mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 22:05:27 +00:00
Code Issues Releases Wiki Activity

update the parser patches

Browse Source
This commit is contained in:
John Johansen
2007-02-05 22:24:58 +00:00
parent e3b3715bbd
commit 49c4f94e5c
6 changed files with 253 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
parser-patches/dfa.patch
View File

@@ -19,7 +19,7 @@ Index: parser/parser_main.c
extern int current_lineno; extern int current_lineno;
struct option long_options[] = { struct option long_options[] = {
@@ -387,7 +390,7 @@ static void get_match_string(void) { @@ -344,7 +347,7 @@ static void get_match_string(void) {
/* has process_args() already assigned a match string? */ /* has process_args() already assigned a match string? */
if (match_string) if (match_string)
@@ -28,7 +28,7 @@ Index: parser/parser_main.c
FILE *ms = fopen(MATCH_STRING, "r"); FILE *ms = fopen(MATCH_STRING, "r");
if (!ms) if (!ms)
@@ -404,22 +407,28 @@ static void get_match_string(void) { @@ -361,22 +364,28 @@ static void get_match_string(void) {
} }
out: out:
@@ -63,7 +63,7 @@ Index: parser/parser_main.c
return 1; return 1;
return 0; return 0;
@@ -437,6 +446,9 @@ int process_profile(int option, char *pr @@ -394,6 +403,9 @@ int process_profile(int option, char *pr
if (retval != 0) if (retval != 0)
goto out; goto out;
@@ -73,9 +73,9 @@ Index: parser/parser_main.c
retval = post_process_policy(); retval = post_process_policy();
if (retval != 0) { if (retval != 0) {
PERROR(_("%s: Errors found in file. Aborting.\n"), progname); PERROR(_("%s: Errors found in file. Aborting.\n"), progname);
@@ -470,7 +482,7 @@ int process_profile(int option, char *pr @@ -424,7 +436,7 @@ int process_profile(int option, char *pr
if (!subdomainbase && !preprocess_only && !(option == OPTION_STDOUT)) goto out;
find_subdomainfs_mountpoint(); }
- if (!pcre_support()) { - if (!pcre_support()) {
+ if (!regex_support()) { + if (!regex_support()) {
@@ -138,20 +138,24 @@ Index: parser/parser_regex.c
while (error == e_no_error && *sptr) { while (error == e_no_error && *sptr) {
switch (*sptr) { switch (*sptr) {
@@ -342,10 +339,10 @@ static int process_regex_entry(struct co @@ -342,12 +339,12 @@ static int process_regex_entry(struct co
} }
/* anchor end and terminate pattern string */ /* anchor end and terminate pattern string */
+ if (error == e_no_error && anchor) - if (error == e_no_error) {
+ STORE("$" , dptr, 1);
if (error == e_no_error) {
- char buf[2] = { '$', 0 }; - char buf[2] = { '$', 0 };
- -
- STORE(buf, dptr, 2); - STORE(buf, dptr, 2);
+ if ((error == e_no_error) && anchor) {
+ STORE("$" , dptr, 1);
+ }
+ if (error != e_no_error) {
+ STORE("", dptr, 1); + STORE("", dptr, 1);
} }
-
/* check error again, as above STORE may have set it */ /* check error again, as above STORE may have set it */
if (error != e_no_error) {
if (error == e_buffer_overflow) {
@@ -356,12 +353,31 @@ static int process_regex_entry(struct co @@ -356,12 +353,31 @@ static int process_regex_entry(struct co
} }
@@ -185,7 +189,7 @@ Index: parser/parser_regex.c
entry->pattern_type = ptype; entry->pattern_type = ptype;
/* /*
@@ -422,33 +438,89 @@ static int process_regex_entry(struct co @@ -422,33 +438,83 @@ static int process_regex_entry(struct co
