From 7cc7f47424980d55f63167c96fcb5e083af93857 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Wed, 6 Nov 2024 08:46:08 -0700
Subject: [PATCH 1/3] parser: fix and cleanup libapparmor_re/Makefile

The Makefile is missing some of its .h depenedncies causing compiles to either fail or worse result in bad builds when rebuilding in an already built tree. Move the header dependencies into a variable and use it for each target. While some targets don't need every include as a dependency and this will result in unnecessary rebuilds in some cases, it makes the Makefile cleaner, easier to maintain and makes sure a dependency isn't accidentally missed.
Signed-off-by: John Johansen
---
 parser/libapparmor_re/Makefile | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/parser/libapparmor_re/Makefile b/parser/libapparmor_re/Makefile
index 620dd297e..43d0cee5c 100644
--- a/parser/libapparmor_re/Makefile
+++ b/parser/libapparmor_re/Makefile
@@ -14,6 +14,14 @@ AR ?= ar
 CFLAGS ?= -g -Wall -O2 ${EXTRA_CFLAGS} -std=gnu++0x
 CXXFLAGS := ${CFLAGS} ${INCLUDE_APPARMOR}
+LIB_HDRS = aare_rules.h flex-tables.h apparmor_re.h hfa.h chfa.h parse.h \
+ expr-tree.h policy_compat.h
+
+OTHER_HDRS = ../common_optarg.h ../common_flags.h ../immunix.h \
+ ../policydb.h ../perms.h ../rule.h
+
+HDRS = ${LIB_HDRS} ${OTHER_HDRS}
+
 ARFLAGS=-rcs
 BISON := bison
@@ -27,17 +35,17 @@ libapparmor_re.a: parse.o expr-tree.o hfa.o chfa.o aare_rules.o policy_compat.o
 expr-tree.o: expr-tree.cc expr-tree.h
-hfa.o: hfa.cc apparmor_re.h hfa.h ../immunix.h policy_compat.h
+hfa.o: hfa.cc ${HDRS}
-aare_rules.o: aare_rules.cc aare_rules.h apparmor_re.h expr-tree.h hfa.h chfa.h parse.h ../immunix.h
+aare_rules.o: aare_rules.cc ${HDRS}
-chfa.o: chfa.cc chfa.h ../immunix.h
+chfa.o: chfa.cc ${HDRS}
-policy_compat.o: policy_compat.cc policy_compat.h ../perms.h ../immunix.h
+policy_compat.o: policy_compat.cc ${HDRS}
-parse.o : parse.cc apparmor_re.h expr-tree.h
+parse.o : parse.cc ${HDRS}
-parse.cc : parse.y parse.h flex-tables.h ../immunix.h
+parse.cc : parse.y ${HDRS}
 ${BISON} -o $@ $<
 clean:
From 00dedf10ad9a4895790b6b4aa239e1106bed4511 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Wed, 6 Nov 2024 08:50:47 -0700
Subject: [PATCH 2/3] parser: add the accept2 table entry to the chfa dump

The chfa dump is missing information about the accept2 entry. The accept2 information is necessary to help with debugging state machine builds as accept2 is used to store quiet and audit information in the old format or conditional information in the extended perms format.
Signed-off-by: John Johansen
---
 parser/libapparmor_re/chfa.cc | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/parser/libapparmor_re/chfa.cc b/parser/libapparmor_re/chfa.cc
index f6e103681..8d1150300 100644
--- a/parser/libapparmor_re/chfa.cc
+++ b/parser/libapparmor_re/chfa.cc
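Review bot: `expr-tree.o: expr-tree.cc expr-tree.h` is the one object rule in this hunk still carrying a hand-listed header dependency, which is exactly the pattern the commit says it is removing so that a dependency cannot be accidentally missed; for consistency with the other targets it should read `expr-tree.o: expr-tree.cc ${HDRS}`. A secondary point: `parse.cc : parse.y ${HDRS}` makes the generated parser depend on every header, so touching any header re-runs bison even though the generator only consumes parse.y; the commit message accepts spurious rebuilds, but this one is worth a comment such as `# parse.cc is regenerated by bison; header deps here only force re-generation` so a later reader does not take it as a real input dependency.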
@@ -307,11 +307,16 @@ void CHFA::dump(ostream &os)
 st.insert(make_pair(i->second, i->first));
 }
- os << "size=" << default_base.size() << " (accept, default, base): {state} -> {default state}" << "\n";
+ os << "size=" << default_base.size() << " (accept, accept2, default, base): {state} -> {default state}" << "\n";
 for (size_t i = 0; i < default_base.size(); i++) {
 os << i << ": ";
- os << "(" << accept[i] << ", " << num[default_base[i].first]
- << ", " << default_base[i].second << ")";
+ os << "(" << accept[i] << ", ";
+ if (accept2.size() > 0)
+ os << accept2[i];
+ else
+ os << "---, ";
+ os << num[default_base[i].first] << ", " <<
+ default_base[i].second << ")";
 if (st[i])
 os << " " << *st[i];
 if (default_base[i].first)
From 45964d34e7d141214340920402cd0964c6565027 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Mon, 28 Oct 2024 09:22:02 -0600
Subject: [PATCH 3/3] parser: add the abilitiy to dump the permissions table

Instead of encoding permissions in the accept and accept2 tables extended perms uses a permissions table and accept becomes an index into the table. Add the ability to dump the permissions table so that it can be compared and debugged.
Signed-off-by: John Johansen
---
 parser/libapparmor_re/aare_rules.cc | 14 ++++++++++-
 parser/libapparmor_re/hfa.cc | 3 +--
 parser/perms.h | 37 +++++++++++++++++++++++++++--
 3 files changed, 49 insertions(+), 5 deletions(-)

diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
index 96b46e16a..d4b9e28b2 100644
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
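Review bot: The populated-accept2 branch prints the value without a separator: `os << accept2[i];` is followed straight by `os << num[default_base[i].first]`, so when accept2 exists the accept2 and default values run together into one number (an accept2 of 5 and a default of 7 would print as `57`), whereas the `else` branch does emit `---, `. The line should be `os << accept2[i] << ", ";`. The new code also indexes `accept2[i]` with a `default_base` index whenever `accept2.size() > 0`; I cannot see from this hunk whether accept2 is guaranteed to be sized like default_base, so if it can be shorter this is an out-of-bounds read and the guard should be `i < accept2.size()`. CHFA::dump continues beyond the hunk on both sides.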
@@ -306,7 +306,19 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 //cerr << "Checking extended perms " << extended_perms << "\n";
 if (extended_perms) {
 //cerr << "creating permstable\n";
- dfa.compute_perms_table(perms_table, prompt);
+ dfa.compute_perms_table(perms_table, prompt);
+ // TODO: move perms table to a class
+ if (opts.dump & DUMP_DFA_TRANS_TABLE && perms_table.size()) {
+ cerr << "Perms Table size: " << perms_table.size() << "\n";
+ perms_table[0].dump_header(cerr);
+ for (size_t i = 0; i < perms_table.size(); i++) {
+ perms_table[i].dump(cerr);
+ cerr << "accept1: 0x";
+ cerr << ", accept2: 0x";
+ cerr << "\n";
+ }
+ cerr << "\n";
+ }
 }
 chfa = new CHFA(dfa, eq, opts, extended_perms, prompt);
 if (opts.dump & DUMP_DFA_TRANS_TABLE)
diff --git a/parser/libapparmor_re/hfa.cc b/parser/libapparmor_re/hfa.cc
index 9318f8562..575d72073 100644
--- a/parser/libapparmor_re/hfa.cc
+++ b/parser/libapparmor_re/hfa.cc
@@ -1334,8 +1334,7 @@ void DFA::compute_perms_table(vector &perms_table, bool prompt)
 perms_table.resize(states.size() * mult);
 // nonmatching and start need to be 0 and 1 so handle outside of loop
- if (filedfa)
- compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
+ compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
 compute_perms_table_ent(start, 1, perms_table, prompt);
 for (Partition::iterator i = states.begin(); i != states.end(); i++) {
diff --git a/parser/perms.h b/parser/perms.h
index ab92632eb..5cbfde1e1 100644
--- a/parser/perms.h
+++ b/parser/perms.h
@@ -24,6 +24,11 @@
 * older versions */
+#include
+#include
+using std::ostream;
+using std::cerr;
+
 #include
 #include
@@ -79,7 +84,7 @@
 * - exec type - which determines how the executable name and index are used
 * - flags - which modify how the destination name is applied */
-#define AA_X_INDEX_MASK AA_INDEX_MASK
+#define AA_X_INDEX_MASK 0xffffff
 #define AA_X_TYPE_MASK 0x0c000000
 #define AA_X_NONE AA_INDEX_NONE
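Review bot: The two statements `cerr << "accept1: 0x";` and `cerr << ", accept2: 0x";` in the new perms-table loop emit only their labels, so every row of the dump ends in the literal text `accept1: 0x, accept2: 0x` with no value after either prefix. Either the matching per-entry values should be streamed after each label (the hunk does not show where an accept value for entry `i` is available at this point, so I cannot say which expression belongs there) or the two lines should be dropped until they are; as written the output is misleading to anyone comparing tables, which is the stated purpose of the change. The dump is keyed on `DUMP_DFA_TRANS_TABLE`, the same flag used for the transition-table dump a few lines below; a one-line comment such as `// perms table is dumped under the same flag as the transition table it indexes` would make that deliberate rather than accidental. create_chfa begins before the hunk.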
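Review bot: Removing `if (filedfa)` changes what compute_perms_table writes to `perms_table[0]` for non-file DFAs — before, entry 0 was left as whatever `perms_table.resize()` initialised it to; now it is computed from `nonmatching` — yet the commit message describes only adding a dump and does not mention this. The same applies to the `AA_X_INDEX_MASK` hunk in parser/perms.h, which replaces `AA_INDEX_MASK` with the literal `0xffffff`: if the two values differ, xindex masking changes for every user of the macro, not just the new dump. Both are behaviour changes that belong in a separate commit or at least in the message, and the macro deserves a comment stating why the literal is used instead of `AA_INDEX_MASK` (I cannot tell from the hunk whether they are meant to be equal). compute_perms_table continues beyond the hunk.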
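Review bot: `using std::ostream;` and `using std::cerr;` are placed at namespace scope in a header, so every translation unit that includes perms.h gets these names injected whether it wants them or not, and `cerr` is not used anywhere in perms.h — only aare_rules.cc uses it, where it was evidently already in scope. Prefer spelling `std::ostream` in the two new member functions and dropping both using-declarations, or at minimum drop `using std::cerr;`. The targets of the two new `#include` lines did not survive in this rendering, so I cannot confirm which headers they name; `<ostream>` is sufficient for what the new code in perms.h uses.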
@@ -93,7 +98,8 @@ typedef uint32_t perm32_t;
-struct aa_perms {
+class aa_perms {
+public:
 perm32_t allow;
 perm32_t deny; /* explicit deny, or conflict if allow also set */
@@ -112,6 +118,33 @@ struct aa_perms {
 uint32_t xindex;
 uint32_t tag; /* tag string index, if present */
 uint32_t label; /* label string index, if present */
+
+ void dump_header(ostream &os)
+ {
+ os << "(allow/deny/prompt//audit/quiet//xindex)\n";
+ }
+
+ void dump(ostream &os)
+ {
+ os << std::hex << "(0x" << allow << "/0x" << deny << "/0x"
+ << prompt << "//0x" << audit << "/0x" << quiet
+ << std::dec << "//";
+ if (xindex & AA_X_UNSAFE)
+ os << "unsafe ";
+ if (xindex & AA_X_TYPE_MASK) {
+ if (xindex & AA_X_CHILD)
+ os << "c";
+ else
+ os << "p";
+ }
+ if (xindex & AA_X_INHERIT)
+ os << "i";
+ if (xindex & AA_X_UNCONFINED)
+ os << "u";
+ os << (xindex & AA_X_INDEX_MASK);
+ os << ")";
+ }
+
 };
 #endif /* __AA_PERM_H */
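Review bot: `dump_header` and `dump` only read members (dump_header reads none), so both should be `const` — `void dump_header(ostream &os) const` (or `static`) and `void dump(ostream &os) const` — otherwise they cannot be called through a `const aa_perms &`. `dump` also switches the stream to `std::hex` and then forces `std::dec` instead of restoring what the caller had; saving `const std::ios_base::fmtflags saved = os.flags();` at the top and `os.flags(saved);` before returning keeps the function from altering the formatting state of callers that were already in hex. A brief comment on `dump` describing the output, e.g. `// prints (allow/deny/prompt//audit/quiet//xflags index) with no trailing newline`, would help, since the caller in aare_rules.cc relies on no newline being written here.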