forked from canonical/snapd
sandbox/apparmor: aare exclusion rule generation (canonical#13488)
* sandbox/apparmor: add GenerateAAREExclusionPatterns

  This function is generic (and complex) enough to be able to handle all of the overlapping and wildcard behavior we need in docker-support, and it could also serve to replace numerous other places in the codebase where we need this sort of complex behavior. It is a generalization of the existing aareExclusionPatterns helper, though it's actually unclear if this exact implementation will currently be able to serve the use case from that helper directly or if more options/adjustments are needed to enable that use case as well.

  To keep the diff smaller, this patch does not actually change any of the profiles/interfaces; just TODOs are left for where to use it.

  Note that the generated rules are slightly more condensed in terms of number of rules but significantly more verbose in terms of alternations, not sharing more of repeated substrings between alternations inside the patterns. This was done explicitly to keep the generating code simpler and easier to understand, but it may prove to have performance effects, either detrimental or benevolent, but that should be measured before deciding to make the generation code even more complex than it already is.

  Signed-off-by: Ian Johnson <[email protected]>

* interfaces/docker-support: generate AARE exclusion patterns with helper func

  Signed-off-by: Ian Johnson <[email protected]>

* sandbox/apparmor: unexport helper functions

  These were not meant to be exported; only the fully generic one is meant to be exported.

  Signed-off-by: Ian Johnson <[email protected]>

* sandbox/apparmor: fix bug mis-sorting capitalized letters in AARE exclude patt

  Thanks to Alberto for spotting this :-)

  Signed-off-by: Ian Johnson <[email protected]>

* sandbox/apparmor: fix format issues introduced during rebase
* sandbox/apparmor: simplify generateAAREExclusionPatternsGenericImpl
* sandbox/apparmor: add checks for unsupported cases and improve documentation
* sandbox/apparmor: update tests to compare the apparmor binary instead of source
* interfaces/builtin/docker_support: check if userns is supported before adding it to the profile
* interfaces/builtin/docker_support: fix dependencies
* sandbox/apparmor: use placeholders
* i/b/docker_support_test: update TestGenerateAAREExclusionPatterns to use SnapAppSet
* testutil/apparmor: use go crypto/sha1 module instead of system sha1sum command
* {sandbox,testutil}/apparmor: minor format fixes
* move helper to find common prefix to strutil
* add copyright info
* use string builder
* i/b/docker_support_test.go: update accordingly to 277fbc2 (many: add components to interfaces.SnapAppSet (canonical#13837))
* strutil/commonprefix.go: remove extra empty line
* sandbox/apparmor/apparmor.go: sort prefixes to ensure profile is always the same
* sandbox/apparmor/apparmor.go: remove extra empty line
* i/b/docker_support_test: skip TestGenerateAAREExclusionPatterns if apparmor_parser is not usable

---------

Signed-off-by: Ian Johnson <[email protected]>
Co-authored-by: Ian Johnson <[email protected]>
1 parent 0476394, commit 265b7c4. Showing 12 changed files with 1,527 additions and 277 deletions.
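To illustrate the kind of rule set the commit message describes (one AARE glob per character position, negating the next character of every excluded prefix, with prefixes sorted bytewise so that capitalized letters land in a deterministic place), here is a small, self-contained generator. It is an added example, not snapd's GenerateAAREExclusionPatterns nor any code from this commit; it uses its own trie-based approach and its own function name, and it does not reproduce the exact output format of the project's helper.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

type trieNode struct { // one character position in the trie of excluded prefixes
	children map[byte]*trieNode
	terminal bool // an excluded prefix ends at this node
}

// aareExclusionRules returns AppArmor AARE globs which together match every path
// under root except paths at or below one of the excluded prefixes. Limitation of
// this example: a path that is a strict prefix of an exclusion (e.g. "/sys/f" for
// exclusion "/sys/fs/") is not matched by any generated rule either.
func aareExclusionRules(root string, excluded []string) ([]string, error) {
	if len(excluded) == 0 { return []string{root + "**"}, nil } // nothing to carve out
	trie := &trieNode{children: map[byte]*trieNode{}}
	for _, p := range excluded {
		// Only plain, strictly-longer-than-root, metacharacter-free prefixes are supported.
		if !strings.HasPrefix(p, root) || len(p) == len(root) ||
			strings.ContainsAny(p[len(root):], `*?[]{}^\`) {
			return nil, fmt.Errorf("unsupported exclusion %q for root %q", p, root)
		}
		n := trie
		for i := len(root); i < len(p); i++ {
			if n.children[p[i]] == nil {
				n.children[p[i]] = &trieNode{children: map[byte]*trieNode{}}
			}
			n = n.children[p[i]]
		}
		n.terminal = true
	}
	var rules []string
	var walk func(n *trieNode, prefix string)
	walk = func(n *trieNode, prefix string) {
		if n.terminal { return } // everything at or below an excluded prefix stays excluded
		keys := make([]string, 0, len(n.children))
		for c := range n.children {
			keys = append(keys, string(c))
		}
		sort.Strings(keys) // byte order: deterministic output, and 'A' sorts before 'a'
		// Any path whose next character is not the start of an excluded branch is allowed.
		rules = append(rules, prefix+"[^"+strings.Join(keys, "")+"]**")
		for _, k := range keys {
			walk(n.children[k[0]], prefix+k)
		}
	}
	walk(trie, root)
	return rules, nil
}
```

For root "/sys/" with exclusions "/sys/fs/cgroup/" and "/sys/firmware/" the first rules are "/sys/[^f]**" and "/sys/f[^is]**", after which each branch is negated one character at a time until the excluded prefix is fully spelled out.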