filter_escapes(entry->name); filter_escapes(entry->name);
} /* ptype == ePatternRegex */ } /* ptype == ePatternRegex */
@@ -239,7 +243,7 @@ Index: parser/parser_regex.c
+ count++; + count++;
} }
+ code->dfarule_count = count; + cod->dfarule_count = count;
return ret; return ret;
} }
@@ -256,18 +260,12 @@ Index: parser/parser_regex.c
+ goto out; + goto out;
} }
+ if (!post_process_entries(cod)) + if (!post_process_entries(cod))
+{
+fprintf(stderr, "Failed post_process_entries\n");
+ goto out; + goto out;
+}
+ if (regex_type == AARE_DFA && cod->dfarule_count > 0) { + if (regex_type == AARE_DFA && cod->dfarule_count > 0) {
+ cod->dfa = aare_create_dfa(cod->dfarules, 0, &cod->dfa_size); + cod->dfa = aare_create_dfa(cod->dfarules, 0, &cod->dfa_size);
+ if (!cod->dfa) + if (!cod->dfa)
+{
+fprintf(stderr, "Failed create dfa\n");
+ goto out; + goto out;
+}
+/* +/*
+ if (cod->dfa_size == 0) { + if (cod->dfa_size == 0) {
+ PERROR(_("profile %s: has merged rules (%s) with " + PERROR(_("profile %s: has merged rules (%s) with "
@@ -282,7 +280,7 @@ Index: parser/parser_regex.c
/* /*
* Post process subdomain(s): * Post process subdomain(s):
* *
@@ -464,8 +536,11 @@ int process_regex(struct codomain *cod) @@ -464,8 +530,11 @@ int process_regex(struct codomain *cod)
* } * }
*/ */
if (process_hat_regex(cod) != 0) if (process_hat_regex(cod) != 0)
@@ -2307,27 +2305,28 @@ Index: parser/Makefile
=================================================================== ===================================================================
--- parser.orig/Makefile --- parser.orig/Makefile
+++ parser/Makefile +++ parser/Makefile
@@ -77,6 +77,8 @@ OBJECTS = parser_lex.o parser_yacc.o par @@ -77,6 +77,9 @@ OBJECTS = parser_lex.o parser_yacc.o par
parser_include.o parser_merge.o parser_symtab.o parser_misc.o \ parser_include.o parser_merge.o parser_symtab.o parser_misc.o \
parser_regex.o parser_variable.o parser_policy.o parser_regex.o parser_variable.o parser_policy.o
+AARE = libapparmor_re/libapparmor_re.a +AAREDIR= libapparmor_re
+AAREOBJECTS = ${AAREDIR}/libapparmor_re.a
+ +
PCREDIR= pcre PCREDIR= pcre
PCREOBJECTS = ${PCREDIR}/pcre.o PCREOBJECTS = ${PCREDIR}/pcre.o
@@ -110,8 +112,8 @@ all: $(LEX_C_FILES) $(YACC_C_FILES) $(T @@ -110,8 +113,8 @@ all: $(LEX_C_FILES) $(YACC_C_FILES) $(T
$(Q)make -C po all $(Q)make -C po all
$(Q)make -s tests $(Q)make -s tests
-apparmor_parser: $(OBJECTS) $(PCREOBJECTS) -apparmor_parser: $(OBJECTS) $(PCREOBJECTS)
- $(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB} - $(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB}
+apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AARE) +apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS)
+ $(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB} -Bstatic $(AARE) -lstdc++ + $(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB} -Bstatic $(AAREOBJECTS) -lstdc++
parser_yacc.c parser_yacc.h: parser_yacc.y parser.h parser_yacc.c parser_yacc.h: parser_yacc.y parser.h
$(YACC) $(YFLAGS) -o parser_yacc.c parser_yacc.y $(YACC) $(YFLAGS) -o parser_yacc.c parser_yacc.y
@@ -196,7 +198,7 @@ install-suse: @@ -196,7 +199,7 @@ install-suse:
ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd

