mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00
Code Issues Releases Wiki Activity

parser: maintain compatibility for fine grained inet network mediation

Browse Source 
A simple rule without conditionals need to be generated for when the
kernel does not support fine grained inet network mediation.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia 2024-02-29 17:30:38 -03:00
parent dd0d145a19
commit 119e3f38f9
4 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
parser/network.cc
View File

@ -612,6 +612,15 @@ bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mas
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (type_mask & 0xff); buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (type_mask & 0xff);
} }
if (!features_supports_inet) {
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(AA_VALID_NET_PERMS),
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
parseopts))
return false;
return true;
}
if (perms & AA_PEER_NET_PERMS) { if (perms & AA_PEER_NET_PERMS) {
gen_ip_conds(buffer, peer, true, false); gen_ip_conds(buffer, peer, true, false);

1
parser/parser.h
View File

@ -341,6 +341,7 @@ extern int kernel_load;
extern int kernel_supports_setload; extern int kernel_supports_setload;
extern int features_supports_network; extern int features_supports_network;
extern int features_supports_networkv8; extern int features_supports_networkv8;
extern int features_supports_inet;
extern int kernel_supports_policydb; extern int kernel_supports_policydb;
extern int kernel_supports_diff_encode; extern int kernel_supports_diff_encode;
extern int features_supports_mount; extern int features_supports_mount;

1
parser/parser_common.c
View File

@ -69,6 +69,7 @@ int kernel_load = 1;
int kernel_supports_setload = 0; /* kernel supports atomic set loads */ int kernel_supports_setload = 0; /* kernel supports atomic set loads */
int features_supports_network = 0; /* kernel supports network rules */ int features_supports_network = 0; /* kernel supports network rules */
int features_supports_networkv8 = 0; /* kernel supports 4.17 network rules */ int features_supports_networkv8 = 0; /* kernel supports 4.17 network rules */
int features_supports_inet = 0; /* kernel supports inet network rules */
int features_supports_unix = 0; /* kernel supports unix socket rules */ int features_supports_unix = 0; /* kernel supports unix socket rules */
int kernel_supports_policydb = 0; /* kernel supports new policydb */ int kernel_supports_policydb = 0; /* kernel supports new policydb */
int features_supports_mount = 0; /* kernel supports mount rules */ int features_supports_mount = 0; /* kernel supports mount rules */

3
parser/parser_main.c
View File

@ -919,6 +919,9 @@ void set_supported_features()
features_supports_networkv8 = features_intersect(kernel_features, features_supports_networkv8 = features_intersect(kernel_features,
policy_features, policy_features,
"network_v8"); "network_v8");
features_supports_inet = features_intersect(kernel_features,
policy_features,
"network/af_inet");
features_supports_unix = features_intersect(kernel_features, features_supports_unix = features_intersect(kernel_features,
policy_features, policy_features,
"network/af_unix"); "network/af_unix");