snapd
sandbox/apparmor: add GenerateAAREExclusionPatterns
I just couldn't resist the l33tcodeness of the problem of generating these rules with a helper so I fell into a hole and wrote this complex monster of a helper function.
Hope this helps! :smile:
I only changed the docker-support interface to use this new helper and left TODOs elsewhere in the codebase where it could be used for future follow-ups, in the interest of time. Also happy to drop the docker-support changes to land this more quickly if reviewing it is too complex, but I think it's also useful to see here how it's used in a prototypical manner.
This function is generic (and complex) enough to be able to handle all of the overlapping and wildcard behavior we need in docker-support, and it could also serve to replace numerous other places in the codebase where we need this sort of complex behavior. It is a generalization of the existing aareExclusionPatterns helper, though it's actually unclear if this exact implementation will currently be able to serve the use case from that helper directly or if more options/adjustments are needed to enable that use case as well.
To keep the diff smaller, this patch does not actually change any of the profiles/interfaces; just TODOs are left for where to use it.
Note that the generated rules are slightly more condensed in terms of number of rules but significantly more verbose in terms of alternations, not sharing more of the repeated substrings between alternations inside the patterns. This was done explicitly to keep the generating code simpler and easier to understand, but it may prove to have performance effects, either detrimental or benevolent, and that should be measured before deciding to make the generation code even more complex than it already is.
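To make the "exclusion pattern" idea concrete, here is an added illustration that is not the PR's code and not snapd's existing `aareExclusionPatterns` helper. It generalises the hand-written AppArmor style of `dir/[^s]**, dir/s[^n]**, ...` to any set of excluded paths under one prefix: the excluded suffixes go into a trie, and every trie position emits one pattern whose `[^...]` class rejects each byte that would continue an excluded name (plus `/` at the end of an excluded name, so its whole subtree stays unmatched). Names, the `GenerateExclusionPatterns`/`MatchedByAny` signatures, and the `/foo/bar`, `/foo/baz` sample are all assumptions made for the example; the small AARE-to-regexp translator exists only so the output can be checked offline against sample paths.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// node is one position in a trie of the excluded path suffixes (relative to the prefix).
type node struct {
	children map[byte]*node
	excluded bool // an excluded path ends here; it and everything beneath it stay unmatched
}

// GenerateExclusionPatterns (hypothetical name, not snapd's helper) returns AARE
// patterns that together match every path under prefix except the excluded paths
// and anything below them. Each trie position yields one pattern whose [^...]
// class rejects every byte that continues an excluded name, plus '/' at the end
// of an excluded name so its subtree stays unmatched.
func GenerateExclusionPatterns(prefix string, excludes []string) ([]string, error) {
	if !strings.HasSuffix(prefix, "/") {
		return nil, fmt.Errorf("prefix %q must end with /", prefix)
	}
	root := &node{children: map[byte]*node{}}
	for _, ex := range excludes {
		rel := strings.TrimSuffix(strings.TrimPrefix(ex, prefix), "/")
		if !strings.HasPrefix(ex, prefix) || rel == "" {
			return nil, fmt.Errorf("%q must be strictly under %q", ex, prefix)
		}
		// Metacharacters inside a [^...] class would need escaping; reject them instead.
		if strings.ContainsAny(rel, `[]{}*?^\,`) {
			return nil, fmt.Errorf("%q contains AARE metacharacters", ex)
		}
		n := root
		for i := 0; i < len(rel); i++ {
			if n.children[rel[i]] == nil {
				n.children[rel[i]] = &node{children: map[byte]*node{}}
			}
			n = n.children[rel[i]]
		}
		n.excluded = true
	}
	if len(root.children) == 0 {
		return []string{prefix + "**"}, nil // nothing to exclude
	}
	var out []string
	var walk func(n *node, rel string)
	walk = func(n *node, rel string) {
		keys := make([]byte, 0, len(n.children)+1)
		for c := range n.children {
			keys = append(keys, c)
		}
		if n.excluded && n.children['/'] == nil {
			keys = append(keys, '/')
		}
		sort.Slice(keys, func(i, j int) bool { return keys[i] < keys[j] })
		out = append(out, fmt.Sprintf("%s%s[^%s]**", prefix, rel, string(keys)))
		for _, c := range keys {
			// Skip the synthetic '/' and any child that lies inside an excluded subtree.
			if child := n.children[c]; child != nil && !(n.excluded && c == '/') {
				walk(child, rel+string(c))
			}
		}
	}
	walk(root, "")
	return out, nil
}

// aareToRegexp translates the AARE subset emitted above (** and [^...]) into a
// Go regexp so generated patterns can be sanity-checked against sample paths.
func aareToRegexp(pattern string) (*regexp.Regexp, error) {
	var sb strings.Builder
	sb.WriteString("^")
	for i := 0; i < len(pattern); i++ {
		switch {
		case strings.HasPrefix(pattern[i:], "**"):
			sb.WriteString(".*") // ** crosses directory boundaries
			i++
		case pattern[i] == '[':
			end := strings.IndexByte(pattern[i:], ']')
			if end < 0 {
				return nil, fmt.Errorf("unterminated character class in %q", pattern)
			}
			sb.WriteString(pattern[i : i+end+1])
			i += end
		default:
			sb.WriteString(regexp.QuoteMeta(pattern[i : i+1]))
		}
	}
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// MatchedByAny reports whether path is matched by at least one of patterns.
func MatchedByAny(patterns []string, path string) (bool, error) {
	for _, p := range patterns {
		re, err := aareToRegexp(p)
		if err != nil {
			return false, err
		}
		if re.MatchString(path) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample: allow everything under /foo/ except /foo/bar and /foo/baz.
	patterns, err := GenerateExclusionPatterns("/foo/", []string{"/foo/bar", "/foo/baz"})
	if err != nil {
		panic(err)
	}
	for _, p := range patterns {
		fmt.Printf("%s rwk,\n", p)
	}
}
```

For the sample this yields five rules (`/foo/[^b]**`, `/foo/b[^a]**`, `/foo/ba[^rz]**`, `/foo/bar[^/]**`, `/foo/baz[^/]**`); `/foo/barista` and `/foo/qux/deep` are matched, while `/foo/bar`, `/foo/bar/x` and `/foo/baz` are not. Two caveats worth checking in any real profile: a path that is a strict prefix of an excluded name (here `/foo/ba`) is matched by none of the generated rules, exactly as with the hand-written form, so it needs its own rule if it must be allowed; and the helper refuses AARE metacharacters in excluded names rather than escaping them, which keeps the generator simple at the cost of generality.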
Codecov Report
Merging #11567 (ad1936c) into master (1e7ef66) will increase coverage by 0.02%. The diff coverage is 92.69%.
```diff
@@            Coverage Diff             @@
##           master   #11567      +/-   ##
==========================================
+ Coverage   78.00%   78.03%   +0.02%
==========================================
  Files         939      939
  Lines      109526   110129     +603
==========================================
+ Hits        85441    85938     +497
- Misses      18796    18869      +73
- Partials     5289     5322      +33
```
Flag | Coverage Δ |
---|---|
unittests | 78.03% <92.69%> (+0.02%) :arrow_up: |

Flags with carried forward coverage won't be shown.

Impacted Files | Coverage Δ |
---|---|
interfaces/builtin/home.go | 100.00% <ø> (ø) |
interfaces/builtin/system_backup.go | 100.00% <ø> (ø) |
interfaces/builtin/utils.go | 96.77% <ø> (ø) |
interfaces/builtin/docker_support.go | 83.17% <78.94%> (-5.51%) :arrow_down: |
sandbox/apparmor/apparmor.go | 95.82% <95.73%> (-0.12%) :arrow_down: |
overlord/devicestate/handlers_install.go | 66.46% <0.00%> (-1.05%) :arrow_down: |
overlord/devicestate/devicemgr.go | 78.64% <0.00%> (-0.01%) :arrow_down: |
interfaces/builtin/network_manager.go | 78.94% <0.00%> (ø) |
interfaces/policy/helpers.go | 98.32% <0.00%> (+0.04%) :arrow_up: |
... and 4 more |
(closed and reopened to see if that kicks the GitHub action into doing something ...)