mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-21 17:47:10 +00:00
Code Issues Releases Wiki Activity

parser: fix xtable generation

Browse Source 
The xtable on perms32 capable systems is being padded to the size of
the accept state tables. This was a hack to get around issue in a buggy
perms32 v1. We do not support any system using perms 32 v1 so we can
drop the hack.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2025-07-30 13:27:35 -07:00
parent e8cd6e704a
commit 392849e518
1 changed files with 9 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
parser/parser_interface.c
View File

@ -384,13 +384,11 @@ void sd_serialize_rlimits(std::ostringstream &buf, struct aa_rlimits *limits)
sd_write_structend(buf);
}
void sd_serialize_xtable(std::ostringstream &buf, char **table,
size_t min_size)
void sd_serialize_xtable(std::ostringstream &buf, char **table)
{
size_t count;
size_t size;
if (!table[4] && min_size == 0)
if (!table[4])
return;
sd_write_struct(buf, "xtable");
count = 0;
@ -399,9 +397,7 @@ void sd_serialize_xtable(std::ostringstream &buf, char **table,
count++;
}
size = max(min_size, count);
sd_write_array(buf, NULL, size);
sd_write_array(buf, NULL, count);
for (size_t i = 4; i < count + 4; i++) {
size_t len = strlen(table[i]) + 1;
@ -414,13 +410,6 @@ void sd_serialize_xtable(std::ostringstream &buf, char **table,
}
sd_write_strn(buf, table[i], len, NULL);
}
if (min_size > count) {
//fprintf(stderr, "Adding padding to xtable count %lu, min %lu\n", count, min_size);
for (; count < min_size; count++) {
/* fill with null strings */
sd_write_strn(buf, "\000", 1, NULL);
}
}
sd_write_arrayend(buf);
sd_write_structend(buf);
@ -554,38 +543,17 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile,
sd_serialize_dfa(buf, profile->policy.dfa, profile->policy.size,
profile->policy.perms_table);
if (kernel_supports_permstable32) {
sd_serialize_xtable(buf, profile->exec_table,
profile->uses_prompt_rules &&
prompt_compat_mode == PROMPT_COMPAT_PERMSV1 ?
profile->policy.perms_table.size() : 0);
sd_serialize_xtable(buf, profile->exec_table);
}
sd_write_structend(buf);
}
/* either have a single dfa or lists of different entry types */
if (profile->uses_prompt_rules && prompt_compat_mode == PROMPT_COMPAT_PERMSV1) {
/* special compat mode to work around verification problem */
sd_serialize_dfa(buf, profile->policy.dfa, profile->policy.size,
profile->policy.perms_table);
sd_write_name(buf, "dfa_start");
sd_write_uint32(buf, profile->policy.file_start);
if (profile->policy.dfa) {
// fprintf(stderr, "profile %s: policy xtable\n", profile->name);
// TODO: this is dummy exec make dependent on V1
sd_serialize_xtable(buf, profile->exec_table,
//permstable32_v1 workaround
profile->policy.perms_table.size());
}
} else {
sd_serialize_dfa(buf, profile->dfa.dfa, profile->dfa.size,
profile->dfa.perms_table);
if (profile->dfa.dfa) {
// fprintf(stderr, "profile %s: dfa xtable\n", profile->name);
sd_serialize_xtable(buf, profile->exec_table,
//??? work around
profile->dfa.perms_table.size());
}
sd_serialize_dfa(buf, profile->dfa.dfa, profile->dfa.size,
profile->dfa.perms_table);
if (profile->dfa.dfa) {
// fprintf(stderr, "profile %s: dfa xtable\n", profile->name);
sd_serialize_xtable(buf, profile->exec_table);
}
sd_write_structend(buf);
}