From 49c4f94e5c343ac1ddf871a8a88fb461dc437ee3 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Mon, 5 Feb 2007 22:24:58 +0000 Subject: [PATCH] update the parser patches --- parser-patches/dfa.patch | 51 +++++---- parser-patches/dfa_single_module.patch | 67 ++++++++++++ parser-patches/fix_missing_break.patch | 12 --- parser-patches/parser_loadinterface.patch | 121 ++++++++++++++++++++++ parser-patches/rcapparmor_builtin.patch | 36 +++++++ parser-patches/series | 6 +- 6 files changed, 253 insertions(+), 40 deletions(-) create mode 100644 parser-patches/dfa_single_module.patch delete mode 100644 parser-patches/fix_missing_break.patch create mode 100644 parser-patches/parser_loadinterface.patch create mode 100644 parser-patches/rcapparmor_builtin.patch diff --git a/parser-patches/dfa.patch b/parser-patches/dfa.patch index f094f3e1b..6967c9792 100644 --- a/parser-patches/dfa.patch +++ b/parser-patches/dfa.patch @@ -19,7 +19,7 @@ Index: parser/parser_main.c extern int current_lineno; struct option long_options[] = { -@@ -387,7 +390,7 @@ static void get_match_string(void) { +@@ -344,7 +347,7 @@ static void get_match_string(void) { /* has process_args() already assigned a match string? */ if (match_string) @@ -28,7 +28,7 @@ Index: parser/parser_main.c FILE *ms = fopen(MATCH_STRING, "r"); if (!ms) -@@ -404,22 +407,28 @@ static void get_match_string(void) { +@@ -361,22 +364,28 @@ static void get_match_string(void) { } out: @@ -63,7 +63,7 @@ Index: parser/parser_main.c return 1; return 0; -@@ -437,6 +446,9 @@ int process_profile(int option, char *pr +@@ -394,6 +403,9 @@ int process_profile(int option, char *pr if (retval != 0) goto out; 
@@ -73,9 +73,9 @@ Index: parser/parser_main.c retval = post_process_policy(); if (retval != 0) { PERROR(_("%s: Errors found in file. Aborting.\n"), progname); -@@ -470,7 +482,7 @@ int process_profile(int option, char *pr - if (!subdomainbase && !preprocess_only && !(option == OPTION_STDOUT)) - find_subdomainfs_mountpoint(); +@@ -424,7 +436,7 @@ int process_profile(int option, char *pr + goto out; + } - if (!pcre_support()) { + if (!regex_support()) { @@ -138,20 +138,24 @@ Index: parser/parser_regex.c while (error == e_no_error && *sptr) { switch (*sptr) { -@@ -342,10 +339,10 @@ static int process_regex_entry(struct co +@@ -342,12 +339,12 @@ static int process_regex_entry(struct co } /* anchor end and terminate pattern string */ -+ if (error == e_no_error && anchor) -+ STORE("$" , dptr, 1); - if (error == e_no_error) { +- if (error == e_no_error) { - char buf[2] = { '$', 0 }; - - STORE(buf, dptr, 2); ++ if ((error == e_no_error) && anchor) { ++ STORE("$" , dptr, 1); ++ } ++ if (error != e_no_error) { + STORE("", dptr, 1); } - +- /* check error again, as above STORE may have set it */ + if (error != e_no_error) { + if (error == e_buffer_overflow) { @@ -356,12 +353,31 @@ static int process_regex_entry(struct co } @@ -185,7 +189,7 @@ Index: parser/parser_regex.c entry->pattern_type = ptype; /* -@@ -422,33 +438,89 @@ static int process_regex_entry(struct co +@@ -422,33 +438,83 @@ static int process_regex_entry(struct co filter_escapes(entry->name); } /* ptype == ePatternRegex */ @@ -239,7 +243,7 @@ Index: parser/parser_regex.c + count++; } -+ code->dfarule_count = count; ++ cod->dfarule_count = count; return ret; } 
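Review bot: The terminating NUL is now written only on the error path: in the inner `@@ -342,12 +339,12 @@` hunk of parser_regex.c the guard in front of `STORE("", dptr, 1);` was changed from `if (error == e_no_error) {` to `if (error != e_no_error) {`, so a pattern that converts cleanly is left in tbuf without its `\0`, and whatever later consumes it (the regex compile or dfa rule add, outside this hunk) reads past the bytes actually written. The previous revision of the patch anchored `$` and then terminated under the same `error == e_no_error` condition, which is what the retained comment `/* anchor end and terminate pattern string */` describes; the guard should read `if (error == e_no_error) {`. On the error path the buffer is discarded after the PERROR, so terminating it there gains nothing. process_regex_entry begins and ends outside this hunk.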
@@ -256,18 +260,12 @@ Index: parser/parser_regex.c + goto out; } + if (!post_process_entries(cod)) -+{ -+fprintf(stderr, "Failed post_process_entries\n"); + goto out; -+} + if (regex_type == AARE_DFA && cod->dfarule_count > 0) { + cod->dfa = aare_create_dfa(cod->dfarules, 0, &cod->dfa_size); + if (!cod->dfa) -+{ -+fprintf(stderr, "Failed create dfa\n"); + goto out; -+} +/* + if (cod->dfa_size == 0) { + PERROR(_("profile %s: has merged rules (%s) with " @@ -282,7 +280,7 @@ Index: parser/parser_regex.c /* * Post process subdomain(s): * -@@ -464,8 +536,11 @@ int process_regex(struct codomain *cod) +@@ -464,8 +530,11 @@ int process_regex(struct codomain *cod) * } */ if (process_hat_regex(cod) != 0) 
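Review bot: A failed `aare_create_dfa()` is now silent: the `@@ -256,18 +260,12 @@` hunk removes the debug fprintf calls around `if (!cod->dfa)` and after the `post_process_entries(cod)` check without putting a real diagnostic in their place, so the profile is rejected via `goto out` with no message naming the cause. Since this path only runs when `cod->dfarule_count > 0`, a user loading an otherwise valid profile gets a bare failure; emit an error before the jump, e.g. `PERROR(_("%s: failed to create dfa\n"), progname);` (using whatever the file's other PERROR calls pass, and the profile name if the field the commented-out PERROR below refers to is available). The commented-out `dfa_size == 0` block is also carried forward as dead text — either make it a real check or drop it. process_regex continues outside this hunk.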
@@ -2307,27 +2305,28 @@ Index: parser/Makefile =================================================================== --- parser.orig/Makefile +++ parser/Makefile -@@ -77,6 +77,8 @@ OBJECTS = parser_lex.o parser_yacc.o par +@@ -77,6 +77,9 @@ OBJECTS = parser_lex.o parser_yacc.o par parser_include.o parser_merge.o parser_symtab.o parser_misc.o \ parser_regex.o parser_variable.o parser_policy.o -+AARE = libapparmor_re/libapparmor_re.a ++AAREDIR= libapparmor_re ++AAREOBJECTS = ${AAREDIR}/libapparmor_re.a + PCREDIR= pcre PCREOBJECTS = ${PCREDIR}/pcre.o -@@ -110,8 +112,8 @@ all: $(LEX_C_FILES) $(YACC_C_FILES) $(T +@@ -110,8 +113,8 @@ all: $(LEX_C_FILES) $(YACC_C_FILES) $(T $(Q)make -C po all $(Q)make -s tests -apparmor_parser: $(OBJECTS) $(PCREOBJECTS) - $(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB} -+apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AARE) -+ $(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB} -Bstatic $(AARE) -lstdc++ ++apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS) ++ $(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB} -Bstatic $(AAREOBJECTS) -lstdc++ parser_yacc.c parser_yacc.h: parser_yacc.y parser.h $(YACC) $(YFLAGS) -o parser_yacc.c parser_yacc.y -@@ -196,7 +198,7 @@ install-suse: +@@ -196,7 +199,7 @@ install-suse: ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd diff --git a/parser-patches/dfa_single_module.patch b/parser-patches/dfa_single_module.patch new file mode 100644 index 000000000..daebf10f1 --- /dev/null +++ b/parser-patches/dfa_single_module.patch 
@@ -0,0 +1,67 @@ +Index: parser/parser_interface.c +=================================================================== +--- parser.orig/parser_interface.c ++++ parser/parser_interface.c +@@ -56,6 +56,7 @@ + #define SD_STR_LEN (sizeof(u16)) + + #define SUBDOMAIN_INTERFACE_VERSION 2 ++#define SUBDOMAIN_INTERFACE_DFA_VERSION 3 + + int sd_serialize_codomain(int option, struct codomain *cod); + +@@ -473,24 +474,7 @@ int sd_serialize_file_entry(sd_serialize + + int sd_serialize_dfa(sd_serialize *p, void *dfa, size_t size) + { +- /* fake up a file entry in regex entry list */ +- PDEBUG("Writing file entry. name '%s'\n", file_entry->name); +- if (!sd_write_list(p, "pgent")) +- return 0; +- if (!sd_write_struct(p, "fe")) +- return 0; +- if (!sd_write_string(p, "dfa", NULL)) +- return 0; +- /* list entry has having all perms but no exec modifiers */ +- if (!sd_write32(p, 0x7fffffff & ~AA_EXEC_MODIFIERS)) +- return 0; +- if (!sd_write32(p, ePatternRegex)) +- return 0; +- if (!sd_write_blob(p, dfa, size, "aadfa")) +- return 0; +- if (!sd_write_structend(p)) +- return 0; +- if (!sd_write_listend(p)) ++ if (dfa && !sd_write_blob(p, dfa, size, "aadfa")) + return 0; + + return 1; +@@ -556,7 +540,7 @@ int sd_serialize_profile(sd_serialize *p + return 0; + + /* either have a single dfa or lists of different entry types */ +- if (profile->dfa) { ++ if (regex_type == AARE_DFA) { + if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size)) + return 0; + } else { +@@ -635,9 +619,18 @@ int sd_serialize_profile(sd_serialize *p + + int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile) + { ++ int version; ++ ++ if (regex_type == AARE_DFA) ++ version = SUBDOMAIN_INTERFACE_DFA_VERSION; ++ else ++ version = SUBDOMAIN_INTERFACE_VERSION; ++ ++ + if (!sd_write_name(p, "version")) + return 0; +- if (!sd_write32(p, SUBDOMAIN_INTERFACE_VERSION)) ++ ++ if (!sd_write32(p, version)) + return 0; + return sd_serialize_profile(p, profile); + } 
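Review bot: `sd_serialize_dfa()` returns success when `dfa` is NULL, and `sd_serialize_profile()` now picks that branch on `regex_type == AARE_DFA` instead of `profile->dfa`, so a profile whose dfa was never built (dfa.patch only calls aare_create_dfa when `dfarule_count > 0`) is serialized under interface version 3 with neither an `aadfa` blob nor the per-entry lists. Whether the kernel treats a missing blob as an empty ruleset or as a malformed profile is not visible here, and the parser should not depend on that: either require the blob, `if (!dfa) return 0;`, and let the caller report the error, or keep emitting the list form for dfa-less profiles if the version-3 reader still accepts it. The version choice in `sd_serialize_top_profile` is consistent with either option.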
diff --git a/parser-patches/fix_missing_break.patch b/parser-patches/fix_missing_break.patch deleted file mode 100644 index 33c479495..000000000 --- a/parser-patches/fix_missing_break.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: parser/parser_regex.c -=================================================================== ---- parser.orig/parser_regex.c -+++ parser/parser_regex.c -@@ -170,6 +170,7 @@ static int process_regex_entry(struct co - ++sptr; - continue; /*skip turning bEscape off */ - } /* bEscape */ -+ break; - case '*': - if (bEscape) { - /* '*' is a PCRE special character */ diff --git a/parser-patches/parser_loadinterface.patch b/parser-patches/parser_loadinterface.patch new file mode 100644 index 000000000..7306af4d5 --- /dev/null +++ b/parser-patches/parser_loadinterface.patch 
@@ -0,0 +1,121 @@ +Index: parser/parser_main.c +=================================================================== +--- parser.orig/parser_main.c ++++ parser/parser_main.c +@@ -264,18 +264,14 @@ static inline char *try_subdomainfs_moun + return retval; + } + +-void find_subdomainfs_mountpoint(void) ++int find_subdomainfs_mountpoint(void) + { + FILE *mntfile; + struct mntent *mntpt; + + if (!(mntfile = setmntent(MOUNTED_FS, "r"))) { + /* Ugh, what's the right default if you can't open /proc/mounts? */ +- PERROR(_("Warning: unable to open %s, attempting to use %s\n" +- "as the subdomainfs location. Use --subdomainfs to override.\n"), +- MOUNTED_FS, DEFAULT_APPARMORFS); +- subdomainbase = DEFAULT_APPARMORFS; +- return; ++ goto test_default; + } + + while ((mntpt = getmntent(mntfile))) { +@@ -301,62 +297,23 @@ void find_subdomainfs_mountpoint(void) + } + } + ++ test_default: + if (!subdomainbase) { +- PERROR(_("Warning: unable to find a suitable fs in %s, is it mounted?\n" +- "Attempting to use %s as the subdomainfs location.\n" +- "Use --subdomainfs to override.\n"), +- MOUNTED_FS, DEFAULT_APPARMORFS); +- subdomainbase = DEFAULT_APPARMORFS; +- } +- endmntent(mntfile); +-} +- +-int is_module_loaded(void) +-{ +- char *query_failed = NULL; +- int module_loaded = 0; +- int mlen = strlen(MODULE_NAME); +- int oldmlen = strlen(OLD_MODULE_NAME); +- FILE *fp; +- +- fp = fopen(PROC_MODULES, "r"); +- if (fp) { +- while (!feof(fp)) { +- const int buflen = 256; +- char buf[buflen]; +- +- if (fgets(buf, buflen, fp)) { +- buf[buflen - 1] = 0; +- +- if (strncmp(buf, MODULE_NAME, mlen) == 0 && +- buf[mlen] == ' ') { +- module_loaded = 1; +- } +- if (strncmp(buf, OLD_MODULE_NAME, oldmlen) == 0 && +- buf[oldmlen] == ' ') { +- module_loaded = 1; +- } +- } ++ struct stat buf; ++ if (stat(DEFAULT_APPARMORFS, &buf) == -1) { ++ PERROR(_("Warning: unable to find a suitable fs in %s, is it " ++ "mounted?\nUse --subdomainfs to override.\n"), ++ MOUNTED_FS); ++ } else { ++ subdomainbase = 
DEFAULT_APPARMORFS; + } +- (void)fclose(fp); +- } else { +- query_failed = "unable to open " PROC_MODULES; +- } +- +- if (query_failed) { +- PERROR(_("%s: Unable to query modules - '%s'\n" +- "Either modules are disabled or your kernel is" +- " too old.\n"), progname, query_failed); +- return 1; +- } else if (!module_loaded) { +- PERROR(_("%s: Unable to find " MODULE_NAME "!\n" +- "Ensure that it has been loaded.\n"), progname); +- return 1; + } ++ endmntent(mntfile); + +- return 0; ++ return (subdomainbase == NULL); + } + ++ + int have_enough_privilege(void) + { + uid_t uid, euid; +@@ -467,9 +424,6 @@ int process_profile(int option, char *pr + goto out; + } + +- if (!subdomainbase && !preprocess_only && !(option == OPTION_STDOUT)) +- find_subdomainfs_mountpoint(); +- + if (!pcre_support()) { + die_if_any_regex(); + } +@@ -502,8 +456,9 @@ int main(int argc, char *argv[]) + return retval; + } + +- /* Check to make sure modules are enabled */ +- if (!(UNPRIVILEGED_OPS) && ((retval = is_module_loaded()))) { ++ /* Check to make sure there is an interface to load policy */ ++ if (!(UNPRIVILEGED_OPS) && (subdomainbase == NULL) && ++ (retval = find_subdomainfs_mountpoint())) { + return retval; + } + diff --git a/parser-patches/rcapparmor_builtin.patch b/parser-patches/rcapparmor_builtin.patch new file mode 100644 index 000000000..edcc4f1a3 --- /dev/null +++ b/parser-patches/rcapparmor_builtin.patch 
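Review bot: The fallback in the rewritten `find_subdomainfs_mountpoint()` only proves that the path exists, not that an interface is mounted there: `stat(DEFAULT_APPARMORFS, &buf)` succeeds on an empty mountpoint directory, so when /proc/mounts cannot be opened the parser silently adopts the default and the failure only surfaces later, at load time, with a less useful error. The code this replaces at least warned that it was guessing; keep a warning on that path and, if possible, check for the interface file the parser later opens under subdomainbase rather than the directory alone. Separately, the `setmntent` failure path jumps to `test_default` and then reaches `endmntent(mntfile)` with a NULL stream — glibc tolerates that, but it is not a documented guarantee, so guard it with `if (mntfile) endmntent(mntfile);`. The change of return type to `int` and the new call site in main() are consistent with each other.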
@@ -0,0 +1,36 @@ +Index: apparmor/rc.apparmor.functions +=================================================================== +--- apparmor.orig/rc.apparmor.functions ++++ apparmor/rc.apparmor.functions +@@ -322,14 +322,25 @@ function load_module() { + MODULE=subdomain + fi + if ! grep -qE "^(subdomain|apparmor)[[:space:]]" /proc/modules ; then +- sd_action "Loading AppArmor module" /sbin/modprobe $MODULE $1 ++ /sbin/modprobe $MODULE $1 + rc=$? +- if [ $rc -ne 0 ] ; then +- # we couldn't find the module +- module_panic ++ if [ $rc -eq 0 ] ; then ++ sd_action "Loading AppArmor module" true ++ else ++ # we couldn't find the module, see if apparmor is ++ # builtin. ++ local builtin=`cat /proc/self/attr/current` + rc=$? +- if [ $rc -ne 0 ] ; then +- exit $rc ++ if [ $rc -eq 0 -a $builtin == "unconstrained" ] ++ then ++ sd_action "AppArmor is built in to kernel" true ++ else ++ sd_action "Loading AppArmor module" false ++ module_panic ++ rc=$? ++ if [ $rc -ne 0 ] ; then ++ exit $rc ++ fi + fi + fi + fi diff --git a/parser-patches/series b/parser-patches/series index 568c3a200..8b754f927 100644 --- a/parser-patches/series +++ b/parser-patches/series @@ -1,3 +1,5 @@ -fix_missing_break.patch +rcapparmor_builtin.patch +parser_loadinterface.patch +parser_cache.patch dfa.patch -libapparmor_re +dfa_single_module.patch
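Review bot: The built-in detection is fragile: `rc=$?` after `local builtin=\`cat ...\`` reports the exit status of `local`, not of `cat`, and `$builtin` is unquoted in `[ $rc -eq 0 -a $builtin == "unconstrained" ]`, so on a kernel with no `/proc/self/attr/current` the variable is empty and the test is malformed — `[` errors out and the script reaches module_panic by accident rather than by design. `==` inside `[` and the `-a` connective are also bash-isms that a plain POSIX `test` rejects. Declare and assign separately so cat's status is the one captured, quote the value, and use two tests:
```shell
# we couldn't find the module, see if apparmor is
# builtin.
local builtin
builtin=`cat /proc/self/attr/current 2>/dev/null`
rc=$?
if [ $rc -eq 0 ] && [ "$builtin" = "unconstrained" ]
then
# … unchanged: sd_action / module_panic branches …
```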
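Review bot: `parser_cache.patch` is added to series but is not created or modified by this commit (it is absent from the diffstat), so unless it already exists in the tree `quilt push` will stop at that entry before reaching dfa.patch. The series also drops `fix_missing_break.patch`, which added the `break;` before `case '*'` in process_regex_entry; none of the dfa.patch hunks visible in this diff touch that region, so confirm the fix is carried elsewhere — without it the escape-handling case falls through into the `'*'` case again.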