1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
* Copyright (C) 2014-2015 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
// Package policy provides helpers for keeping a framework's security policies
// up to date on install/remove.
package policy
import (
"fmt"
"os"
"path/filepath"
"launchpad.net/snappy/helpers"
)
var (
// SecBase is the directory to which the security policies and templates
// are copied
SecBase = "/var/lib/snappy"
)
type policyOp uint
const (
install policyOp = iota
remove
)
func (op policyOp) String() string {
switch op {
case remove:
return "Remove"
case install:
return "Install"
default:
return fmt.Sprintf("policyOp(%d)", op)
}
}
// iterOp iterates over all the files found with the given glob, making the
// basename (with the given prefix prepended) the target file in the given
// target directory. It then performs op on that target file: either copying
// from the globbed file to the target file, or removing the target file.
// Directories are created as needed. Errors out with any of the things that
// could go wrong with this, including a file found by glob not being a
// regular file.
func iterOp(op policyOp, glob, targetDir, prefix string) (err error) {
if err = os.MkdirAll(targetDir, 0755); err != nil {
return fmt.Errorf("unable to make %v directory: %v", targetDir, err)
}
files, err := filepath.Glob(glob)
if err != nil {
// filepath.Glob seems to not return errors ever right
// now. This might be a bug in Go, or it might be by
// design. Better play safe.
return fmt.Errorf("unable to glob %v: %v", glob, err)
}
for _, file := range files {
s, err := os.Lstat(file)
if err != nil {
return fmt.Errorf("unable to stat %v: %v", file, err)
}
if !s.Mode().IsRegular() {
return fmt.Errorf("unable to do %s for %v: not a regular file", op, file)
}
targetFile := filepath.Join(targetDir, prefix+filepath.Base(file))
switch op {
case remove:
if err := os.Remove(targetFile); err != nil {
return fmt.Errorf("unable to remove %v: %v", targetFile, err)
}
case install:
// do the copy
if err := helpers.CopyFile(file, targetFile, helpers.CopyFlagSync); err != nil {
return err
}
default:
return fmt.Errorf("unknown operation %s", op)
}
}
return nil
}
// frameworkOp perform the given operation (either Install or Remove) on the
// given package that's installed in the given path.
func frameworkOp(op policyOp, pkgName, instPath, rootDir string) error {
pol := filepath.Join(instPath, "meta", "framework-policy")
for _, i := range []string{"apparmor", "seccomp"} {
for _, j := range []string{"policygroups", "templates"} {
if err := iterOp(op, filepath.Join(pol, i, j, "*"), filepath.Join(rootDir, SecBase, i, j), pkgName+"_"); err != nil {
return err
}
}
}
return nil
}
// Install sets up the framework's policy from the given snap that's
// installed in the given path.
func Install(pkgName, instPath, rootDir string) error {
return frameworkOp(install, pkgName, instPath, rootDir)
}
// Remove cleans up the framework's policy from the given snap that's
// installed in the given path.
func Remove(pkgName, instPath, rootDir string) error {
return frameworkOp(remove, pkgName, instPath, rootDir)
}
func aaUp(old, new, dir, pfx string) map[string]bool {
return helpers.DirUpdated(filepath.Join(old, dir), filepath.Join(new, dir), pfx)
}
// AppArmorDelta returns which policies and templates are updated in the package
// at newPath, as compared to those installed in the system. The given prefix is
// applied to the keys of the returns maps.
func AppArmorDelta(oldPath, newPath, prefix string) (policies map[string]bool, templates map[string]bool) {
newaa := filepath.Join(newPath, "meta", "framework-policy", "apparmor")
oldaa := filepath.Join(oldPath, "meta", "framework-policy", "apparmor")
return aaUp(oldaa, newaa, "policygroups", prefix), aaUp(oldaa, newaa, "templates", prefix)
}
|