From d350b0e9d269940596af7ec28d12c3408b4754ec Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 2 Nov 2023 21:25:57 +0530 Subject: [PATCH] fix: use backtick to format static strings used in apparmor profiles (#1270) * enhance: use backtick to format static strings used in apparmor profiles Signed-off-by: revolyssup * remove redundant spaces Signed-off-by: Ashish Tiwari --------- Signed-off-by: revolyssup Signed-off-by: Ashish Tiwari --- KubeArmor/enforcer/appArmorEnforcer.go | 114 +++++++++++----------- KubeArmor/enforcer/appArmorHostProfile.go | 37 ++++--- 2 files changed, 74 insertions(+), 77 deletions(-) diff --git a/KubeArmor/enforcer/appArmorEnforcer.go b/KubeArmor/enforcer/appArmorEnforcer.go index 7b239dc52f..99cc8a12eb 100644 --- a/KubeArmor/enforcer/appArmorEnforcer.go +++ b/KubeArmor/enforcer/appArmorEnforcer.go 
@@ -49,43 +49,42 @@ func NewAppArmorEnforcer(node tp.Node, logger *fd.Feeder) *AppArmorEnforcer { ae.Logger = logger // default profile - ae.ApparmorDefault = "## == Managed by KubeArmor == ##\n" + - "\n" + - "#include \n" + - "\n" + - "profile apparmor-default flags=(attach_disconnected,mediate_deleted) {\n" + - " ## == PRE START == ##\n" + - " #include \n" + - " umount,\n" + - " file,\n" + - " network,\n" + - " capability,\n" + - " ## == PRE END == ##\n" + - "\n" + - " ## == POLICY START == ##\n" + - " ## == POLICY END == ##\n" + - "\n" + - " ## == POST START == ##\n" + - " /lib/x86_64-linux-gnu/{*,**} rm,\n" + - "\n" + - " deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,\n" + - " deny @{PROC}/sysrq-trigger rwklx,\n" + - " deny @{PROC}/mem rwklx,\n" + - " deny @{PROC}/kmem rwklx,\n" + - " deny @{PROC}/kcore rwklx,\n" + - "\n" + - " deny mount,\n" + - "\n" + - " deny /sys/[^f]*/** wklx,\n" + - " deny /sys/f[^s]*/** wklx,\n" + - " deny /sys/fs/[^c]*/** wklx,\n" + - " deny /sys/fs/c[^g]*/** wklx,\n" + - " deny /sys/fs/cg[^r]*/** wklx,\n" + - " deny /sys/firmware/efi/efivars/** rwklx,\n" + - " deny /sys/kernel/security/** rwklx,\n" + - " ## == POST END == ##\n" + - "}\n" - + ae.ApparmorDefault = `## == Managed by KubeArmor == ## + +#include +profile apparmor-default flags=(attach_disconnected,mediate_deleted) { +## == PRE START == ## +#include +umount, +file, +network, +capability, +## == PRE END == ## + +## == POLICY START == ## +## == POLICY END == ## + +## == POST START == ## +/lib/x86_64-linux-gnu/{*,**} rm, + +deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx, +deny @{PROC}/sysrq-trigger rwklx, +deny @{PROC}/mem rwklx, +deny @{PROC}/kmem rwklx, +deny @{PROC}/kcore rwklx, + +deny mount, + +deny /sys/[^f]*/** wklx, +deny /sys/f[^s]*/** wklx, +deny /sys/fs/[^c]*/** wklx, +deny /sys/fs/c[^g]*/** wklx, +deny /sys/fs/cg[^r]*/** wklx, +deny /sys/firmware/efi/efivars/** rwklx, +deny /sys/kernel/security/** rwklx, +## == POST END == ## +} +` // host profile ae.HostProfile = 
"" @@ -340,28 +339,27 @@ func (ae *AppArmorEnforcer) CreateAppArmorHostProfile() error { return nil } - apparmorHostDefault := "## == Managed by KubeArmor == ##\n" + - "\n" + - "#include \n" + - "\n" + - "profile kubearmor.host /{usr/,}bin/*sh flags=(attach_disconnected,mediate_deleted) {\n" + - " ## == PRE START == ##\n" + - " #include \n" + - " mount,\n" + - " umount,\n" + - " signal,\n" + - " unix,\n" + - " ptrace,\n" + - "\n" + - " file,\n" + - " network,\n" + - " capability,\n" + - " ## == PRE END == ##\n" + - "\n" + - " ## == POLICY START == ##\n" + - " ## == POLICY END == ##\n" + - "}\n" + apparmorHostDefault := `## == Managed by KubeArmor == ## +#include + +profile kubearmor.host /{usr/,}bin/*sh flags=(attach_disconnected,mediate_deleted) { +## == PRE START == ## +#include +mount, +umount, +signal, +unix, +ptrace, +file, +network, +capability, +## == PRE END == ## + +## == POLICY START == ## +## == POLICY END == ## +} +` newfile, err := os.Create(filepath.Clean(appArmorHostFile)) if err != nil { ae.Logger.Warnf("Unable to open the KubeArmor host profile in %s (%s)", cfg.GlobalCfg.Host, err.Error()) diff --git a/KubeArmor/enforcer/appArmorHostProfile.go b/KubeArmor/enforcer/appArmorHostProfile.go index 01ffbcc7d2..34cede33b5 100644 --- a/KubeArmor/enforcer/appArmorHostProfile.go +++ b/KubeArmor/enforcer/appArmorHostProfile.go 
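Review bot: The raw-string literal for ae.ApparmorDefault in NewAppArmorEnforcer changes the bytes of the emitted default profile, not just the Go source: the two-space indentation inside the `profile apparmor-default { … }` block is gone and the blank line between the `#include` and the `profile` line is dropped, which the commit message ("remove redundant spaces") does not spell out. The AppArmor parser ignores that whitespace, so the enforced rules are unchanged, but if any code path compares the generated text against a profile already on disk to decide whether to rewrite or reload it, every existing default profile will compare unequal once after upgrade; worth confirming before merging. Since the literal now carries the PRE/POLICY/POST marker lines verbatim with nothing explaining them, a comment above it would help, e.g. `// Raw string: no escapes are processed, the text below is written to the profile byte-for-byte; keep the ## == PRE/POLICY/POST == ## marker lines intact, they are presumably the anchors used when rules are spliced in.` NewAppArmorEnforcer starts before the hunk and continues past it.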
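Review bot: The raw string for apparmorHostDefault in CreateAppArmorHostProfile drops the blank line after the `## == Managed by KubeArmor == ##` header and the one between `ptrace,` and `file,`, while the otherwise identical profile head in GenerateHostProfileHead (the appArmorHostProfile.go hunk) keeps both, so two literals that were byte-identical before this change now disagree in whitespace. AppArmor does not care, but anything that diffs the file written here against the output of GenerateHostProfileHead, or against an earlier on-disk copy, to decide whether the host profile needs rewriting would now see a spurious difference; restoring the two blank lines in this literal keeps the two texts in sync. The duplicated head is itself the underlying risk, since both copies are in the same enforcer package and on the same receiver: `apparmorHostDefault := ae.GenerateHostProfileHead() + "\n## == POLICY START == ##\n## == POLICY END == ##\n}\n"` would leave one source of truth for the host profile preamble. CreateAppArmorHostProfile starts before the hunk and continues after the os.Create call.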
@@ -518,25 +518,24 @@ func (ae *AppArmorEnforcer) BlockedHostCapabilitiesMatchCapabilities(cap tp.Capa // GenerateHostProfileHead Function func (ae *AppArmorEnforcer) GenerateHostProfileHead() string { - profileHead := "## == Managed by KubeArmor == ##\n" + - "\n" + - "#include \n" + - "\n" + - "profile kubearmor.host /{usr/,}bin/*sh flags=(attach_disconnected,mediate_deleted) {\n" + - " ## == PRE START == ##\n" + - " #include \n" + - " mount,\n" + - " umount,\n" + - " signal,\n" + - " unix,\n" + - " ptrace,\n" + - "\n" + - " file,\n" + - " network,\n" + - " capability,\n" + - " ## == PRE END == ##\n" + - "\n" - + profileHead := `## == Managed by KubeArmor == ## + +#include + +profile kubearmor.host /{usr/,}bin/*sh flags=(attach_disconnected,mediate_deleted) { +## == PRE START == ## +#include +mount, +umount, +signal, +unix, +ptrace, + +file, +network, +capability, +## == PRE END == ## +` return profileHead }
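Review bot: GenerateHostProfileHead now returns one newline fewer than before: the old concatenation ended with `"  ## == PRE END == ##\n" + "\n"`, whereas the raw string ends right after the `## == PRE END == ##` line, so the blank line that separated the head from whatever the caller appends is gone — a behaviour change the commit message does not mention. The parser does not need the separator, but anything that locates sections by exact line layout would see the shift; if the old output is wanted, an empty line before the closing backtick restores it. The exported method also still carries only `// GenerateHostProfileHead Function` as its doc comment; `// GenerateHostProfileHead returns the fixed preamble of the kubearmor.host AppArmor profile, from the Managed-by header through the ## == PRE END == ## marker; the policy section and closing brace are presumably appended by the caller.` would say what it is for. The whole function is inside the hunk.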