This (updated) patch to trunk adds support for Px and Ux (toggle
bprm_secure on exec) in the parser. As requested, lowercase p and u
correspond to an unfiltered environment on exec, uppercase will filter
the environment.  It applies after the 'm' patch.

As a side effect, I tried to reduce the use of hardcoded characters in
the debugging statements -- there are still a few warnings that have
hard coded letters in them; not sure I can fix them all.

This version issues a warning for every unsafe ux and issues a single
warning for the first 'R', 'W', 'X', 'L', and 'I' it encounters,
except when the "-q" or "--quiet" flag , "--remove" profile flag, or
"-N" report names flags are passed.  Unfortunately, it made the logic
somewhat more convoluted.  Wordsmithing improvements welcome.
This commit is contained in:
John Johansen
2006-08-04 17:14:49 +00:00
parent cafbfe7cd3
commit 3cb147e25c
7 changed files with 132 additions and 38 deletions


@@ -27,6 +27,7 @@
#include "parser.h"
static inline int count_net_entries(struct codomain *cod)
{
struct cod_net_entry *list;
@@ -73,14 +74,23 @@ static int process_file_entries(struct codomain *cod)
qsort(table, count, sizeof(struct cod_entry *), file_comp);
table[count] = NULL;
#define CHECK_CONFLICT_UNSAFE(a, b) \
(((a & KERN_COD_EXEC_UNSAFE) ^ (b & KERN_COD_EXEC_UNSAFE)) && \
(KERN_EXEC_MODIFIERS(a) & ~KERN_COD_EXEC_INHERIT) && \
(KERN_EXEC_MODIFIERS(b) & ~KERN_COD_EXEC_INHERIT))
/* walk the sorted table merging similar entries */
for (cur = table[0], next = table[1], n = 1; next != NULL; n++, next = table[n]) {
if (file_comp(&cur, &next) == 0) {
int conflict = CHECK_CONFLICT_UNSAFE(cur->mode, next->mode);
PDEBUG("%s: cur_mode: %x next_mode: %x conflict %d\n",
__FUNCTION__, cur->mode, next->mode, conflict);
cur->mode |= next->mode;
/* check for merged x consistency */
if ((KERN_COD_MAY_EXEC & cur->mode) &&
(KERN_EXEC_MODIFIERS(cur->mode) &
(KERN_EXEC_MODIFIERS(cur->mode) - 1))) {
if (KERN_COD_MAY_EXEC & cur->mode &&
((KERN_EXEC_MODIFIERS(cur->mode) &
(KERN_EXEC_MODIFIERS(cur->mode) - 1)) ||
conflict)) {
PERROR(_("profile %s: has merged rule %s with multiple x modifiers\n"),
cod->name, cur->name);
return 0;