renderTemplate(tokRLIMIT, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Rlimit) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Rlimit) Kind() string {
+	return tokRLIMIT
 }
diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go
index ba9cc2235..dc2eeebe2 100644
--- a/pkg/aa/rules.go
+++ b/pkg/aa/rules.go
@@ -16,11 +16,21 @@ const (
 	tokDENY = "deny"
 )
 
+type constraint uint
+
+const (
+	anyKind constraint = iota // The rule can be found in either preamble or profile
+	preambleKind // The rule can only be found in the preamble
+	blockKind // The rule can only be found in a profile
+)
+
 // Rule generic interface for all AppArmor rules
 type Rule interface {
 	Less(other any) bool
 	Equals(other any) bool
 	String() string
+	Constraint() constraint
+	Kind() string
 }
 
 type Rules []Rule
diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go
index 237607d2a..9a6da9350 100644
--- a/pkg/aa/signal.go
+++ b/pkg/aa/signal.go
@@ -46,5 +46,13 @@ func (r *Signal) Equals(other any) bool {
 }
 
 func (r *Signal) String() string {
-	return renderTemplate(tokSIGNAL, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Signal) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Signal) Kind() string {
+	return tokSIGNAL
 }
diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go
index ee92fe381..3c53dc84e 100644
--- a/pkg/aa/unix.go
+++ b/pkg/aa/unix.go
@@ -78,5 +78,13 @@ func (r *Unix) Equals(other any) bool {
 }
 
 func (r *Unix) String() string {
-	return renderTemplate(tokUNIX, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Unix) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Unix) Kind() string {
+	return tokUNIX
 }
diff --git a/pkg/aa/userns.go b/pkg/aa/userns.go
index 24087e111..5e9437fab 100644
--- a/pkg/aa/userns.go
+++ b/pkg/aa/userns.go
@@ -34,5 +34,13 @@ func (r *Userns) Equals(other any) bool {
 }
 
 func (r *Userns) String() string {
-	return renderTemplate(tokUSERNS, r)
+	return renderTemplate(r.Kind(), r)
+}
+
+func (r *Userns) Constraint() constraint {
+	return blockKind
+}
+
+func (r *Userns) Kind() string {
+	return tokUSERNS
 }
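Review bot: The exported `Rule` interface in the rules.go hunk gains `Constraint() constraint`, a method whose result type is unexported, so code outside package aa can neither implement Rule nor compare the value it gets back against `anyKind`/`preambleKind`/`blockKind`. If sealing the interface to this package is the intent, state it in the doc comment; if not, export the type and its three constants. Both new interface methods are also undocumented, unlike the exported methods Go convention expects; suggest `// Constraint reports where the rule may appear: the preamble, a profile block, or either.` and `// Kind returns the rule's token, which most String() implementations pass to renderTemplate as the template name.` The three constants carry trailing comments but the `constraint` type itself has none.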