mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
* sandbox/apparmor: add GenerateAAREExclusionPatterns
This function is generic (and complex) enough to be able to handle all of the
overlapping and wildcard behavior we need in docker-support, and it could also
serve to replace numerous other places in the codebase where we need this sort
of complex behavior. It is a generalization of the existing
aareExclusionPatterns helper, though it's actually unclear if this exact
implementation will currently be able to serve the use case from that helper
directly or if more options/adjustments are needed to enable that use case as
well.
To keep the diff smaller, this patch does not actually change any of the
profiles/interfaces, just TODOs are left for where to use it.
Note that the generated rules are slightly more condensed in terms of number of
rules but significantly more verbose in terms of alternations, not sharing more
of repeated substrings between alternations inside the patterns. This was done
explicitly to keep the generating code simpler and easier to understand, but it
may prove to have performance effects, either detrimental or benevolent but
that should be measured before deciding to make the generation code even more
complex than it already is.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/docker-support: generate AARE exclusion patterns with helper func
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* sandbox/apparmor: unexport helper functions
These were not meant to be exported, only the fully generic one is meant to be
exported.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* sandbox/apparmor: fix bug mis-sorting capitalized letters in AARE exclude patt
Thanks to Alberto for spotting this :-)
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* sandbox/apparmor: fix format issues introduced during rebase
* sandbox/apparmor: simplify generateAAREExclusionPatternsGenericImpl
* sandbox/apparmor: add checks for unsupported cases and improve documentation
* sandbox/apparmor: update tests to compare the apparmor binary instead of source
* interfaces/builtin/docker_support: check if userns is supported before adding it to the profile
* interfaces/builtin/docker_support: fix dependencies
* sandbox/apparmor: use placeholders
* i/b/docker_support_test: update TestGenerateAAREExclusionPatterns to use SnapAppSet
* testutil/apparmor: use go crypto/sha1 module instead of system sha1sum command
* {sandbox,testutil}/apparmor: minor format fixes
* move helper to find common prefix to strutil
* add copyright info
* use string builder
* i/b/docker_support_test.go: update accordingly to 277fbc266e (many: add components to interfaces.SnapAppSet (#13837))
* strutil/commonprefix.go: remove extra empty line
* sandbox/apparmor/apparmor.go: sort prefixes to ensure profile is always the same
* sandbox/apparmor/apparmor.go: remove extra empty line
* i/b/docker_support_test: skip TestGenerateAAREExclusionPatterns if apparmor_parser is not usable
---------
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
84 lines
1.5 KiB
Go
// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2018 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */

package strutil_test

import (
	. "gopkg.in/check.v1"

	"github.com/snapcore/snapd/strutil"
)

type commonPrefixSuite struct{}

var _ = Suite(&commonPrefixSuite{})

func (s *commonPrefixSuite) TestCommonPrefix(c *C) {
	tt := []struct {
		patterns     []string
		commonPrefix string
		err          string
	}{
		{
			[]string{},
			"",
			"no patterns provided",
		},
		{
			[]string{
				"/one/single/pattern",
			},
			"/one/single/pattern",
			"",
		},
		{
			[]string{
				"/pattern/n/one",
				"/pattern/n/two",
			},
			"/pattern/n/",
			"",
		},
		{
			[]string{
				"/one/",
				"/one/two/",
			},
			"/one/",
			"",
		},
		{
			[]string{
				"$ONE",
				"/one/two/",
			},
			"",
			"",
		},
	}

	for _, t := range tt {
		commonPrefix, err := strutil.FindCommonPrefix(t.patterns)
		c.Assert(commonPrefix, Equals, t.commonPrefix)
		if t.err != "" {
			c.Assert(err, ErrorMatches, t.err)
		}
	}
}
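The exclusion technique the first commit message describes, as an added illustration that is not snapd's code: a generator that turns a list of excluded path prefixes into AppArmor AARE globs matching everything else, grouping excludes by the prefixes they share (the job of the common-prefix helper tested above), sorting its output so the profile text is stable, and rejecting the unsupported cases (relative paths, AARE metacharacters). The function name, error strings and sample excludes are my own; the rules are emitted one per prefix rather than folded into alternations.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// GenerateExclusionPatterns returns AARE globs that together match every
// absolute path except those under one of excludes: each proper prefix p of
// an exclude, with c1..cn the sorted characters that follow p in some exclude,
// yields "p[^c1..cn]**". Prefixes under a shorter exclude are skipped, and an
// exclude holding an AARE metacharacter is rejected (it would change the match).
func GenerateExclusionPatterns(excludes []string) ([]string, error) {
	if len(excludes) == 0 {
		return []string{"/**"}, nil // nothing to exclude
	}
	follow := map[string]string{}  // proper prefix -> characters following it
	isExclude := map[string]bool{} // lets the emit loop stop under an exclude
	for _, ex := range excludes {
		if !strings.HasPrefix(ex, "/") || strings.ContainsAny(ex, `*?[]{}^,\`) {
			return nil, fmt.Errorf("unsupported exclude %q", ex)
		}
		isExclude[ex] = true
		for i := 1; i < len(ex); i++ {
			if strings.IndexByte(follow[ex[:i]], ex[i]) < 0 {
				follow[ex[:i]] += ex[i : i+1]
			}
		}
	}
	sort.Strings(excludes) // sorts in place; the output order is then stable
	done := map[string]bool{}
	var rules []string
	for _, ex := range excludes {
		for i := 1; i < len(ex) && !isExclude[ex[:i]]; i++ {
			if p := ex[:i]; !done[p] {
				done[p] = true
				chars := []byte(follow[p])
				sort.Slice(chars, func(a, b int) bool { return chars[a] < chars[b] })
				rules = append(rules, fmt.Sprintf("%s[^%s]**", p, chars))
			}
		}
	}
	return rules, nil
}

func main() {
	rules, _ := GenerateExclusionPatterns([]string{"/usr/lib/snapd/", "/snap/"})
	fmt.Println(strings.Join(rules, " rw,\n") + " rw,")
}
```

A path equal to an interior prefix of an exclude (the directory /snap itself when excluding /snap/) is matched by none of the emitted rules, so it needs its own rule if it should be reachable.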