From 05de4b82e7c812b6fc6c46cf28c215ce4598f406 Mon Sep 17 00:00:00 2001
From: Georgia Garcia
Date: Wed, 2 Aug 2023 17:58:38 -0300
Subject: [PATCH] parser: implement dedup of network rules
Since network rules don't use the "perms" attribute, it is using the dedup class in which duplicate rules are removed.
Signed-off-by: Georgia Garcia
---
parser/network.cc | 28 +++++++++++++++++++++++++---
parser/network.h | 9 ++++++---
2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/parser/network.cc b/parser/network.cc
index 5329c3871..3698514cb 100644
--- a/parser/network.cc
+++ b/parser/network.cc
@@ -309,7 +309,7 @@ void network_rule::set_netperm(unsigned int family, unsigned int type)
 network_rule::network_rule(const char *family, const char *type,
 const char *protocol):
- perms_rule_t(AA_CLASS_NETV8)
+ dedup_perms_rule_t(AA_CLASS_NETV8)
 {
 if (!family && !type && !protocol) {
 size_t family_index;
@@ -337,7 +337,7 @@ network_rule::network_rule(const char *family, const char *type,
 }
 network_rule::network_rule(unsigned int family, unsigned int type):
- perms_rule_t(AA_CLASS_NETV8)
+ dedup_perms_rule_t(AA_CLASS_NETV8)
 {
 network_map[family].push_back({ family, type, 0xFFFFFFFF });
 set_netperm(family, type);
@@ -421,7 +421,7 @@ bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mas
 buf = buffer.str();
 if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(AA_VALID_NET_PERMS),
- perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
+ dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
 parseopts))
 return false;
@@ -520,3 +520,25 @@ void network_rule::update_compat_net(void)
 }
 }
 }
+
+static int cmp_network_map(std::unordered_map lhs,
+ std::unordered_map rhs)
+{
+ int res;
+ size_t family_index;
+ for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
+ res = lhs[family_index] - rhs[family_index];
+ if (res)
+ return res;
+ }
+ return 0;
+}
+
+int network_rule::cmp(rule_t const &rhs) const
+{
+ int res = dedup_perms_rule_t::cmp(rhs);
+ if (res)
+ return res;
+ network_rule const &nrhs = rule_cast(rhs);
+ return cmp_network_map(network_perms, nrhs.network_perms);
+};
diff --git a/parser/network.h b/parser/network.h
index 2e4fe27f3..a649ea165 100644
--- a/parser/network.h
+++ b/parser/network.h
@@ -104,7 +104,7 @@ int net_find_type_val(const char *type);
 const char *net_find_type_name(int type);
 const char *net_find_af_name(unsigned int af);
-class network_rule: public perms_rule_t {
+class network_rule: public dedup_perms_rule_t {
 public:
 std::unordered_map> network_map;
 std::unordered_map network_perms;
@@ -112,7 +112,7 @@ public:
 /* empty constructor used only for the profile to access
 * static elements to maintain compatibility with
 * AA_CLASS_NET */
- network_rule(): perms_rule_t(AA_CLASS_NETV8) { }
+ network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8) { }
 network_rule(const char *family, const char *type, const char *protocol);
 network_rule(unsigned int family, unsigned int type);
@@ -150,7 +150,10 @@ public:
 virtual ostream &dump(ostream &os);
 virtual int expand_variables(void);
 virtual int gen_policy_re(Profile &prof);
- // TODO: implement rule dedup cmp member function
+
+ virtual bool is_mergeable(void) { return true; }
+ virtual int cmp(rule_t const &rhs) const;
+
 /* array of type masks indexed by AF_FAMILY */
 /* allow, audit, deny and quiet are used for compatibility with AA_CLASS_NET */
 static unsigned int *allow;
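Review bot: `cmp_network_map` takes both maps by value, so every comparison made by the dedup pass copies two `unordered_map`s, and `lhs[family_index]` / `rhs[family_index]` then default-insert an entry into those copies for every family that is absent; taking `const &` and using `find()` avoids both. The order is also derived from `lhs[i] - rhs[i]` stored in an `int`, and if the mapped type is an unsigned perms mask (the template arguments did not survive rendering, so this is inferred) a difference of 2^31 or more flips the sign, which gives an inconsistent order that a sort-based dedup cannot rely on; an explicit three-way compare is safer. Since this order decides which network rules are considered duplicates and removed from the generated policy, it is worth pinning with a test of two rules whose perms differ only in a high bit. The trailing `};` after `network_rule::cmp` is an empty declaration and should be `}`.
```cpp
/* element types of network_perms were stripped by the page rendering; a
 * template keeps the comparison generic over whatever the map holds */
template <typename Map>
static int cmp_network_map(const Map &lhs, const Map &rhs)
{
	for (size_t family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
		auto l = lhs.find(family_index);
		auto r = rhs.find(family_index);
		/* a family absent from the map compares as "no perms", which is
		 * what operator[] on the by-value copies yielded */
		typename Map::mapped_type lv = (l == lhs.end()) ? 0 : l->second;
		typename Map::mapped_type rv = (r == rhs.end()) ? 0 : r->second;
		if (lv != rv)
			return (lv < rv) ? -1 : 1;
	}
	return 0;
}

// … unchanged: network_rule::cmp, except its final "};" becomes "}" …
```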
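Review bot: In the network.h hunk at @@ -150,7 +150,10 @@, `is_mergeable` now returns true with no comment saying what merging means for a network rule, whereas the removed TODO at least recorded that dedup hinges on `cmp`. A one-line comment above the two declarations, `/* dedup: rules comparing equal under cmp() are merged, so cmp() must cover every field that affects the generated policy */`, would make that contract visible where the override lives. Because the `cmp` implementation in network.cc compares only `network_perms`, the comment should also state whether `network_map` is intentionally left out of the comparison.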