add ability to use out of band transitions

Currently the NULL character is used as an out of band transition for string/path elements. This works for them as the NULL character is not valid for this data. However this does not work for binary data that can contain a NULL character. So far we have only dealt with fixed length fields of binary data making the NULL separator either unnecessary. However binary data like in the xattr match and mount data field are variable length and can contain NULL characters. To deal with this add the ability to specify out of band transitions, that can only be triggered by code not input data. The out of band transition can be used to separate variable length data fields just as the NULL transition has been used to separate variable length strings. In the compressed hfa out of band transitions are expressed as a negative offset from the states base. This leaves us room to expand the character match range in the future if desired and on average makes the range between the out of band transition and the input transitions smaller than would be had if the out of band transition had been stored after the valid input transitions. Out of band transitions in the dfa will not break old kernels that don't know about them, but they won't be able to trigger the out of band transition match. So they should not be used unless the kernel indicates that it supports them. It should be noted that this patch only adds support for a single out of band transition. If multiple out of band transitions are required. It is trivial to extend. - Add a tag indicating support in the kernel - add a oob max range field to the dfa header so the kernel knows what the max range that needs verifying is. - extend oob generation fns to generate oob based on value instead of a fixed -1. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-31 14:25:52 +00:00 · 2019-08-11 06:18:27 -07:00
parent 6062262ccd
commit 16b67ddbd6
11 changed files with 186 additions and 74 deletions
--- a/parser/mount.cc
+++ b/parser/mount.cc
@@ -643,7 +643,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		/* rule for match without required data || data MATCH_CONT */
 		if (!prof.policy.rules->add_rule_vec(deny, tmpallow,
 					      audit | AA_AUDIT_MNT_DATA, 4,
-					      vec, dfaflags))
+					      vec, dfaflags, false))
 			goto fail;
 		count++;

@@ -655,7 +655,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			vec[4] = optsbuf.c_str();
 			if (!prof.policy.rules->add_rule_vec(deny, allow,
 						      audit | AA_AUDIT_MNT_DATA,
-						      5, vec, dfaflags))
+						      5, vec, dfaflags, false))
 				goto fail;
 			count++;
 		}
@@ -684,7 +684,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
-						    dfaflags))
+						     dfaflags, false))
 			goto fail;
 		count++;
 	}
@@ -713,7 +713,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
-						    dfaflags))
+						     dfaflags, false))
 			goto fail;
 		count++;
 	}
@@ -743,7 +743,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
-						    dfaflags))
+						     dfaflags, false))
 			goto fail;
 		count++;
 	}
@@ -784,7 +784,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		/* rule for match without required data || data MATCH_CONT */
 		if (!prof.policy.rules->add_rule_vec(deny, tmpallow,
 					      audit | AA_AUDIT_MNT_DATA, 4,
-					      vec, dfaflags))
+					      vec, dfaflags, false))
 			goto fail;
 		count++;

@@ -796,7 +796,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			vec[4] = optsbuf.c_str();
 			if (!prof.policy.rules->add_rule_vec(deny, allow,
 						      audit | AA_AUDIT_MNT_DATA,
-						      5, vec, dfaflags))
+						      5, vec, dfaflags, false))
 				goto fail;
 			count++;
 		}
@@ -808,7 +808,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		vec[0] = mntbuf.c_str();
 		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 1, vec,
-						    dfaflags))
+						     dfaflags, false))
 			goto fail;
 		count++;
 	}
@@ -822,7 +822,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		vec[1] = devbuf.c_str();
 		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 2, vec,
-						    dfaflags))
+						     dfaflags, false))
 			goto fail;
 		count++;
 	}