Documentation
Overview
Package requestrules provides support for storing request rules for AppArmor prompting.
Index
- type Rule
- type RuleDB
- func (rdb *RuleDB) AddRule(user uint32, snap string, iface string, constraints *prompting.Constraints) (*Rule, error)
- func (rdb *RuleDB) Close() error
- func (rdb *RuleDB) IsPathAllowed(user uint32, snap string, iface string, path string, permission string) (bool, error)
- func (rdb *RuleDB) PatchRule(user uint32, id prompting.IDType, ...) (r *Rule, err error)
- func (rdb *RuleDB) RemoveRule(user uint32, id prompting.IDType) (*Rule, error)
- func (rdb *RuleDB) RemoveRulesForInterface(user uint32, iface string) ([]*Rule, error)
- func (rdb *RuleDB) RemoveRulesForSnap(user uint32, snap string) ([]*Rule, error)
- func (rdb *RuleDB) RemoveRulesForSnapInterface(user uint32, snap string, iface string) ([]*Rule, error)
- func (rdb *RuleDB) RuleWithID(user uint32, id prompting.IDType) (*Rule, error)
- func (rdb *RuleDB) Rules(user uint32) []*Rule
- func (rdb *RuleDB) RulesForInterface(user uint32, iface string) []*Rule
- func (rdb *RuleDB) RulesForSnap(user uint32, snap string) []*Rule
- func (rdb *RuleDB) RulesForSnapInterface(user uint32, snap string, iface string) []*Rule
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Rule
type Rule struct {
	ID          prompting.IDType           `json:"id"`
	Timestamp   time.Time                  `json:"timestamp"`
	User        uint32                     `json:"user"`
	Snap        string                     `json:"snap"`
	Interface   string                     `json:"interface"`
	Constraints *prompting.RuleConstraints `json:"constraints"`
}
Rule stores the contents of a request rule.
type RuleDB
type RuleDB struct {
// contains filtered or unexported fields
}
RuleDB stores a mapping from rule ID to rule, and a tree of rule IDs searchable by user, snap, interface, permission, and pattern variant.
func New
func New(notifyRule func(userID uint32, ruleID prompting.IDType, data map[string]string) error) (*RuleDB, error)
New creates a new rule database, loads existing rules from the database file, and returns the populated database.
The given notifyRule closure may be called before `New()` returns, if a previously-saved rule has expired or if there are conflicts between rules.
The given notifyRule closure will be called when a rule is added, modified, expired, or removed. In order to guarantee the order of notices, notifyRule is called with the prompt DB lock held, so it should not block for a substantial amount of time (such as to lock and modify snapd state).
func (*RuleDB) AddRule
func (rdb *RuleDB) AddRule(user uint32, snap string, iface string, constraints *prompting.Constraints) (*Rule, error)
AddRule creates a rule with the given information and adds it to the rule database. If any of the given parameters are invalid, returns an error. Otherwise, saves the database to disk and returns the newly-added rule.
func (*RuleDB) IsPathAllowed
func (rdb *RuleDB) IsPathAllowed(user uint32, snap string, iface string, path string, permission string) (bool, error)
IsPathAllowed checks whether the given path with the given permission is allowed or denied by existing rules for the given user, snap, and interface. If no rule applies, returns prompting_errors.ErrNoMatchingRule.
func (*RuleDB) PatchRule
func (rdb *RuleDB) PatchRule(user uint32, id prompting.IDType, constraintsPatch *prompting.RuleConstraintsPatch) (r *Rule, err error)
PatchRule modifies the rule with the given ID by updating the rule's constraints for any patch field or permission which is set/non-empty.
If the path pattern is nil in the patch, it is left unchanged from the existing rule. Any permissions which are omitted from the permissions map in the patch are left unchanged from the existing rule. To remove an existing permission from the rule, the permission in the patch should map to nil.
Permission entries must be provided as complete units, containing both outcome and lifespan (and duration, if lifespan is timespan). Since neither outcome nor lifespan is omitempty, the unmarshaller enforces this for us.
Even if the given patch contents exactly match the existing rule contents, the timestamp of the rule is updated to the current time. If there is any error while modifying the rule, the rule is rolled back to its previous unmodified state, leaving the database unchanged. If the database is changed, it is saved to disk.
XXX: Is there a client use-case for this API method? Clients can always delete a rule and re-add it later, which is basically what this method already does.
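The merge semantics above (nil path pattern and omitted permissions left unchanged, a nil permission entry removing that permission, entries validated as complete units, timestamp refreshed, and rollback to the unmodified rule on error) as an added, self-contained illustration; the types here are simplified hypothetical stand-ins, not snapd's own prompting types, and applyPatch is not the package's PatchRule implementation.

```go
package main

import (
	"errors"
	"time"
)

// Simplified stand-ins for the prompting types (hypothetical, not snapd's own).
type PermissionEntry struct {
	Outcome  string        // e.g. "allow" or "deny"
	Lifespan string        // e.g. "forever", "session", "timespan"
	Duration time.Duration // required only when Lifespan == "timespan"
}
type RuleConstraints struct {
	PathPattern string
	Permissions map[string]PermissionEntry
}
type RuleConstraintsPatch struct {
	PathPattern *string                     // nil: keep the existing pattern
	Permissions map[string]*PermissionEntry // omitted key: unchanged; nil value: remove
}
type Rule struct {
	Timestamp   time.Time
	Constraints RuleConstraints
}

var ErrIncompleteEntry = errors.New("permission entry must include outcome and lifespan")

// applyPatch merges patch into r; on any validation error it returns the
// original rule untouched (the rollback described for PatchRule).
func applyPatch(r Rule, patch RuleConstraintsPatch, now time.Time) (Rule, error) {
	updated := r // struct copy; the permissions map is copied below so r is never mutated
	updated.Constraints.Permissions = make(map[string]PermissionEntry, len(r.Constraints.Permissions))
	for k, v := range r.Constraints.Permissions {
		updated.Constraints.Permissions[k] = v
	}
	if patch.PathPattern != nil {
		updated.Constraints.PathPattern = *patch.PathPattern
	}
	for perm, entry := range patch.Permissions {
		if entry == nil {
			delete(updated.Constraints.Permissions, perm) // nil in the patch removes the permission
			continue
		}
		if entry.Outcome == "" || entry.Lifespan == "" || (entry.Lifespan == "timespan" && entry.Duration == 0) {
			return r, ErrIncompleteEntry // incomplete unit: roll back, leave rule unchanged
		}
		updated.Constraints.Permissions[perm] = *entry
	}
	updated.Timestamp = now // refreshed even when the patch matches the existing rule exactly
	return updated, nil
}
```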
func (*RuleDB) RemoveRule
RemoveRule removes the rule with the given ID from the rule database. If the rule does not apply to the given user, returns prompting_errors.ErrRuleNotAllowed. If successful, saves the database to disk.
func (*RuleDB) RemoveRulesForInterface
RemoveRulesForInterface removes all rules pertaining to the given interface for the user with the given user ID.
func (*RuleDB) RemoveRulesForSnap
RemoveRulesForSnap removes all rules pertaining to the given snap for the user with the given user ID.
func (*RuleDB) RemoveRulesForSnapInterface
func (rdb *RuleDB) RemoveRulesForSnapInterface(user uint32, snap string, iface string) ([]*Rule, error)
RemoveRulesForSnapInterface removes all rules pertaining to the given snap and interface for the user with the given user ID.
func (*RuleDB) RuleWithID
RuleWithID returns the rule with the given ID. If the rule is not found, returns ErrRuleNotFound. If the rule does not apply to the given user, returns prompting_errors.ErrRuleNotAllowed.
func (*RuleDB) RulesForInterface
RulesForInterface returns all rules which apply to the given user and interface.
func (*RuleDB) RulesForSnap
RulesForSnap returns all rules which apply to the given user and snap.