package aa

v0.0.0-...-c3de88e (this version is not the latest version of its module)
Published: Jun 4, 2024 License: GPL-2.0 Imports: 9 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	// Default indentation for apparmor profile (2 spaces)
	Indentation = "  "

	// The current indentation level
	IndentationLevel = 0
)
var MagicRoot = paths.New("/etc/apparmor.d")

Default Apparmor magic directory: /etc/apparmor.d/.

Functions

func Must

func Must[T any](v T, err error) T

Must is a helper that wraps a call to a function returning (T, error) and panics if the error is non-nil.

Types

type Abi

type Abi struct {
	RuleBase
	Path    string
	IsMagic bool
}

func (*Abi) Constraint

func (r *Abi) Constraint() constraint

func (*Abi) Equals

func (r *Abi) Equals(other any) bool

func (*Abi) Kind

func (r *Abi) Kind() Kind

func (*Abi) Less

func (r *Abi) Less(other any) bool

func (*Abi) String

func (r *Abi) String() string

func (*Abi) Validate

func (r *Abi) Validate() error

type AddressExpr

type AddressExpr struct {
	Source      string
	Destination string
	Port        string
}

func (AddressExpr) Equals

func (r AddressExpr) Equals(other AddressExpr) bool

func (AddressExpr) Less

func (r AddressExpr) Less(other AddressExpr) bool

type Alias

type Alias struct {
	RuleBase
	Path          string
	RewrittenPath string
}

func (*Alias) Constraint

func (r *Alias) Constraint() constraint

func (Alias) Equals

func (r Alias) Equals(other any) bool

func (*Alias) Kind

func (r *Alias) Kind() Kind

func (Alias) Less

func (r Alias) Less(other any) bool

func (*Alias) String

func (r *Alias) String() string

func (*Alias) Validate

func (r *Alias) Validate() error

type All

type All struct {
	RuleBase
}

func (*All) Constraint

func (r *All) Constraint() constraint

func (*All) Equals

func (r *All) Equals(other any) bool

func (*All) Kind

func (r *All) Kind() Kind

func (*All) Less

func (r *All) Less(other any) bool

func (*All) String

func (r *All) String() string

func (*All) Validate

func (r *All) Validate() error

type AppArmorProfileFile

type AppArmorProfileFile struct {
	Preamble Rules
	Profiles []*Profile
}

AppArmorProfileFile represents a full AppArmor profile file. Warning: it is close to the BNF grammar of an AppArmor profile, but not exactly the same (yet):

  • Some rules are not supported yet (subprofile, hat...)
  • The structure is simplified, as it only aims at writing profiles, not parsing them.

func DefaultTunables

func DefaultTunables() *AppArmorProfileFile

DefaultTunables returns a minimal working profile file used to build profiles. It should not be used when loading files from /etc/apparmor.d.

func NewAppArmorProfile

func NewAppArmorProfile() *AppArmorProfileFile

func (*AppArmorProfileFile) Format

func (f *AppArmorProfileFile) Format()

Format the profile for better readability before printing it. Follows: https://apparmor.pujol.io/development/guidelines/#the-file-block

func (*AppArmorProfileFile) GetDefaultProfile

func (f *AppArmorProfileFile) GetDefaultProfile() *Profile

GetDefaultProfile ensures a profile is always present in the profile file and returns it as the default profile.

func (*AppArmorProfileFile) MergeRules

func (f *AppArmorProfileFile) MergeRules()

MergeRules merges similar rules together. Steps:

  • Remove identical rules
  • Merge rule access. E.g.: for the same path, 'r' and 'w' become 'rw'

Note: logs.regCleanLogs helps a lot by doing a first cleaning pass

func (*AppArmorProfileFile) Parse

func (f *AppArmorProfileFile) Parse(input string) error

Parse an AppArmor profile file.

Only supports parsing of the AppArmor file preamble and profile headers.

Warning: it is purposely an incomplete, basic parser for AppArmor profiles, aimed only at internal tooling. For simplicity, it does not use antlr / participle. It is only used for experimental features in the apparmor.d project.

Stops at the first profile header. Does not support multi-line comma rules.

Current use cases:

  • Parse includes and tunables
  • Parse variables in the profile preamble and in tunable files
  • Parse (sub)profile headers to edit flags
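
The preamble parser described above, as an added example written for this page rather than code from the aa package: a self-contained Go program that covers two of the three use cases listed, the includes before the first profile header (plain and "if exists", magic <...> and quoted "...") and that header with its flags split out for editing, and that stops at the header as Parse does. Magic includes are resolved against a MagicRoot constant that stands in for the package's paths.Path value; the Include, Header, ParsePreamble and Resolve names and the sample profile text are this example's own, constructed for illustration. Comments (including the legacy #include spelling), the abi line and variable definitions are deliberately skipped, and any other statement before the header is an error, which is the check a practitioner wants from a parser that admits it is incomplete.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// MagicRoot stands in for the package's default magic directory (this
// example's constant; the aa package holds it as a paths.Path value).
const MagicRoot = "/etc/apparmor.d"

// Include is an include as written: <magic/path> or "/quoted/path".
type Include struct {
	Path     string
	IsMagic  bool
	IfExists bool
}

// Header is a profile header with its flags split out for editing.
type Header struct {
	Name        string
	Attachments []string
	Flags       []string
}

// Resolve maps an include to a filesystem path: magic paths live under
// MagicRoot, quoted paths are used exactly as written.
func (i Include) Resolve() string {
	if i.IsMagic {
		return filepath.Join(MagicRoot, i.Path)
	}
	return i.Path
}

func parseInclude(s string) (Include, error) {
	inc := Include{IfExists: strings.HasPrefix(s, "if exists ")}
	s = strings.TrimSpace(strings.TrimPrefix(s, "if exists "))
	if n := len(s); n > 1 && s[0] == '<' && s[n-1] == '>' {
		inc.Path, inc.IsMagic = s[1:n-1], true
	} else if n > 1 && s[0] == '"' && s[n-1] == '"' {
		inc.Path = s[1 : n-1]
	} else {
		return inc, fmt.Errorf("malformed include %q", s)
	}
	return inc, nil
}

func parseHeader(line string) (*Header, error) {
	h := &Header{}
	line = strings.TrimSpace(strings.TrimSuffix(line, "{"))
	if i := strings.Index(line, "flags=("); i >= 0 {
		j := strings.Index(line[i:], ")")
		if j < 0 {
			return nil, fmt.Errorf("unterminated flags in %q", line)
		}
		for _, f := range strings.Split(line[i+7:i+j], ",") {
			if f = strings.TrimSpace(f); f != "" {
				h.Flags = append(h.Flags, f)
			}
		}
		line = line[:i] + line[i+j+1:]
	}
	fields := strings.Fields(strings.TrimPrefix(line, "profile "))
	if len(fields) == 0 {
		return nil, fmt.Errorf("profile header without a name")
	}
	h.Name, h.Attachments = fields[0], fields[1:]
	return h, nil
}

// ParsePreamble collects the includes before the first profile header, returns
// that header and stops. Comments, the abi line and variable definitions are
// skipped; any other statement is an error, because a parser that admits it is
// incomplete must refuse what it cannot model rather than guess.
func ParsePreamble(input string) ([]Include, *Header, error) {
	var includes []Include
	for n, raw := range strings.Split(input, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "profile "), strings.HasSuffix(line, "{"):
			h, err := parseHeader(line)
			if err != nil {
				return nil, nil, fmt.Errorf("line %d: %w", n+1, err)
			}
			return includes, h, nil
		case line == "", strings.HasPrefix(line, "#"), strings.HasPrefix(line, "abi "), strings.HasPrefix(line, "@{"):
			continue
		case strings.HasPrefix(line, "include "):
			inc, err := parseInclude(strings.TrimSpace(line[8:]))
			if err != nil {
				return nil, nil, fmt.Errorf("line %d: %w", n+1, err)
			}
			includes = append(includes, inc)
		default:
			return nil, nil, fmt.Errorf("line %d: unsupported statement %q", n+1, line)
		}
	}
	return includes, nil, nil
}

// sample is constructed for this example; it is not a real apparmor.d profile.
const sample = `abi <abi/3.0>,
include <tunables/global>
include if exists "/etc/apparmor.d/local/foo"
@{exec_path} = /{,usr/}bin/foo
profile foo @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/base>
  @{exec_path} mr,
}`

func main() {
	includes, header, err := ParsePreamble(sample)
	if err != nil {
		panic(err)
	}
	for _, inc := range includes {
		fmt.Println(inc.Resolve(), "optional:", inc.IfExists)
	}
	fmt.Println(header.Name, header.Attachments, header.Flags)
}
```

Refusing unknown statements matters for a tool whose job is to edit flags and write the file back: a line it did not understand must stop the run rather than be silently dropped or rewritten, and the magic-root resolution makes explicit which file on disk an include actually pulls in.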

func (*AppArmorProfileFile) Resolve

func (f *AppArmorProfileFile) Resolve() error

Resolve resolves the variables and includes defined in the profile preamble.
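
Variable handling for the preamble and tunables files, and the expansion Resolve performs, as an added example that is not the package's code: a Go program that parses @{VAR} = and @{VAR} += statements and expands references, deferring expansion until all definitions are read so that a later += (as a site-local tunables file appending to @{HOMEDIRS} does) still contributes values. Variables, ParseVariables and Expand are this example's names and the tunables text is constructed; the error policies (no += on an undefined variable, no second = on a defined one, undefined references and self-references rejected) are the example's own choices, made so that a typo cannot silently widen or empty a path.

```go
package main

import (
	"fmt"
	"strings"
)

// Variables holds preamble variable definitions, one value list per name.
type Variables map[string][]string

// ParseVariables reads the @{NAME} = v1 v2 and @{NAME} += v3 statements of a
// preamble or tunables file and ignores every other line. A += on an undefined
// variable and a second = on a defined one are errors (this example's policy),
// so a typo in a tunables file cannot silently define or clobber a variable.
func ParseVariables(input string) (Variables, error) {
	vars := Variables{}
	for n, raw := range strings.Split(input, "\n") {
		line := strings.TrimSpace(raw)
		if !strings.HasPrefix(line, "@{") {
			continue
		}
		end := strings.Index(line, "}")
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated variable name", n+1)
		}
		name, rest := line[2:end], strings.TrimSpace(line[end+1:])
		_, defined := vars[name]
		switch {
		case strings.HasPrefix(rest, "+=") && defined:
			vars[name] = append(vars[name], strings.Fields(rest[2:])...)
		case strings.HasPrefix(rest, "=") && !defined:
			vars[name] = strings.Fields(rest[1:])
		default:
			return nil, fmt.Errorf("line %d: bad variable statement %q", n+1, line)
		}
	}
	return vars, nil
}

// Expand replaces each @{VAR} in s with every value of VAR, one result per
// combination, re-expanding values that themselves reference variables.
// Expansion is deferred until all definitions are known, so a later += still
// contributes. An undefined variable is an error rather than an empty string:
// otherwise a typo would quietly turn "@{HOME}/.ssh/**" into "/.ssh/**".
func (v Variables) Expand(s string) ([]string, error) { return v.expand(s, 0) }

func (v Variables) expand(s string, depth int) ([]string, error) {
	start := strings.Index(s, "@{")
	if start < 0 {
		return []string{s}, nil
	}
	if depth > 16 {
		return nil, fmt.Errorf("expansion of %q too deep (variable referencing itself?)", s)
	}
	end := strings.Index(s[start:], "}")
	if end < 0 {
		return nil, fmt.Errorf("unterminated variable reference in %q", s)
	}
	name := s[start+2 : start+end]
	values, ok := v[name]
	if !ok {
		return nil, fmt.Errorf("undefined variable @{%s} in %q", name, s)
	}
	var out []string
	for _, val := range values {
		more, err := v.expand(s[:start]+val+s[start+end+1:], depth+1)
		if err != nil {
			return nil, err
		}
		out = append(out, more...)
	}
	return out, nil
}

// tunables is constructed for this example in the shape of a tunables/global
// file followed by a profile preamble; it is not real project data.
const tunables = `# constructed sample
@{HOMEDIRS} = /home/
@{HOME} = @{HOMEDIRS}*/ /root/
@{HOMEDIRS} += /srv/home/
@{exec_path} = /{,usr/}bin/foo
@{exec_path} += /opt/foo/bin/foo`

func main() {
	vars, err := ParseVariables(tunables)
	if err != nil {
		panic(err)
	}
	paths, err := vars.Expand("owner @{HOME}.config/foo/** rw,")
	fmt.Println(paths, err)
}
```

Because @{HOME} is defined in terms of @{HOMEDIRS} and expansion is deferred, the += that comes after the @{HOME} definition still shows up in the expanded paths: the rule above becomes one line each for /home/*/, /srv/home/*/ and /root/.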

func (*AppArmorProfileFile) Sort

func (f *AppArmorProfileFile) Sort()

Sort the rules in the profile. Follows: https://apparmor.pujol.io/development/guidelines/#guidelines

func (*AppArmorProfileFile) String

func (f *AppArmorProfileFile) String() string

String returns the formatted representation of a profile file as a string

func (*AppArmorProfileFile) Validate

func (f *AppArmorProfileFile) Validate() error

Validate the profile file

type AppArmorProfileFiles

type AppArmorProfileFiles map[string]*AppArmorProfileFile

AppArmorProfileFiles represents a full set of apparmor profiles

type Capability

type Capability struct {
	RuleBase
	Qualifier
	Names []string
}

func (*Capability) Constraint

func (r *Capability) Constraint() constraint

func (*Capability) Equals

func (r *Capability) Equals(other any) bool

func (*Capability) Kind

func (r *Capability) Kind() Kind

func (*Capability) Less

func (r *Capability) Less(other any) bool

func (*Capability) String

func (r *Capability) String() string

func (*Capability) Validate

func (r *Capability) Validate() error

type ChangeProfile

type ChangeProfile struct {
	RuleBase
	Qualifier
	ExecMode    string
	Exec        string
	ProfileName string
}

func (*ChangeProfile) Constraint

func (r *ChangeProfile) Constraint() constraint

func (*ChangeProfile) Equals

func (r *ChangeProfile) Equals(other any) bool

func (*ChangeProfile) Kind

func (r *ChangeProfile) Kind() Kind

func (*ChangeProfile) Less

func (r *ChangeProfile) Less(other any) bool

func (*ChangeProfile) String

func (r *ChangeProfile) String() string

func (*ChangeProfile) Validate

func (r *ChangeProfile) Validate() error

type Comment

type Comment struct {
	RuleBase
}

func (*Comment) Constraint

func (r *Comment) Constraint() constraint

func (*Comment) Equals

func (r *Comment) Equals(other any) bool

func (*Comment) IsPreamble

func (r *Comment) IsPreamble() bool

func (*Comment) Kind

func (r *Comment) Kind() Kind

func (*Comment) Less

func (r *Comment) Less(other any) bool

func (*Comment) String

func (r *Comment) String() string

func (*Comment) Validate

func (r *Comment) Validate() error

type Dbus

type Dbus struct {
	RuleBase
	Qualifier
	Access    []string
	Bus       string
	Name      string
	Path      string
	Interface string
	Member    string
	PeerName  string
	PeerLabel string
}

func (*Dbus) Constraint

func (r *Dbus) Constraint() constraint

func (*Dbus) Equals

func (r *Dbus) Equals(other any) bool

func (*Dbus) Kind

func (r *Dbus) Kind() Kind

func (*Dbus) Less

func (r *Dbus) Less(other any) bool

func (*Dbus) String

func (r *Dbus) String() string

func (*Dbus) Validate

func (r *Dbus) Validate() error

type File

type File struct {
	RuleBase
	Qualifier
	Owner  bool
	Path   string
	Access []string
	Target string
}

func (*File) Constraint

func (r *File) Constraint() constraint

func (*File) Equals

func (r *File) Equals(other any) bool

func (*File) Kind

func (r *File) Kind() Kind

func (*File) Less

func (r *File) Less(other any) bool

func (*File) String

func (r *File) String() string

func (*File) Validate

func (r *File) Validate() error

type Hat

type Hat struct {
	RuleBase
	Name  string
	Rules Rules
}

Hat represents a single AppArmor hat.

func (*Hat) Constraint

func (p *Hat) Constraint() constraint

func (*Hat) Equals

func (p *Hat) Equals(other any) bool

func (*Hat) Kind

func (p *Hat) Kind() Kind

func (*Hat) Less

func (p *Hat) Less(other any) bool

func (*Hat) String

func (p *Hat) String() string

func (*Hat) Validate

func (r *Hat) Validate() error

type Header

type Header struct {
	Name        string
	Attachments []string
	Attributes  map[string]string
	Flags       []string
}

Header represents the header of a profile.

type IOUring

type IOUring struct {
	RuleBase
	Qualifier
	Access []string
	Label  string
}

func (*IOUring) Constraint

func (r *IOUring) Constraint() constraint

func (*IOUring) Equals

func (r *IOUring) Equals(other any) bool

func (*IOUring) Kind

func (r *IOUring) Kind() Kind

func (*IOUring) Less

func (r *IOUring) Less(other any) bool

func (*IOUring) String

func (r *IOUring) String() string

func (*IOUring) Validate

func (r *IOUring) Validate() error

type Include

type Include struct {
	RuleBase
	IfExists bool
	Path     string
	IsMagic  bool
}

func (*Include) Constraint

func (r *Include) Constraint() constraint

func (*Include) Equals

func (r *Include) Equals(other any) bool

func (*Include) Kind

func (r *Include) Kind() Kind

func (*Include) Less

func (r *Include) Less(other any) bool

func (*Include) String

func (r *Include) String() string

func (*Include) Validate

func (r *Include) Validate() error

type Kind

type Kind string

Kind represents an AppArmor rule kind.

const (
	LINK Kind = "link"
	FILE Kind = "file"
)
const (
	MOUNT   Kind = "mount"
	REMOUNT Kind = "remount"
	UMOUNT  Kind = "umount"
)
const (
	ABI      Kind = "abi"
	ALIAS    Kind = "alias"
	INCLUDE  Kind = "include"
	VARIABLE Kind = "variable"
	COMMENT  Kind = "comment"
)
const (
	ALL Kind = "all"
)
const CAPABILITY Kind = "capability"
const CHANGEPROFILE Kind = "change_profile"
const DBUS Kind = "dbus"
const (
	HAT Kind = "hat"
)
const IOURING Kind = "io_uring"
const MQUEUE Kind = "mqueue"
const NETWORK Kind = "network"
const PIVOTROOT Kind = "pivot_root"
const (
	PROFILE Kind = "profile"
)
const PTRACE Kind = "ptrace"
const (
	RLIMIT Kind = "rlimit"
)
const SIGNAL Kind = "signal"
const UNIX Kind = "unix"
const USERNS Kind = "userns"

func (Kind) String

func (k Kind) String() string

func (Kind) Tok

func (k Kind) Tok() string

type Link

type Link struct {
	RuleBase
	Qualifier
	Owner  bool
	Subset bool
	Path   string
	Target string
}

func (*Link) Constraint

func (r *Link) Constraint() constraint

func (*Link) Equals

func (r *Link) Equals(other any) bool

func (*Link) Kind

func (r *Link) Kind() Kind

func (*Link) Less

func (r *Link) Less(other any) bool

func (*Link) String

func (r *Link) String() string

func (*Link) Validate

func (r *Link) Validate() error

type Mount

type Mount struct {
	RuleBase
	Qualifier
	MountConditions
	Source     string
	MountPoint string
}

func (*Mount) Constraint

func (r *Mount) Constraint() constraint

func (*Mount) Equals

func (r *Mount) Equals(other any) bool

func (*Mount) Kind

func (r *Mount) Kind() Kind

func (*Mount) Less

func (r *Mount) Less(other any) bool

func (*Mount) String

func (r *Mount) String() string

func (*Mount) Validate

func (r *Mount) Validate() error

type MountConditions

type MountConditions struct {
	FsType  string
	Options []string
}

func (MountConditions) Equals

func (m MountConditions) Equals(other MountConditions) bool

func (MountConditions) Less

func (m MountConditions) Less(other MountConditions) bool

func (MountConditions) Validate

func (m MountConditions) Validate() error

type Mqueue

type Mqueue struct {
	RuleBase
	Qualifier
	Access []string
	Type   string
	Label  string
	Name   string
}

func (*Mqueue) Constraint

func (r *Mqueue) Constraint() constraint

func (*Mqueue) Equals

func (r *Mqueue) Equals(other any) bool

func (*Mqueue) Kind

func (r *Mqueue) Kind() Kind

func (*Mqueue) Less

func (r *Mqueue) Less(other any) bool

func (*Mqueue) String

func (r *Mqueue) String() string

func (*Mqueue) Validate

func (r *Mqueue) Validate() error

type Network

type Network struct {
	RuleBase
	Qualifier
	AddressExpr
	Domain   string
	Type     string
	Protocol string
}

func (*Network) Constraint

func (r *Network) Constraint() constraint

func (*Network) Equals

func (r *Network) Equals(other any) bool

func (*Network) Kind

func (r *Network) Kind() Kind

func (*Network) Less

func (r *Network) Less(other any) bool

func (*Network) String

func (r *Network) String() string

func (*Network) Validate

func (r *Network) Validate() error

type PivotRoot

type PivotRoot struct {
	RuleBase
	Qualifier
	OldRoot       string
	NewRoot       string
	TargetProfile string
}

func (*PivotRoot) Constraint

func (r *PivotRoot) Constraint() constraint

func (*PivotRoot) Equals

func (r *PivotRoot) Equals(other any) bool

func (*PivotRoot) Kind

func (r *PivotRoot) Kind() Kind

func (*PivotRoot) Less

func (r *PivotRoot) Less(other any) bool

func (*PivotRoot) String

func (r *PivotRoot) String() string

func (*PivotRoot) Validate

func (r *PivotRoot) Validate() error

type Profile

type Profile struct {
	RuleBase
	Header
	Rules Rules
}

Profile represents a single AppArmor profile.

func (*Profile) AddRule

func (p *Profile) AddRule(log map[string]string)

func (*Profile) Constraint

func (p *Profile) Constraint() constraint

func (*Profile) Equals

func (p *Profile) Equals(other any) bool

func (*Profile) Format

func (p *Profile) Format()

func (*Profile) GetAttachments

func (p *Profile) GetAttachments() string

GetAttachments returns a nested attachment string.

func (*Profile) Kind

func (p *Profile) Kind() Kind

func (*Profile) Less

func (p *Profile) Less(other any) bool

func (*Profile) Merge

func (p *Profile) Merge()

func (*Profile) Sort

func (p *Profile) Sort()

func (*Profile) String

func (p *Profile) String() string

func (*Profile) Validate

func (r *Profile) Validate() error

type Ptrace

type Ptrace struct {
	RuleBase
	Qualifier
	Access []string
	Peer   string
}

func (*Ptrace) Constraint

func (r *Ptrace) Constraint() constraint

func (*Ptrace) Equals

func (r *Ptrace) Equals(other any) bool

func (*Ptrace) Kind

func (r *Ptrace) Kind() Kind

func (*Ptrace) Less

func (r *Ptrace) Less(other any) bool

func (*Ptrace) String

func (r *Ptrace) String() string

func (*Ptrace) Validate

func (r *Ptrace) Validate() error

type Qualifier

type Qualifier struct {
	Audit      bool
	AccessType string
}

func (Qualifier) Equals

func (r Qualifier) Equals(other Qualifier) bool

func (Qualifier) Less

func (r Qualifier) Less(other Qualifier) bool

type Remount

type Remount struct {
	RuleBase
	Qualifier
	MountConditions
	MountPoint string
}

func (*Remount) Constraint

func (r *Remount) Constraint() constraint

func (*Remount) Equals

func (r *Remount) Equals(other any) bool

func (*Remount) Kind

func (r *Remount) Kind() Kind

func (*Remount) Less

func (r *Remount) Less(other any) bool

func (*Remount) String

func (r *Remount) String() string

func (*Remount) Validate

func (r *Remount) Validate() error

type Rlimit

type Rlimit struct {
	RuleBase
	Key   string
	Op    string
	Value string
}

func (*Rlimit) Constraint

func (r *Rlimit) Constraint() constraint

func (*Rlimit) Equals

func (r *Rlimit) Equals(other any) bool

func (*Rlimit) Kind

func (r *Rlimit) Kind() Kind

func (*Rlimit) Less

func (r *Rlimit) Less(other any) bool

func (*Rlimit) String

func (r *Rlimit) String() string

func (*Rlimit) Validate

func (r *Rlimit) Validate() error

type Rule

type Rule interface {
	Validate() error
	Less(other any) bool
	Equals(other any) bool
	String() string
	Constraint() constraint
	Kind() Kind
}

Rule is the generic interface for all AppArmor rules.

type RuleBase

type RuleBase struct {
	IsLineRule  bool
	Comment     string
	NoNewPrivs  bool
	FileInherit bool
	Prefix      string
	Padding     string
	Optional    bool
}

func (RuleBase) Constraint

func (r RuleBase) Constraint() constraint

func (RuleBase) Equals

func (r RuleBase) Equals(other any) bool

func (RuleBase) Kind

func (r RuleBase) Kind() Kind

func (RuleBase) Less

func (r RuleBase) Less(other any) bool

func (RuleBase) String

func (r RuleBase) String() string

type Rules

type Rules []Rule

func (Rules) Delete

func (r Rules) Delete(i int) Rules

Delete removes the element r[i] from r, returning the modified slice.

func (Rules) DeleteKind

func (r Rules) DeleteKind(kind Kind) Rules

func (Rules) Filter

func (r Rules) Filter(filter Kind) Rules

func (Rules) Format

func (r Rules) Format() Rules

Format the rules for better readability before printing them. Follows: https://apparmor.pujol.io/development/guidelines/#the-file-block

func (Rules) GetIncludes

func (r Rules) GetIncludes() []*Include

func (Rules) GetVariables

func (r Rules) GetVariables() []*Variable

func (Rules) Index

func (r Rules) Index(item Rule) int

Index returns the index of the first occurrence of item in r, or -1 if not present.

func (Rules) Insert

func (r Rules) Insert(i int, rules ...Rule) Rules

Insert inserts the rules into r at index i, returning the modified slice.

func (Rules) Merge

func (r Rules) Merge() Rules

Merge merges similar rules together. Steps:

  • Remove identical rules
  • Merge rule access. E.g.: for the same path, 'r' and 'w' become 'rw'

Note: logs.regCleanLogs helps a lot by doing a first cleaning pass
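
Rule merging as MergeRules and Rules.Merge describe it (drop identical rules, then union the access of rules for the same path), as an added example rather than the package's implementation: a Go program over a minimal FileRule type of its own, with one permission per Access element. It adds the two checks a practitioner needs when merging mechanically: rules are only combined when qualifiers (audit, deny), owner and path all match, so a deny rule is never folded into an allow rule for the same path, and two different exec modes on the same path are reported as a conflict instead of being merged, since the AppArmor parser treats that as conflicting x modifiers. The accessOrder print order and the w/a handling (the two are mutually exclusive in one rule, with w the superset) are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Qualifier mirrors the page's Qualifier: audit flag and access type ("" = allow, "deny").
type Qualifier struct {
	Audit      bool
	AccessType string
}

// FileRule is this example's minimal file rule, not the aa.File type.
// Access holds one permission per element, e.g. "r", "w", "Px".
type FileRule struct {
	Qualifier
	Owner  bool
	Path   string
	Access []string
}

// accessOrder is the print order used here for non-exec permissions (this
// example's choice); an exec mode such as ix or Px is always printed last.
const accessOrder = "mrwalk"

func isExec(a string) bool { return strings.HasSuffix(a, "x") }

// key groups rules that may be merged: same qualifiers, same owner, same path.
func (r FileRule) key() string {
	return fmt.Sprintf("%t|%s|%t|%s", r.Audit, r.AccessType, r.Owner, r.Path)
}

// String renders the rule in AppArmor syntax.
func (r FileRule) String() string {
	var b strings.Builder
	if r.Audit {
		b.WriteString("audit ")
	}
	if r.AccessType != "" {
		b.WriteString(r.AccessType + " ")
	}
	if r.Owner {
		b.WriteString("owner ")
	}
	b.WriteString(r.Path + " " + strings.Join(r.Access, "") + ",")
	return b.String()
}

// addAccess unions one permission into r, refusing the combination the
// AppArmor parser rejects: two different exec modes on one path. "w" and "a"
// are mutually exclusive with "w" the superset, so merging them yields "w".
func (r *FileRule) addAccess(a string) error {
	if !isExec(a) && !strings.Contains(accessOrder, a) {
		return fmt.Errorf("unknown access %q", a)
	}
	for i, have := range r.Access {
		switch {
		case have == a, have == "w" && a == "a":
			return nil
		case have == "a" && a == "w":
			r.Access[i] = "w"
			return nil
		case isExec(have) && isExec(a):
			return fmt.Errorf("conflicting exec modes %s and %s", have, a)
		}
	}
	r.Access = append(r.Access, a)
	return nil
}

// Merge removes duplicate rules and unions the access of rules that differ only
// in access. Rules with different qualifiers are never combined: "deny" and
// allow rules for the same path stay separate, as do owner and non-owner rules.
// First-occurrence order is preserved.
func Merge(rules []FileRule) ([]FileRule, error) {
	index := map[string]int{}
	var out []FileRule
	for _, r := range rules {
		i, seen := index[r.key()]
		if !seen {
			i = len(out)
			index[r.key()] = i
			out = append(out, FileRule{Qualifier: r.Qualifier, Owner: r.Owner, Path: r.Path})
		}
		for _, a := range r.Access {
			if err := out[i].addAccess(a); err != nil {
				return nil, fmt.Errorf("%s: %w", r.Path, err)
			}
		}
	}
	rank := func(a string) int {
		if isExec(a) {
			return len(accessOrder)
		}
		return strings.Index(accessOrder, a)
	}
	for i := range out {
		acc := out[i].Access
		sort.Slice(acc, func(x, y int) bool { return rank(acc[x]) < rank(acc[y]) })
	}
	return out, nil
}

func main() {
	merged, err := Merge([]FileRule{
		{Path: "/etc/foo.conf", Access: []string{"r"}},
		{Path: "/etc/foo.conf", Access: []string{"w"}},
		{Path: "/etc/foo.conf", Access: []string{"r"}},
		{Qualifier: Qualifier{AccessType: "deny"}, Path: "/etc/foo.conf", Access: []string{"w"}},
	})
	fmt.Println(merged, err)
}
```

The conflict check is the part worth keeping when adapting this: a log-driven generator that sees both an "ix" and a "Px" event for the same binary has to surface that to the profile author, because whichever mode it picked silently would change the confinement of the child process.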

func (Rules) Replace

func (r Rules) Replace(i int, rules ...Rule) Rules

Replace replaces the element r[i] with the given rules, and returns the modified slice.

func (Rules) Sort

func (r Rules) Sort() Rules

Sort the rules according to the guidelines: https://apparmor.pujol.io/development/guidelines/#guidelines

func (Rules) String

func (r Rules) String() string

func (Rules) Validate

func (r Rules) Validate() error

type Signal

type Signal struct {
	RuleBase
	Qualifier
	Access []string
	Set    []string
	Peer   string
}

func (*Signal) Constraint

func (r *Signal) Constraint() constraint

func (*Signal) Equals

func (r *Signal) Equals(other any) bool

func (*Signal) Kind

func (r *Signal) Kind() Kind

func (*Signal) Less

func (r *Signal) Less(other any) bool

func (*Signal) String

func (r *Signal) String() string

func (*Signal) Validate

func (r *Signal) Validate() error

type Umount

type Umount struct {
	RuleBase
	Qualifier
	MountConditions
	MountPoint string
}

func (*Umount) Constraint

func (r *Umount) Constraint() constraint

func (*Umount) Equals

func (r *Umount) Equals(other any) bool

func (*Umount) Kind

func (r *Umount) Kind() Kind

func (*Umount) Less

func (r *Umount) Less(other any) bool

func (*Umount) String

func (r *Umount) String() string

func (*Umount) Validate

func (r *Umount) Validate() error

type Unix

type Unix struct {
	RuleBase
	Qualifier
	Access    []string
	Type      string
	Protocol  string
	Address   string
	Label     string
	Attr      string
	Opt       string
	PeerLabel string
	PeerAddr  string
}

func (*Unix) Constraint

func (r *Unix) Constraint() constraint

func (*Unix) Equals

func (r *Unix) Equals(other any) bool

func (*Unix) Kind

func (r *Unix) Kind() Kind

func (*Unix) Less

func (r *Unix) Less(other any) bool

func (*Unix) String

func (r *Unix) String() string

func (*Unix) Validate

func (r *Unix) Validate() error

type Userns

type Userns struct {
	RuleBase
	Qualifier
	Create bool
}

func (*Userns) Constraint

func (r *Userns) Constraint() constraint

func (*Userns) Equals

func (r *Userns) Equals(other any) bool

func (*Userns) Kind

func (r *Userns) Kind() Kind

func (*Userns) Less

func (r *Userns) Less(other any) bool

func (*Userns) String

func (r *Userns) String() string

func (*Userns) Validate

func (r *Userns) Validate() error

type Variable

type Variable struct {
	RuleBase
	Name   string
	Values []string
	Define bool
}

func (*Variable) Constraint

func (r *Variable) Constraint() constraint

func (*Variable) Equals

func (r *Variable) Equals(other any) bool

func (*Variable) Kind

func (r *Variable) Kind() Kind

func (*Variable) Less

func (r *Variable) Less(other any) bool

func (*Variable) String

func (r *Variable) String() string

func (*Variable) Validate

func (r *Variable) Validate() error