67
parser-patches/dfa_single_module.patch Normal file
View File

@@ -0,0 +1,67 @@
Index: parser/parser_interface.c
===================================================================
--- parser.orig/parser_interface.c
+++ parser/parser_interface.c
@@ -56,6 +56,7 @@
#define SD_STR_LEN (sizeof(u16))
#define SUBDOMAIN_INTERFACE_VERSION 2
+#define SUBDOMAIN_INTERFACE_DFA_VERSION 3
int sd_serialize_codomain(int option, struct codomain *cod);
@@ -473,24 +474,7 @@ int sd_serialize_file_entry(sd_serialize
int sd_serialize_dfa(sd_serialize *p, void *dfa, size_t size)
{
- /* fake up a file entry in regex entry list */
- PDEBUG("Writing file entry. name '%s'\n", file_entry->name);
- if (!sd_write_list(p, "pgent"))
- return 0;
- if (!sd_write_struct(p, "fe"))
- return 0;
- if (!sd_write_string(p, "dfa", NULL))
- return 0;
- /* list entry has having all perms but no exec modifiers */
- if (!sd_write32(p, 0x7fffffff & ~AA_EXEC_MODIFIERS))
- return 0;
- if (!sd_write32(p, ePatternRegex))
- return 0;
- if (!sd_write_blob(p, dfa, size, "aadfa"))
- return 0;
- if (!sd_write_structend(p))
- return 0;
- if (!sd_write_listend(p))
+ if (dfa && !sd_write_blob(p, dfa, size, "aadfa"))
return 0;
return 1;
@@ -556,7 +540,7 @@ int sd_serialize_profile(sd_serialize *p
return 0;
/* either have a single dfa or lists of different entry types */
- if (profile->dfa) {
+ if (regex_type == AARE_DFA) {
if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
return 0;
} else {
@@ -635,9 +619,18 @@ int sd_serialize_profile(sd_serialize *p
int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
{
+ int version;
+
+ if (regex_type == AARE_DFA)
+ version = SUBDOMAIN_INTERFACE_DFA_VERSION;
+ else
+ version = SUBDOMAIN_INTERFACE_VERSION;
+
+
if (!sd_write_name(p, "version"))
return 0;
- if (!sd_write32(p, SUBDOMAIN_INTERFACE_VERSION))
+
+ if (!sd_write32(p, version))
return 0;
return sd_serialize_profile(p, profile);
}

12
parser-patches/fix_missing_break.patch
View File

@@ -1,12 +0,0 @@
Index: parser/parser_regex.c
===================================================================
--- parser.orig/parser_regex.c
+++ parser/parser_regex.c
@@ -170,6 +170,7 @@ static int process_regex_entry(struct co
++sptr;
continue; /*skip turning bEscape off */
} /* bEscape */
+ break;
case '*':
if (bEscape) {
/* '*' is a PCRE special character */

