mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 06:45:38 +00:00
Code Issues Releases Wiki Activity

fix named transition, enable cx to imply transition to local profile, without having to specify name

Browse Source
This commit is contained in:
John Johansen
2008-04-16 06:54:51 +00:00
parent 015df061e3
commit 11f925abba
3 changed files with 47 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
parser/parser_interface.c
View File

@@ -545,6 +545,7 @@ int sd_serialize_xtable(sd_serialize *p, char **table)
if (!sd_write_array(p, NULL, count)) if (!sd_write_array(p, NULL, count))
return 0; return 0;
for (i = 4; i < count + 4; i++) { for (i = 4; i < count + 4; i++) {
int len = strlen(table[i]) + 1; int len = strlen(table[i]) + 1;
@@ -555,11 +556,13 @@ int sd_serialize_xtable(sd_serialize *p, char **table)
char *tmp = table[i] + 1; char *tmp = table[i] + 1;
strsep(&tmp, ":"); strsep(&tmp, ":");
} }
if (!sd_write_strn(p, table[i], len, NULL)); if (!sd_write_strn(p, table[i], len, NULL))
return 0; return 0;
} }
if (!sd_write_arrayend(p)) if (!sd_write_arrayend(p))
return 0; return 0;
if (!sd_write_structend(p)) if (!sd_write_structend(p))
return 0; return 0;
return 1; return 1;

56
parser/parser_policy.c
View File

@@ -93,32 +93,57 @@ void add_hat_to_policy(struct codomain *cod, struct codomain *hat)
} }
} }
static int add_named_transition(struct codomain *cod, char *namespace, char *trans) static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
{ {
char *name = NULL; char *name = NULL;
int i; int i;
/* check to see if it is a local transition */ /* check to see if it is a local transition */
if (!namespace) { if (!entry->namespace) {
if (strstr(name, "//")) { char *sub = strstr(entry->nt_name, "//");
free(trans); /* does the subprofile name match the rule */
return AA_EXEC_LOCAL; if (sub && strncmp(cod->name, sub, sub - entry->nt_name) &&
strcmp(sub + 2, entry->name) == 0) {
free(entry->nt_name);
entry->nt_name = NULL;
return AA_EXEC_LOCAL >> 10;
} else if (((entry->mode & AA_USER_EXEC_MODIFIERS) ==
SHIFT_MODE(AA_EXEC_LOCAL, AA_USER_SHIFT)) ||
((entry->mode & AA_OTHER_EXEC_MODIFIERS) ==
SHIFT_MODE(AA_EXEC_LOCAL, AA_OTHER_SHIFT))) {
if (strcmp(entry->nt_name, entry->name) == 0) {
free(entry->nt_name);
entry->nt_name = NULL;
return AA_EXEC_LOCAL >> 10;
}
/* specified as cix so profile name is implicit */
name = malloc(strlen(cod->name) + strlen(entry->nt_name)
+ 3);
if (!name) {
PERROR("Memory allocation error\n");
exit(1);
}
sprintf(name, "%s//%s", cod->name, entry->nt_name);
free(entry->nt_name);
entry->nt_name = name;
} }
} }
if (namespace) { if (entry->namespace) {
name = malloc(strlen(namespace) + strlen(trans) + 3); name = malloc(strlen(entry->namespace) + strlen(entry->nt_name) + 3);
if (!name) { if (!name) {
PERROR("Memory allocation error\n"); PERROR("Memory allocation error\n");
exit(1); exit(1);
} }
sprintf(name, ":%s:%s", namespace, trans); sprintf(name, ":%s:%s", entry->namespace, entry->nt_name);
free(namespace); free(entry->namespace);
free(trans); free(entry->nt_name);
entry->namespace = NULL;
entry->nt_name = NULL;
} else { } else {
name = trans; name = entry->nt_name;
} }
for (i = (AA_EXEC_LOCAL + 1) >> 10; i < AA_EXEC_COUNT; i++) { for (i = (AA_EXEC_LOCAL >> 10) + 1; i < AA_EXEC_COUNT; i++) {
if (!cod->exec_table[i]) { if (!cod->exec_table[i]) {
cod->exec_table[i] = name; cod->exec_table[i] = name;
return i; return i;
@@ -136,10 +161,11 @@ void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
{ {
if (entry->nt_name) { if (entry->nt_name) {
int mode = 0; int mode = 0;
int n = add_named_transition(cod, entry->namespace, entry->nt_name); int n = add_named_transition(cod, entry);
if (!n) if (!n) {
PERROR("Profile %s has to many specified profile transitions.\n", cod->name); PERROR("Profile %s has to many specified profile transitions.\n", cod->name);
exit(1); exit(1);
}
if (entry->mode & AA_USER_EXEC) if (entry->mode & AA_USER_EXEC)
mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT); mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT);
if (entry->mode & AA_OTHER_EXEC) if (entry->mode & AA_OTHER_EXEC)

4
parser/parser_yacc.y
View File

@@ -631,7 +631,6 @@ rules: rules hat
$$ = $1; $$ = $1;
}; };
/*
rules: rules local_profile rules: rules local_profile
{ {
PDEBUG("Matched: hat rule\n"); PDEBUG("Matched: hat rule\n");
@@ -641,7 +640,6 @@ rules: rules local_profile
add_local_entry($2); add_local_entry($2);
$$ = $1; $$ = $1;
}; };
*/
rules: rules cond_rule rules: rules cond_rule
{ {
@@ -924,6 +922,7 @@ hat: hat_start TOK_ID flags TOK_OPEN rules TOK_CLOSE
$$ = cod; $$ = cod;
}; };
/*
local_profile: opt_audit_flag opt_owner_flag TOK_ID file_mode TOK_ARROW TOK_OPEN rules TOK_CLOSE local_profile: opt_audit_flag opt_owner_flag TOK_ID file_mode TOK_ARROW TOK_OPEN rules TOK_CLOSE
{ {
int audit = 0, mode = $4; int audit = 0, mode = $4;
@@ -964,6 +963,7 @@ local_profile: opt_audit_flag opt_owner_flag TOK_UNSAFE file_mode TOK_ID TOK_A
$$ = do_local_profile($8, $5, mode, audit); $$ = do_local_profile($8, $5, mode, audit);
}; };
*/
local_profile: TOK_PROFILE TOK_ID flags TOK_OPEN rules TOK_CLOSE local_profile: TOK_PROFILE TOK_ID flags TOK_OPEN rules TOK_CLOSE
{ {