Cleanup mount commands flag masking for policy generation

Simplify flag masking and fix the MS_MAKE_CMDS flag set. This is a step in fixing Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017 Signed-off-by: John Johansen <john.johansen@canonical.com> - rebased to bba1a023bf - fixed MS_MAKE_CMDS definition to the correct one. We shouldn't add (MS_ALL_FLAGS & ~(MNT_FLAGS)) to this bitmask. Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> (cherry picked from commit ae1950b0044cec4b3b9d91f3bad4666f7a505b8c) Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
2025-08-29 13:28:19 +00:00 · 2016-07-02 02:23:18 -07:00 · 2016-07-02 02:23:18 -07:00 · 14f1641ab9
commit 14f1641ab9
parent e5c71fd1bf
2 changed files with 16 additions and 47 deletions
--- a/parser/mount.cc
+++ b/parser/mount.cc
@ -605,7 +605,6 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	unsigned int tmpflags, tmpinv_flags;
 	int tmpallow;

 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
@ -628,13 +627,8 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count)
 	/* skip type */
 	vec[2] = default_match_pattern;

-	tmpflags = flags;
-	tmpinv_flags = inv_flags;
-	if (tmpflags != MS_ALL_FLAGS)
-		tmpflags &= MS_REMOUNT_FLAGS;
-	if (tmpinv_flags != MS_ALL_FLAGS)
-		tmpflags &= MS_REMOUNT_FLAGS;
-	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_REMOUNT_FLAGS,
+			     inv_flags & MS_REMOUNT_FLAGS))
 		goto fail;

 	vec[3] = flagsbuf;
@ -679,7 +673,6 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	unsigned int tmpflags, tmpinv_flags;

 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);

@ -695,13 +688,8 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count)
 	/* skip type */
 	vec[2] = default_match_pattern;

-	tmpflags = flags;
-	tmpinv_flags = inv_flags;
-	if (tmpflags != MS_ALL_FLAGS)
-		tmpflags &= MS_BIND_FLAGS;
-	if (tmpinv_flags != MS_ALL_FLAGS)
-		tmpflags &= MS_BIND_FLAGS;
-	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_BIND_FLAGS,
+			     inv_flags & MS_BIND_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;
 	if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
@ -724,7 +712,6 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	unsigned int tmpflags, tmpinv_flags;

 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);

@ -740,13 +727,8 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count)
 	vec[1] = default_match_pattern;
 	vec[2] = default_match_pattern;

-	tmpflags = flags;
-	tmpinv_flags = inv_flags;
-	if (tmpflags != MS_ALL_FLAGS)
-		tmpflags &= MS_MAKE_FLAGS;
-	if (tmpinv_flags != MS_ALL_FLAGS)
-		tmpflags &= MS_MAKE_FLAGS;
-	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_MAKE_FLAGS,
+			     inv_flags & MS_MAKE_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;
 	if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
@ -769,7 +751,6 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	unsigned int tmpflags, tmpinv_flags;

 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);

@ -787,13 +768,8 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count)
 	/* skip type */
 	vec[2] = default_match_pattern;

-	tmpflags = flags;
-	tmpinv_flags = inv_flags;
-	if (tmpflags != MS_ALL_FLAGS)
-		tmpflags &= MS_MOVE_FLAGS;
-	if (tmpinv_flags != MS_ALL_FLAGS)
-		tmpflags &= MS_MOVE_FLAGS;
-	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_MOVE_FLAGS,
+			     inv_flags & MS_MOVE_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;
 	if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
@ -816,7 +792,6 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	unsigned int tmpflags, tmpinv_flags;
 	int tmpallow;

 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
@ -834,13 +809,8 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count)
 		goto fail;
 	vec[2] = typebuf.c_str();

-	tmpflags = flags;
-	tmpinv_flags = inv_flags;
-	if (tmpflags != MS_ALL_FLAGS)
-		tmpflags &= ~MS_CMDS;
-	if (tmpinv_flags != MS_ALL_FLAGS)
-		tmpinv_flags &= ~MS_CMDS;
-	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_NEW_FLAGS,
+			     inv_flags & MS_NEW_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;

@ -923,7 +893,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		if (gen_policy_bind_mount(prof, count) == RULE_ERROR)
 			goto fail;
 	} else if ((allow & AA_MAY_MOUNT) &&
-		   (flags & (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED))
+		   (flags & (MS_MAKE_CMDS))
 		   && !device && !dev_type && !opts) {
 		if (gen_policy_change_mount_type(prof, count) == RULE_ERROR)
 			goto fail;
--- a/parser/mount.h
+++ b/parser/mount.h
@ -94,16 +94,15 @@
 			 MS_KERNMOUNT | MS_STRICTATIME)

 #define MS_BIND_FLAGS (MS_BIND | MS_RBIND)
-#define MS_MAKE_FLAGS ((MS_UNBINDABLE | MS_RUNBINDABLE | \
+#define MS_MAKE_CMDS (MS_UNBINDABLE | MS_RUNBINDABLE | \
 			MS_PRIVATE | MS_RPRIVATE | \
-			MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED) | \
-		       (MS_ALL_FLAGS & ~(MNT_FLAGS)))
+			MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED)
+#define MS_MAKE_FLAGS  (MS_ALL_FLAGS & ~(MNT_FLAGS))
 #define MS_MOVE_FLAGS (MS_MOVE)

-#define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_RBIND | \
-		 MS_UNBINDABLE | MS_RUNBINDABLE | MS_PRIVATE | MS_RPRIVATE | \
-		 MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED)
+#define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_RBIND | MS_MAKE_CMDS)
 #define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~(MS_CMDS & ~MS_REMOUNT & ~MS_BIND & ~MS_RBIND))
+#define MS_NEW_FLAGS (MS_ALL_FLAGS & ~MS_CMDS)

 #define MNT_SRC_OPT 1
 #define MNT_DST_OPT 2