121
parser-patches/parser_loadinterface.patch Normal file
View File

@@ -0,0 +1,121 @@
Index: parser/parser_main.c
===================================================================
--- parser.orig/parser_main.c
+++ parser/parser_main.c
@@ -264,18 +264,14 @@ static inline char *try_subdomainfs_moun
return retval;
}
-void find_subdomainfs_mountpoint(void)
+int find_subdomainfs_mountpoint(void)
{
FILE *mntfile;
struct mntent *mntpt;
if (!(mntfile = setmntent(MOUNTED_FS, "r"))) {
/* Ugh, what's the right default if you can't open /proc/mounts? */
- PERROR(_("Warning: unable to open %s, attempting to use %s\n"
- "as the subdomainfs location. Use --subdomainfs to override.\n"),
- MOUNTED_FS, DEFAULT_APPARMORFS);
- subdomainbase = DEFAULT_APPARMORFS;
- return;
+ goto test_default;
}
while ((mntpt = getmntent(mntfile))) {
@@ -301,62 +297,23 @@ void find_subdomainfs_mountpoint(void)
}
}
+ test_default:
if (!subdomainbase) {
- PERROR(_("Warning: unable to find a suitable fs in %s, is it mounted?\n"
- "Attempting to use %s as the subdomainfs location.\n"
- "Use --subdomainfs to override.\n"),
- MOUNTED_FS, DEFAULT_APPARMORFS);
- subdomainbase = DEFAULT_APPARMORFS;
- }
- endmntent(mntfile);
-}
-
-int is_module_loaded(void)
-{
- char *query_failed = NULL;
- int module_loaded = 0;
- int mlen = strlen(MODULE_NAME);
- int oldmlen = strlen(OLD_MODULE_NAME);
- FILE *fp;
-
- fp = fopen(PROC_MODULES, "r");
- if (fp) {
- while (!feof(fp)) {
- const int buflen = 256;
- char buf[buflen];
-
- if (fgets(buf, buflen, fp)) {
- buf[buflen - 1] = 0;
-
- if (strncmp(buf, MODULE_NAME, mlen) == 0 &&
- buf[mlen] == ' ') {
- module_loaded = 1;
- }
- if (strncmp(buf, OLD_MODULE_NAME, oldmlen) == 0 &&
- buf[oldmlen] == ' ') {
- module_loaded = 1;
- }
- }
+ struct stat buf;
+ if (stat(DEFAULT_APPARMORFS, &buf) == -1) {
+ PERROR(_("Warning: unable to find a suitable fs in %s, is it "
+ "mounted?\nUse --subdomainfs to override.\n"),
+ MOUNTED_FS);
+ } else {
+ subdomainbase = DEFAULT_APPARMORFS;
}
- (void)fclose(fp);
- } else {
- query_failed = "unable to open " PROC_MODULES;
- }
-
- if (query_failed) {
- PERROR(_("%s: Unable to query modules - '%s'\n"
- "Either modules are disabled or your kernel is"
- " too old.\n"), progname, query_failed);
- return 1;
- } else if (!module_loaded) {
- PERROR(_("%s: Unable to find " MODULE_NAME "!\n"
- "Ensure that it has been loaded.\n"), progname);
- return 1;
}
+ endmntent(mntfile);
- return 0;
+ return (subdomainbase == NULL);
}
+
int have_enough_privilege(void)
{
uid_t uid, euid;
@@ -467,9 +424,6 @@ int process_profile(int option, char *pr
goto out;
}
- if (!subdomainbase && !preprocess_only && !(option == OPTION_STDOUT))
- find_subdomainfs_mountpoint();
-
if (!pcre_support()) {
die_if_any_regex();
}
@@ -502,8 +456,9 @@ int main(int argc, char *argv[])
return retval;
}
- /* Check to make sure modules are enabled */
- if (!(UNPRIVILEGED_OPS) && ((retval = is_module_loaded()))) {
+ /* Check to make sure there is an interface to load policy */
+ if (!(UNPRIVILEGED_OPS) && (subdomainbase == NULL) &&
+ (retval = find_subdomainfs_mountpoint())) {
return retval;
}

36
parser-patches/rcapparmor_builtin.patch Normal file
View File

@@ -0,0 +1,36 @@
Index: apparmor/rc.apparmor.functions
===================================================================
--- apparmor.orig/rc.apparmor.functions
+++ apparmor/rc.apparmor.functions
@@ -322,14 +322,25 @@ function load_module() {
MODULE=subdomain
fi
if ! grep -qE "^(subdomain|apparmor)[[:space:]]" /proc/modules ; then
- sd_action "Loading AppArmor module" /sbin/modprobe $MODULE $1
+ /sbin/modprobe $MODULE $1
rc=$?
- if [ $rc -ne 0 ] ; then
- # we couldn't find the module
- module_panic
+ if [ $rc -eq 0 ] ; then
+ sd_action "Loading AppArmor module" true
+ else
+ # we couldn't find the module, see if apparmor is
+ # builtin.
+ local builtin=`cat /proc/self/attr/current`
rc=$?
- if [ $rc -ne 0 ] ; then
- exit $rc
+ if [ $rc -eq 0 -a $builtin == "unconstrained" ]
+ then
+ sd_action "AppArmor is built in to kernel" true
+ else
+ sd_action "Loading AppArmor module" false
+ module_panic
+ rc=$?
+ if [ $rc -ne 0 ] ; then
+ exit $rc
+ fi
fi
fi
fi

6
parser-patches/series
View File

@@ -1,3 +1,5 @@
fix_missing_break.patch rcapparmor_builtin.patch
parser_loadinterface.patch
parser_cache.patch
dfa.patch dfa.patch
libapparmor_re dfa_single_module.patch