Documentation ¶
Index ¶
- Variables
- func Must[T any](v T, err error) T
- type Abi
- type AddressExpr
- type Alias
- type All
- type AppArmorProfileFile
- func (f *AppArmorProfileFile) Format()
- func (f *AppArmorProfileFile) GetDefaultProfile() *Profile
- func (f *AppArmorProfileFile) MergeRules()
- func (f *AppArmorProfileFile) Parse(input string) error
- func (f *AppArmorProfileFile) Resolve() error
- func (f *AppArmorProfileFile) Sort()
- func (f *AppArmorProfileFile) String() string
- func (f *AppArmorProfileFile) Validate() error
- type AppArmorProfileFiles
- type Capability
- type ChangeProfile
- type Comment
- type Dbus
- type File
- type Hat
- type Header
- type IOUring
- type Include
- type Kind
- type Link
- type Mount
- type MountConditions
- type Mqueue
- type Network
- type PivotRoot
- type Profile
- func (p *Profile) AddRule(log map[string]string)
- func (p *Profile) Constraint() constraint
- func (p *Profile) Equals(other any) bool
- func (p *Profile) Format()
- func (p *Profile) GetAttachments() string
- func (p *Profile) Kind() Kind
- func (p *Profile) Less(other any) bool
- func (p *Profile) Merge()
- func (p *Profile) Sort()
- func (p *Profile) String() string
- func (r *Profile) Validate() error
- type Ptrace
- type Qualifier
- type Remount
- type Rlimit
- type Rule
- type RuleBase
- type Rules
- func (r Rules) Delete(i int) Rules
- func (r Rules) DeleteKind(kind Kind) Rules
- func (r Rules) Filter(filter Kind) Rules
- func (r Rules) Format() Rules
- func (r Rules) GetIncludes() []*Include
- func (r Rules) GetVariables() []*Variable
- func (r Rules) Index(item Rule) int
- func (r Rules) Insert(i int, rules ...Rule) Rules
- func (r Rules) Merge() Rules
- func (r Rules) Replace(i int, rules ...Rule) Rules
- func (r Rules) Sort() Rules
- func (r Rules) String() string
- func (r Rules) Validate() error
- type Signal
- type Umount
- type Unix
- type Userns
- type Variable
Constants ¶
This section is empty.
Variables ¶
var (
	// Default indentation for apparmor profile (2 spaces)
	Indentation = "  "
	// The current indentation level
	IndentationLevel = 0
)
var MagicRoot = paths.New("/etc/apparmor.d")
Default Apparmor magic directory: /etc/apparmor.d/.
Functions ¶
Types ¶
type Abi ¶
func (*Abi) Constraint ¶
func (r *Abi) Constraint() constraint
type AddressExpr ¶
func (AddressExpr) Equals ¶
func (r AddressExpr) Equals(other AddressExpr) bool
func (AddressExpr) Less ¶
func (r AddressExpr) Less(other AddressExpr) bool
type Alias ¶
func (*Alias) Constraint ¶
func (r *Alias) Constraint() constraint
type All ¶
type All struct {
RuleBase
}
func (*All) Constraint ¶
func (r *All) Constraint() constraint
type AppArmorProfileFile ¶
AppArmorProfileFile represents a full apparmor profile file. Warning: it is close to the BNF grammar of an apparmor profile, but not exactly the same (yet):
- Some rules are not supported yet (subprofile, hat...)
- The structure is simplified, as it only aims at writing profiles, not parsing them.
func DefaultTunables ¶
func DefaultTunables() *AppArmorProfileFile
DefaultTunables returns a minimal working profile file used to build the profile. It should not be used when loading files from /etc/apparmor.d.
func NewAppArmorProfile ¶
func NewAppArmorProfile() *AppArmorProfileFile
func (*AppArmorProfileFile) Format ¶
func (f *AppArmorProfileFile) Format()
Format the profile for better readability before printing it. Follow: https://apparmor.pujol.io/development/guidelines/#the-file-block
func (*AppArmorProfileFile) GetDefaultProfile ¶
func (f *AppArmorProfileFile) GetDefaultProfile() *Profile
GetDefaultProfile ensures a profile is always present in the profile file and returns it as the default profile.
func (*AppArmorProfileFile) MergeRules ¶
func (f *AppArmorProfileFile) MergeRules()
MergeRules merges similar rules together. Steps:
- Remove identical rules
- Merge rule access, e.g. for the same path, 'r' and 'w' become 'rw'
Note: logs.regCleanLogs helps a lot to do a first cleaning.
func (*AppArmorProfileFile) Parse ¶
func (f *AppArmorProfileFile) Parse(input string) error
Parse an apparmor profile file.
Only supports parsing of the apparmor file preamble and profile headers.
Warning: it is purposely an incomplete, basic parser for apparmor profiles, aimed only at internal tooling. For "simplicity", it does not use antlr / participle. It is only used for experimental features in the apparmor.d project.
It stops at the first profile header and does not support multiline comma rules.
Current use cases:
- Parse includes and tunables
- Parse variables in the profile preamble and in tunable files
- Parse (sub)profile headers to edit flags
func (*AppArmorProfileFile) Resolve ¶
func (f *AppArmorProfileFile) Resolve() error
Resolve resolves variables and includes defined in the profile preamble.
func (*AppArmorProfileFile) Sort ¶
func (f *AppArmorProfileFile) Sort()
Sort the rules in the profile. Follow: https://apparmor.pujol.io/development/guidelines/#guidelines
func (*AppArmorProfileFile) String ¶
func (f *AppArmorProfileFile) String() string
String returns the formatted representation of a profile file as a string
func (*AppArmorProfileFile) Validate ¶
func (f *AppArmorProfileFile) Validate() error
Validate the profile file
type AppArmorProfileFiles ¶
type AppArmorProfileFiles map[string]*AppArmorProfileFile
AppArmorProfileFiles represents a full set of apparmor profiles
type Capability ¶
func (*Capability) Constraint ¶
func (r *Capability) Constraint() constraint
func (*Capability) Equals ¶
func (r *Capability) Equals(other any) bool
func (*Capability) Kind ¶
func (r *Capability) Kind() Kind
func (*Capability) Less ¶
func (r *Capability) Less(other any) bool
func (*Capability) String ¶
func (r *Capability) String() string
func (*Capability) Validate ¶
func (r *Capability) Validate() error
type ChangeProfile ¶
func (*ChangeProfile) Constraint ¶
func (r *ChangeProfile) Constraint() constraint
func (*ChangeProfile) Equals ¶
func (r *ChangeProfile) Equals(other any) bool
func (*ChangeProfile) Kind ¶
func (r *ChangeProfile) Kind() Kind
func (*ChangeProfile) Less ¶
func (r *ChangeProfile) Less(other any) bool
func (*ChangeProfile) String ¶
func (r *ChangeProfile) String() string
func (*ChangeProfile) Validate ¶
func (r *ChangeProfile) Validate() error
type Comment ¶
type Comment struct {
RuleBase
}
func (*Comment) Constraint ¶
func (r *Comment) Constraint() constraint
func (*Comment) IsPreamble ¶
type Dbus ¶
type Dbus struct {
	RuleBase
	Qualifier
	Access    []string
	Bus       string
	Name      string
	Path      string
	Interface string
	Member    string
	PeerName  string
	PeerLabel string
}
func (*Dbus) Constraint ¶
func (r *Dbus) Constraint() constraint
type File ¶
func (*File) Constraint ¶
func (r *File) Constraint() constraint
type Hat ¶
Hat represents a single AppArmor hat.
func (*Hat) Constraint ¶
func (p *Hat) Constraint() constraint
type IOUring ¶
func (*IOUring) Constraint ¶
func (r *IOUring) Constraint() constraint
type Include ¶
func (*Include) Constraint ¶
func (r *Include) Constraint() constraint
type Kind ¶
type Kind string
Kind represents an AppArmor rule kind.
const (
ALL Kind = "all"
)
const CAPABILITY Kind = "capability"
const CHANGEPROFILE Kind = "change_profile"
const DBUS Kind = "dbus"
const (
HAT Kind = "hat"
)
const IOURING Kind = "io_uring"
const MQUEUE Kind = "mqueue"
const NETWORK Kind = "network"
const PIVOTROOT Kind = "pivot_root"
const (
PROFILE Kind = "profile"
)
const PTRACE Kind = "ptrace"
const (
RLIMIT Kind = "rlimit"
)
const SIGNAL Kind = "signal"
const UNIX Kind = "unix"
const USERNS Kind = "userns"
type Link ¶
func (*Link) Constraint ¶
func (r *Link) Constraint() constraint
type Mount ¶
type Mount struct {
	RuleBase
	Qualifier
	MountConditions
	Source     string
	MountPoint string
}
func (*Mount) Constraint ¶
func (r *Mount) Constraint() constraint
type MountConditions ¶
func (MountConditions) Equals ¶
func (m MountConditions) Equals(other MountConditions) bool
func (MountConditions) Less ¶
func (m MountConditions) Less(other MountConditions) bool
func (MountConditions) Validate ¶
func (m MountConditions) Validate() error
type Mqueue ¶
func (*Mqueue) Constraint ¶
func (r *Mqueue) Constraint() constraint
type Network ¶
func (*Network) Constraint ¶
func (r *Network) Constraint() constraint
type PivotRoot ¶
func (*PivotRoot) Constraint ¶
func (r *PivotRoot) Constraint() constraint
type Profile ¶
Profile represents a single AppArmor profile.
func (*Profile) Constraint ¶
func (p *Profile) Constraint() constraint
func (*Profile) GetAttachments ¶
GetAttachments returns a nested attachment string.
type Ptrace ¶
func (*Ptrace) Constraint ¶
func (r *Ptrace) Constraint() constraint
type Remount ¶
type Remount struct {
	RuleBase
	Qualifier
	MountConditions
	MountPoint string
}
func (*Remount) Constraint ¶
func (r *Remount) Constraint() constraint
type Rlimit ¶
func (*Rlimit) Constraint ¶
func (r *Rlimit) Constraint() constraint
type Rule ¶
type Rule interface {
	Validate() error
	Less(other any) bool
	Equals(other any) bool
	String() string
	Constraint() constraint
	Kind() Kind
}
Rule is the generic interface implemented by all AppArmor rules.
type RuleBase ¶
type RuleBase struct {
	IsLineRule  bool
	Comment     string
	NoNewPrivs  bool
	FileInherit bool
	Prefix      string
	Padding     string
	Optional    bool
}
func (RuleBase) Constraint ¶
func (r RuleBase) Constraint() constraint
type Rules ¶
type Rules []Rule
func (Rules) DeleteKind ¶
func (Rules) Format ¶
Format the rules for better readability before printing it. Follow: https://apparmor.pujol.io/development/guidelines/#the-file-block
func (Rules) GetIncludes ¶
func (Rules) GetVariables ¶
func (Rules) Index ¶
Index returns the index of the first occurrence of rule item in r, or -1 if not present.
func (Rules) Merge ¶
Merge merges similar rules together. Steps:
- Remove identical rules
- Merge rule access, e.g. for the same path, 'r' and 'w' become 'rw'
Note: logs.regCleanLogs helps a lot to do a first cleaning.
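The two merge steps described for MergeRules and Rules.Merge, as an added example that is not the aa package's own code: FileRule is a constructed stand-in for a file rule (the real File type is not shown on this page), and the owner qualifier is kept in the grouping key so that merging never widens a rule across qualifiers.

```go
package main

import "sort"

// FileRule is a constructed stand-in for a file rule: a path, an owner
// qualifier and its access letters. It is not the aa package's own File type.
type FileRule struct {
	Owner  bool
	Path   string
	Access string
}

// sortAccess canonicalises access letters so "wr" and "rw" compare equal.
func sortAccess(a string) string {
	b := []byte(a)
	sort.Slice(b, func(i, j int) bool { return b[i] < b[j] })
	return string(b)
}

// Merge collapses identical rules and unions the access of rules sharing the
// same path and qualifier, so '/x r' and '/x w' become '/x rw'. Rules that
// differ only by qualifier are kept apart: merging them would widen access.
func Merge(rules []FileRule) []FileRule {
	type key struct {
		owner bool
		path  string
	}
	access := map[key]map[byte]bool{}
	var order []key // first-seen order, so output stays stable
	for _, r := range rules {
		k := key{r.Owner, r.Path}
		if access[k] == nil {
			access[k] = map[byte]bool{}
			order = append(order, k)
		}
		for i := 0; i < len(r.Access); i++ {
			access[k][r.Access[i]] = true // identical rules collapse here
		}
	}
	out := make([]FileRule, 0, len(order))
	for _, k := range order {
		var acc []byte
		for c := range access[k] {
			acc = append(acc, c)
		}
		out = append(out, FileRule{k.owner, k.path, sortAccess(string(acc))})
	}
	return out
}
```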
func (Rules) Replace ¶
Replace replaces the element r[i] with the given rules and returns the modified slice.
func (Rules) Sort ¶
Sort the rules according to the guidelines: https://apparmor.pujol.io/development/guidelines/#guidelines
type Signal ¶
func (*Signal) Constraint ¶
func (r *Signal) Constraint() constraint
type Umount ¶
type Umount struct {
	RuleBase
	Qualifier
	MountConditions
	MountPoint string
}
func (*Umount) Constraint ¶
func (r *Umount) Constraint() constraint
type Unix ¶
type Unix struct {
	RuleBase
	Qualifier
	Access    []string
	Type      string
	Protocol  string
	Address   string
	Label     string
	Attr      string
	Opt       string
	PeerLabel string
	PeerAddr  string
}
func (*Unix) Constraint ¶
func (r *Unix) Constraint() constraint
type Userns ¶
func (*Userns) Constraint ¶
func (r *Userns) Constraint() constraint
type Variable ¶
func (*Variable) Constraint ¶
func (r *Variable) Constraint() constraint