Documentation
Overview
Package requestrules provides support for storing request rules for AppArmor prompting.
Index
- type Rule
- type RuleDB
- func (rdb *RuleDB) AddRule(user uint32, snap string, iface string, constraints *prompting.Constraints, ...) (*Rule, error)
- func (rdb *RuleDB) Close() error
- func (rdb *RuleDB) IsPathAllowed(user uint32, snap string, iface string, path string, permission string) (bool, error)
- func (rdb *RuleDB) PatchRule(user uint32, id prompting.IDType, constraints *prompting.Constraints, ...) (r *Rule, err error)
- func (rdb *RuleDB) RemoveRule(user uint32, id prompting.IDType) (*Rule, error)
- func (rdb *RuleDB) RemoveRulesForInterface(user uint32, iface string) ([]*Rule, error)
- func (rdb *RuleDB) RemoveRulesForSnap(user uint32, snap string) ([]*Rule, error)
- func (rdb *RuleDB) RemoveRulesForSnapInterface(user uint32, snap string, iface string) ([]*Rule, error)
- func (rdb *RuleDB) RuleWithID(user uint32, id prompting.IDType) (*Rule, error)
- func (rdb *RuleDB) Rules(user uint32) []*Rule
- func (rdb *RuleDB) RulesForInterface(user uint32, iface string) []*Rule
- func (rdb *RuleDB) RulesForSnap(user uint32, snap string) []*Rule
- func (rdb *RuleDB) RulesForSnapInterface(user uint32, snap string, iface string) []*Rule
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Rule
type Rule struct {
	ID          prompting.IDType       `json:"id"`
	Timestamp   time.Time              `json:"timestamp"`
	User        uint32                 `json:"user"`
	Snap        string                 `json:"snap"`
	Interface   string                 `json:"interface"`
	Constraints *prompting.Constraints `json:"constraints"`
	Outcome     prompting.OutcomeType  `json:"outcome"`
	Lifespan    prompting.LifespanType `json:"lifespan"`
	Expiration  time.Time              `json:"expiration,omitempty"`
}
Rule stores the contents of a request rule.
type RuleDB
type RuleDB struct {
// contains filtered or unexported fields
}
RuleDB stores a mapping from rule ID to rule, and a tree of rule IDs searchable by user, snap, interface, permission, and pattern variant.
func New
func New(notifyRule func(userID uint32, ruleID prompting.IDType, data map[string]string) error) (*RuleDB, error)
New creates a new rule database, loads existing rules from the database file, and returns the populated database.
The given notifyRule closure may be called before `New()` returns, if a previously-saved rule has expired or if there are conflicts between rules.
The given notifyRule closure will be called when a rule is added, modified, expired, or removed. In order to guarantee the order of notices, notifyRule is called with the prompt DB lock held, so it should not block for a substantial amount of time (such as to lock and modify snapd state).
func (*RuleDB) AddRule
func (rdb *RuleDB) AddRule(user uint32, snap string, iface string, constraints *prompting.Constraints, outcome prompting.OutcomeType, lifespan prompting.LifespanType, duration string) (*Rule, error)
AddRule creates a rule with the given information and adds it to the rule database. If any of the given parameters are invalid, it returns an error. Otherwise, it returns the newly-added rule and saves the database to disk.
func (*RuleDB) IsPathAllowed
func (rdb *RuleDB) IsPathAllowed(user uint32, snap string, iface string, path string, permission string) (bool, error)
IsPathAllowed checks whether the given path with the given permission is allowed or denied by existing rules for the given user, snap, and interface. If no rule applies, returns prompting_errors.ErrNoMatchingRule.
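As an added example, not code from the requestrules package: a self-contained Go model of the lookup semantics described above. It assumes a single permission string and a path.Match glob in place of the real Constraints and pattern variants, an explicit now argument in place of the wall clock, and a deny rule taking precedence over an overlapping allow rule, which is this model's choice and not something the page specifies.

```go
package main

import (
	"errors"
	"path"
	"time"
)

var ErrNoMatchingRule = errors.New("no matching rule") // stands in for prompting_errors.ErrNoMatchingRule

// Rule is a reduced stand-in for the package's Rule: one permission and a
// path glob instead of the real Constraints (an assumption of this model).
type Rule struct {
	ID         uint64
	User       uint32
	Snap       string
	Interface  string
	Permission string
	Pattern    string    // matched with path.Match, not the package's own pattern variants
	Allow      bool      // true for an allow outcome, false for a deny outcome
	Expiration time.Time // zero value means the rule never expires
}

// RuleDB keeps rules by ID; the real type also builds a search tree.
type RuleDB struct{ rules map[uint64]*Rule }

func NewRuleDB() *RuleDB { return &RuleDB{rules: map[uint64]*Rule{}} }

func (db *RuleDB) AddRule(r Rule) { db.rules[r.ID] = &r }

// IsPathAllowed only considers rules for the same user, snap, interface and
// permission, skips expired rules, and lets a matching deny rule win over a
// matching allow rule (this model's choice). The now argument replaces the clock.
func (db *RuleDB) IsPathAllowed(user uint32, snap, iface, p, perm string, now time.Time) (bool, error) {
	matched, allowed := false, true
	for _, r := range db.rules {
		expired := !r.Expiration.IsZero() && !now.Before(r.Expiration)
		if r.User != user || r.Snap != snap || r.Interface != iface || r.Permission != perm || expired {
			continue
		}
		if ok, _ := path.Match(r.Pattern, p); ok {
			matched, allowed = true, allowed && r.Allow
		}
	}
	if !matched {
		return false, ErrNoMatchingRule
	}
	return allowed, nil
}
```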
func (*RuleDB) PatchRule
func (rdb *RuleDB) PatchRule(user uint32, id prompting.IDType, constraints *prompting.Constraints, outcome prompting.OutcomeType, lifespan prompting.LifespanType, duration string) (r *Rule, err error)
PatchRule modifies the rule with the given ID by updating the rule's fields corresponding to any of the given parameters which are set/non-empty.
Any of the parameters which are equal to the default/unset value for their types are left unchanged from the existing rule. Even if the given new rule contents exactly match the existing rule contents, the timestamp of the rule is updated to the current time. If there is any error while modifying the rule, the rule is rolled back to its previous unmodified state, leaving the database unchanged. If the database is changed, it is saved to disk.
func (*RuleDB) RemoveRule
func (rdb *RuleDB) RemoveRule(user uint32, id prompting.IDType) (*Rule, error)
RemoveRule removes the rule with the given ID from the rule database. If the rule does not apply to the given user, returns prompting_errors.ErrRuleNotAllowed. If successful, saves the database to disk.
func (*RuleDB) RemoveRulesForInterface
func (rdb *RuleDB) RemoveRulesForInterface(user uint32, iface string) ([]*Rule, error)
RemoveRulesForInterface removes all rules pertaining to the given interface for the user with the given user ID.
func (*RuleDB) RemoveRulesForSnap
func (rdb *RuleDB) RemoveRulesForSnap(user uint32, snap string) ([]*Rule, error)
RemoveRulesForSnap removes all rules pertaining to the given snap for the user with the given user ID.
func (*RuleDB) RemoveRulesForSnapInterface
func (rdb *RuleDB) RemoveRulesForSnapInterface(user uint32, snap string, iface string) ([]*Rule, error)
RemoveRulesForSnapInterface removes all rules pertaining to the given snap and interface for the user with the given user ID.
func (*RuleDB) RuleWithID
func (rdb *RuleDB) RuleWithID(user uint32, id prompting.IDType) (*Rule, error)
RuleWithID returns the rule with the given ID. If the rule is not found, returns ErrRuleNotFound. If the rule does not apply to the given user, returns prompting_errors.ErrRuleNotAllowed.
func (*RuleDB) RulesForInterface
func (rdb *RuleDB) RulesForInterface(user uint32, iface string) []*Rule
RulesForInterface returns all rules which apply to the given user and interface.
func (*RuleDB) RulesForSnap
func (rdb *RuleDB) RulesForSnap(user uint32, snap string) []*Rule
RulesForSnap returns all rules which apply to the given user and snap.