parser: Check kernel stacking support when handling stacked transitions

Check if the current kernel supports stacking. If not, ensure that named transitions (exec, change_profile, etc.) do not attempt to stack their targets. Also, set up the change_profile vector according to whether or not the kernel supports stacking. Earlier kernels expect the policy namespace to be in its own NUL-terminated vector element rather than passing the entire label (namespace and profile name) as a single string to the kernel. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-09-05 16:55:32 +00:00 · 2016-03-18 17:28:51 -05:00
parent 00fb4e94ab
commit 1a7663e89a
6 changed files with 59 additions and 10 deletions
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -566,6 +566,8 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 	if (entry->mode & AA_CHANGE_PROFILE) {
 		const char *vec[3];
 		std::string lbuf, xbuf;
+		autofree char *ns = NULL;
+		autofree char *name = NULL;
 		int index = 1;

 		if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
@@ -585,7 +587,27 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 			/* allow change_profile for all execs */
 			vec[0] = "/[^/\\x00][^\\x00]*";

-		vec[index++] = tbuf.c_str();
+		if (!kernel_supports_stacking) {
+			bool stack;
+
+			if (!parse_label(&stack, &ns, &name,
+					 tbuf.c_str(), false)) {
+				return FALSE;
+			}
+
+			if (stack) {
+				fprintf(stderr,
+					_("The current kernel does not support stacking of named transitions: %s\n"),
+					tbuf.c_str());
+				return FALSE;
+			}
+
+			if (ns)
+				vec[index++] = ns;
+			vec[index++] = name;
+		} else {
+			vec[index++] = tbuf.c_str();
+		}

 		/* regular change_profile rule */
 		if (!dfarules->add_rule_vec(entry->deny, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))