mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00
Code Issues Releases Wiki Activity

parser: convert the stored audit from a bit mask to a bool

Browse Source 
This delays the convertion of the audit flag until passing to the
backend. This is a step towards fix the parser front end so that it
doesn't use encoded permission mappings.

Note: the patch embedds the bool conversion into a struct to ensure
the compiler will fail to build unless every use is fixed. The
struct is removed in the following patch.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2021-06-11 03:07:54 -07:00
parent 4fd1f97102
commit 44f3be091a
21 changed files with 102 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
parser/af_unix.cc
View File

@@ -105,7 +105,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
yyerror("socket rule: invalid socket type '%d'", type_p);
}
perms = AA_VALID_NET_PERMS;
audit = audit_p ? AA_VALID_NET_PERMS : 0;
audit.audit = audit_p;
deny = denied;
}
@@ -195,7 +195,7 @@ void unix_rule::downgrade_rule(Profile &prof) {
mask = 1 << sock_type_n;
if (!deny) {
prof.net.allow[AF_UNIX] |= mask;
if (audit)
if (audit.audit)
prof.net.audit[AF_UNIX] |= mask;
} else {
/* deny rules have to be dropped because the downgrade makes
@@ -336,7 +336,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_CREATE),
map_perms(audit & AA_NET_CREATE),
map_perms(audit.audit ? AA_NET_CREATE : 0),
dfaflags))
goto fail;
mask &= ~AA_NET_CREATE;
@@ -361,7 +361,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_BIND),
map_perms(audit & AA_NET_BIND),
map_perms(audit.audit ? AA_NET_BIND : 0),
dfaflags))
goto fail;
/* clear if auto, else generic need to generate addr below */
@@ -386,7 +386,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(mask & local_mask),
map_perms(audit & local_mask),
map_perms(audit.audit ? mask & local_mask : 0),
dfaflags))
goto fail;
}
@@ -400,7 +400,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_LISTEN),
map_perms(audit & AA_NET_LISTEN),
map_perms(audit.audit ? AA_NET_LISTEN : 0),
dfaflags))
goto fail;
}
@@ -412,8 +412,8 @@ int unix_rule::gen_policy_re(Profile &prof)
tmp << "..";
buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(mask & AA_NET_OPT),
map_perms(audit & AA_NET_OPT),
map_perms(AA_NET_OPT),
map_perms(audit.audit ? AA_NET_OPT : 0),
dfaflags))
goto fail;
}
@@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof)
goto fail;
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit), dfaflags))
if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit.audit ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
goto fail;
}