diff --git a/parser/network.cc b/parser/network.cc
index 5329c3871..3698514cb 100644
--- a/parser/network.cc
+++ b/parser/network.cc
@@ -309,7 +309,7 @@ void network_rule::set_netperm(unsigned int family, unsigned int type)

network_rule::network_rule(const char *family, const char *type,
const char *protocol):
- perms_rule_t(AA_CLASS_NETV8)
+ dedup_perms_rule_t(AA_CLASS_NETV8)
{
if (!family && !type && !protocol) {
size_t family_index;
@@ -337,7 +337,7 @@ network_rule::network_rule(const char *family, const char *type,
}

network_rule::network_rule(unsigned int family, unsigned int type):
- perms_rule_t(AA_CLASS_NETV8)
+ dedup_perms_rule_t(AA_CLASS_NETV8)
{
network_map[family].push_back({ family, type, 0xFFFFFFFF });
set_netperm(family, type);
@@ -421,7 +421,7 @@ bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mas
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
map_perms(AA_VALID_NET_PERMS),
- perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
+ dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
parseopts))
return false;

@@ -520,3 +520,25 @@ void network_rule::update_compat_net(void)
}
}
}
+
+static int cmp_network_map(std::unordered_map lhs,
+ std::unordered_map rhs)
+{
+ int res;
+ size_t family_index;
+ for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
+ res = lhs[family_index] - rhs[family_index];
+ if (res)
+ return res;
+ }
+ return 0;
+}
+
+int network_rule::cmp(rule_t const &rhs) const
+{
+ int res = dedup_perms_rule_t::cmp(rhs);
+ if (res)
+ return res;
+ network_rule const &nrhs = rule_cast(rhs);
+ return cmp_network_map(network_perms, nrhs.network_perms);
+};
diff --git a/parser/network.h b/parser/network.h
index 2e4fe27f3..a649ea165 100644
--- a/parser/network.h
+++ b/parser/network.h
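Review bot: cmp_network_map in the last hunk takes both maps by value and reads them with operator[], so every comparison the dedup machinery makes copies both unordered_maps and default-inserts any family missing from the copies; taking them by const reference and looking up with find() gives the same result without the copies or the inserts. The subtraction `res = lhs[family_index] - rhs[family_index]` is also a weak ordering: the mapped type is not visible here (the template arguments were lost in this rendering), but if it is an unsigned permission mask the wrapped difference truncated to int is not antisymmetric (two masks differing only in the top bit compare "less" in both directions), so a three-way `!=`/`<` comparison is the safer basis for whatever sort or merge is built on cmp. The `};` that closes network_rule::cmp is an empty declaration after the function body and should be `}`. network_rule::cmp compares only network_perms and never network_map; if that is because network_perms is the canonical form, a one-line comment on cmp saying so would help, e.g. `/* network_map is not compared: dedup equality is base perms, then per-family network_perms */`.
```cpp
/* Map type is left deduced so the declared key/value types of network_perms
 * are not restated here; perms{} matches what operator[] used to value-initialize
 * for an absent family, but the maps are no longer modified or copied. */
template <class Map>
static int cmp_network_map(const Map &lhs, const Map &rhs)
{
	using perms = typename Map::mapped_type;
	for (size_t family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
		auto l = lhs.find(family_index);
		auto r = rhs.find(family_index);
		perms lp = l == lhs.end() ? perms{} : l->second;
		perms rp = r == rhs.end() ? perms{} : r->second;
		if (lp != rp)
			return lp < rp ? -1 : 1;
	}
	return 0;
}

// … unchanged: network_rule::cmp body, with the closing `};` reduced to `}` …
```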
@@ -104,7 +104,7 @@ int net_find_type_val(const char *type);
const char *net_find_type_name(int type);
const char *net_find_af_name(unsigned int af);

-class network_rule: public perms_rule_t {
+class network_rule: public dedup_perms_rule_t {
public:
std::unordered_map> network_map;
std::unordered_map network_perms;
@@ -112,7 +112,7 @@ public:
/* empty constructor used only for the profile to access
* static elements to maintain compatibility with
* AA_CLASS_NET */
- network_rule(): perms_rule_t(AA_CLASS_NETV8) { }
+ network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8) { }
network_rule(const char *family, const char *type, const char *protocol);
network_rule(unsigned int family, unsigned int type);
@@ -150,7 +150,10 @@ public:
virtual ostream &dump(ostream &os);
virtual int expand_variables(void);
virtual int gen_policy_re(Profile &prof);
- // TODO: implement rule dedup cmp member function
+
+ virtual bool is_mergeable(void) { return true; }
+ virtual int cmp(rule_t const &rhs) const;
+
/* array of type masks indexed by AF_FAMILY */
/* allow, audit, deny and quiet are used for compatibility with AA_CLASS_NET */
static unsigned int *allow;
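Review bot: The new `is_mergeable` and `cmp` declarations in the last hunk replace the TODO with no comment on what the ordering is, while the neighbouring members of this class carry explanatory comments; per the definition in network.cc, cmp orders by the dedup_perms_rule_t comparison and then by per-family network_perms, so a one-line comment above `virtual int cmp(rule_t const &rhs) const;` such as `/* dedup ordering: base perms first, then per-family network_perms; network_map is not compared */` would state the contract where callers read it. is_mergeable returns true unconditionally, which presumably means any two network rules that compare equal may be merged; if that is intended regardless of how network_map was populated, saying so in the same comment makes the assumption checkable. The first two hunks of this file are the base-class rename and need nothing.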