Remove hat rules. In large policies the number of hat rules becomes
problematic; hat rules can be replaced with a simple hat flag on a profile.
@@ -344,9 +344,6 @@ int post_process_alias(void)
|
||||
#define CHANGEHAT_PATH "/proc/[0-9]*/attr/current"
|
||||
|
||||
/* add file rules to access /proc files to call change_hat()
|
||||
* add file rules to be able to change_hat, this restriction keeps
|
||||
* change_hat from being able to access local profiles that are not
|
||||
* meant to be used as hats
|
||||
*/
|
||||
static void __add_hat_rules_parent(const void *nodep, const VISIT value,
|
||||
const int __unused depth)
|
||||
@@ -365,26 +362,6 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
|
||||
if ((*t)->local)
|
||||
return;
|
||||
|
||||
/* add rule to grant permission to change_hat - AA 2.3 requirement,
|
||||
* rules are added to the parent of the hat
|
||||
*/
|
||||
if ((*t)->parent) {
|
||||
char *buffer = malloc(strlen((*t)->name) + 1);
|
||||
if (!buffer) {
|
||||
PERROR("Memory allocation error\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
strcpy(buffer, (*t)->name);
|
||||
|
||||
entry = new_entry(NULL, buffer, AA_CHANGE_HAT, NULL);
|
||||
if (!entry) {
|
||||
PERROR("Memory allocation error\n");
|
||||
exit(1);
|
||||
}
|
||||
add_entry_to_policy((*t)->parent, entry);
|
||||
}
|
||||
|
||||
/* later
|
||||
entry = new_entry(strdup(CHANGEHAT_PATH), AA_MAY_WRITE);
|
||||
if (!entry) {
|
||||
@@ -397,55 +374,10 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
|
||||
twalk((*t)->hat_table, __add_hat_rules_parent);
|
||||
}
|
||||
|
||||
/* add the same hat rules to the hats as the parent so that hats can
|
||||
* change to sibling hats
|
||||
*/
|
||||
static void __add_hat_rules_hats(const void *nodep, const VISIT value,
|
||||
const int __unused depth)
|
||||
{
|
||||
struct codomain **t = (struct codomain **) nodep;
|
||||
|
||||
if (value == preorder || value == endorder)
|
||||
return;
|
||||
|
||||
/* don't add hat rules if a parent profile with no hats */
|
||||
if (!(*t)->hat_table && !(*t)->parent)
|
||||
return;
|
||||
|
||||
/* don't add hat rules for local_profiles */
|
||||
if ((*t)->local)
|
||||
return;
|
||||
|
||||
/* hat */
|
||||
if ((*t)->parent) {
|
||||
struct cod_entry *entry, *new_ent;
|
||||
list_for_each((*t)->parent->entries, entry) {
|
||||
if (entry->mode & AA_CHANGE_HAT) {
|
||||
char *buffer = strdup(entry->name);
|
||||
if (!buffer) {
|
||||
PERROR("Memory allocation error\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
new_ent = new_entry(NULL, buffer,
|
||||
AA_CHANGE_HAT, NULL);
|
||||
if (!entry) {
|
||||
PERROR("Memory allocation error\n");
|
||||
exit(1);
|
||||
}
|
||||
add_entry_to_policy((*t), new_ent);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
twalk((*t)->hat_table, __add_hat_rules_hats);
|
||||
}
|
||||
|
||||
static int add_hat_rules(void)
|
||||
{
|
||||
twalk(policy_list, __add_hat_rules_parent);
|
||||
|
||||
twalk(policy_list, __add_hat_rules_hats);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|