From 15a02e0948adafd2b07148b6d4a54ef130844bbc Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Tue, 5 Nov 2024 18:40:37 -0700
Subject: [PATCH] parser: fix mapping of AA_CONT_MATCH for policydb compat entries

The mapping of AA_CONT_MATCH was being dropped resulting in the tcp tests failing because they would only match up to the first conditional match check in the layout.

Bug: https://gitlab.com/apparmor/apparmor/-/issues/462
Fixes: e29f5ce5f ("parser: if extended perms are supported by the kernel build a permstable")
Signed-off-by: John Johansen
---
 parser/libapparmor_re/policy_compat.cc | 2 ++
 parser/network.cc | 2 +-
 parser/perms.h | 3 +++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/parser/libapparmor_re/policy_compat.cc b/parser/libapparmor_re/policy_compat.cc
index 58e11bad3..5e0e0ae83 100644
--- a/parser/libapparmor_re/policy_compat.cc
+++ b/parser/libapparmor_re/policy_compat.cc
@@ -182,6 +182,8 @@ struct aa_perms compute_perms_entry(uint32_t accept1, uint32_t accept2,
 perms.prompt = dfa_user_allow(accept3);
 perms.audit = dfa_user_audit(accept1, accept2);
 perms.quiet = dfa_user_quiet(accept1, accept2);
+ if (accept1 & AA_COMPAT_CONT_MATCH)
+ perms.allow |= AA_CONT_MATCH;
 
 /*
 * This mapping is convulated due to history.
diff --git a/parser/network.cc b/parser/network.cc
index f5ea79947..b53e24d1a 100644
--- a/parser/network.cc
+++ b/parser/network.cc
@@ -721,7 +721,7 @@ bool network_rule::gen_ip_conds(Profile &prof, std::list &st
 cond_perms = map_perms(perms);
 
 if (!is_cmd && (label || is_peer))
- cond_perms = (AA_CONT_MATCH << 1);
+ cond_perms = AA_COMPAT_CONT_MATCH;
 
 for (auto &oss : streams) {
 oss << "\\x00"; /* null transition */
diff --git a/parser/perms.h b/parser/perms.h
index ab92632eb..0d194d9a1 100644
--- a/parser/perms.h
+++ b/parser/perms.h
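Review bot: The added `if (accept1 & AA_COMPAT_CONT_MATCH)` tests accept1 in the compat accept-word layout, where the bit being probed (AA_CONT_MATCH << 1 = 0x10000000) has the same numeric value as the native AA_MAY_STACK bit declared in perms.h, and nothing at this site says so; a reader comparing against perms.h will read it as a stack permission being promoted into perms.allow. Suggest a comment above the added check: `/* accept1 uses the compat layout: 0x10000000 here is the continue-match marker emitted by gen_ip_conds, not AA_MAY_STACK */`. The `|=` into perms.allow only survives if the mapping code below merges with `|=` rather than reassigning perms.allow; that code is outside the hunk, and since the bug being fixed is exactly this flag being dropped, it is worth confirming. compute_perms_entry starts and ends outside this hunk.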
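Review bot: On the label/peer path the new line `cond_perms = AA_COMPAT_CONT_MATCH;` overwrites the `map_perms(perms)` result computed two lines above, so the first assignment is dead work on that path and the reader has to notice that the conditional replaces rather than augments the permissions. A single selection reads more directly: `cond_perms = (!is_cmd && (label || is_peer)) ? AA_COMPAT_CONT_MATCH : map_perms(perms);`. Either way the intent deserves a comment, since the macro name alone does not explain why a conditional accept state carries no permissions — presumably `/* a label or peer condition follows: mark this accept state continue-match (compat encoding) instead of terminal perms */`, per the commit message's description of matching stopping at the first conditional. gen_ip_conds starts and ends outside this hunk.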
@@ -65,6 +65,9 @@ #define AA_MAY_DELEGATE #define AA_CONT_MATCH 0x08000000 +// TODO: move into a reworked immunix.h that is dependent on perms.h +#define AA_COMPAT_CONT_MATCH (AA_CONT_MATCH << 1) + #define AA_MAY_STACK 0x10000000 #define AA_MAY_ONEXEC 0x20000000 /* either stack or change_profile */ #define AA_MAY_CHANGE_PROFILE 0x40000000
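Review bot: AA_COMPAT_CONT_MATCH expands to 0x10000000, which is the same value as AA_MAY_STACK defined a few lines below it, and the only comment is a TODO about where the macro should live; the aliasing is the fact a maintainer needs, because the macro is only meaningful against compat-layout accept words (as policy_compat.cc and gen_ip_conds use it) and must never be OR'd into a native perms mask. Suggest replacing or extending the TODO with `/* AA_CONT_MATCH as encoded in compat (pre-permstable) accept words; numerically equal to AA_MAY_STACK, so only compare against compat accept values */`. The surrounding header comments use `/* */` (see the AA_MAY_ONEXEC line), so the `//` TODO is also out of style for this file.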