update the parser patches

2025-08-30 22:05:27 +00:00 · 2007-02-05 22:24:58 +00:00
parent e3b3715bbd
commit 49c4f94e5c
6 changed files with 253 additions and 40 deletions
--- a/parser-patches/dfa.patch
+++ b/parser-patches/dfa.patch
@@ -19,7 +19,7 @@ Index: parser/parser_main.c
 extern int current_lineno;
 
 struct option long_options[] = {
-@@ -387,7 +390,7 @@ static void get_match_string(void) {
+@@ -344,7 +347,7 @@ static void get_match_string(void) {
 
 	/* has process_args() already assigned a match string? */
 	if (match_string)
@@ -28,7 +28,7 @@ Index: parser/parser_main.c
 
 	FILE *ms = fopen(MATCH_STRING, "r");
 	if (!ms)
-@@ -404,22 +407,28 @@ static void get_match_string(void) {
+@@ -361,22 +364,28 @@ static void get_match_string(void) {
 	}
 
 out:
@@ -63,7 +63,7 @@ Index: parser/parser_main.c
 		return 1;
 
 	return 0;
-@@ -437,6 +446,9 @@ int process_profile(int option, char *pr
+@@ -394,6 +403,9 @@ int process_profile(int option, char *pr
 	if (retval != 0)
 		goto out;
 
@@ -73,9 +73,9 @@ Index: parser/parser_main.c
 	retval = post_process_policy();
   	if (retval != 0) {
   		PERROR(_("%s: Errors found in file. Aborting.\n"), progname);
-@@ -470,7 +482,7 @@ int process_profile(int option, char *pr
- 	if (!subdomainbase && !preprocess_only && !(option == OPTION_STDOUT))
- 			find_subdomainfs_mountpoint();
+@@ -424,7 +436,7 @@ int process_profile(int option, char *pr
+ 		goto out;
+ 	}
 
 -	if (!pcre_support()) {
 +	if (!regex_support()) {
@@ -138,20 +138,24 @@ Index: parser/parser_regex.c
 
 	while (error == e_no_error && *sptr) {
 		switch (*sptr) {
-@@ -342,10 +339,10 @@ static int process_regex_entry(struct co
+@@ -342,12 +339,12 @@ static int process_regex_entry(struct co
 	}
 
 	/* anchor end and terminate pattern string */
-+	if (error == e_no_error && anchor)
-+		STORE("$" , dptr, 1);
- 	if (error == e_no_error) {
+-	if (error == e_no_error) {
 -		char buf[2] = { '$', 0 };
 -
 -		STORE(buf, dptr, 2);
+	if ((error == e_no_error) && anchor) {
+		STORE("$" , dptr, 1);
+	}
+	if (error != e_no_error) {
 +		STORE("", dptr, 1);
 	}
- 
+-
 	/* check error  again, as above STORE may have set it */
+ 	if (error != e_no_error) {
+ 		if (error == e_buffer_overflow) {
@@ -356,12 +353,31 @@ static int process_regex_entry(struct co
 		}
 
@@ -185,7 +189,7 @@ Index: parser/parser_regex.c
 	entry->pattern_type = ptype;
 
 	/*
-@@ -422,33 +438,89 @@ static int process_regex_entry(struct co
+@@ -422,33 +438,83 @@ static int process_regex_entry(struct co
 		filter_escapes(entry->name);
 	}		/* ptype == ePatternRegex */
 
@@ -239,7 +243,7 @@ Index: parser/parser_regex.c
 +		count++;
 	}
 
-+	code->dfarule_count = count;
+	cod->dfarule_count = count;
 	return ret;
 }
 
@@ -256,18 +260,12 @@ Index: parser/parser_regex.c
 +			goto out;
 	}
 +	if (!post_process_entries(cod))
-+{
-+fprintf(stderr, "Failed post_process_entries\n");
 +		goto out;
-+}
 
 +	if (regex_type == AARE_DFA && cod->dfarule_count > 0) {
 +		cod->dfa = aare_create_dfa(cod->dfarules, 0, &cod->dfa_size);
 +		if (!cod->dfa)
-+{
-+fprintf(stderr, "Failed create dfa\n");
 +			goto out;
-+}
 +/*
 +		if (cod->dfa_size == 0) {
 +			PERROR(_("profile %s: has merged rules (%s) with "
@@ -282,7 +280,7 @@ Index: parser/parser_regex.c
 	/*
 	 * Post process subdomain(s):
 	 *
-@@ -464,8 +536,11 @@ int process_regex(struct codomain *cod)
+@@ -464,8 +530,11 @@ int process_regex(struct codomain *cod)
 	 * }
 	 */
 	if (process_hat_regex(cod) != 0)
@@ -2307,27 +2305,28 @@ Index: parser/Makefile
 ===================================================================
 --- parser.orig/Makefile
 +++ parser/Makefile
-@@ -77,6 +77,8 @@ OBJECTS = parser_lex.o parser_yacc.o par
+@@ -77,6 +77,9 @@ OBJECTS = parser_lex.o parser_yacc.o par
 	  parser_include.o parser_merge.o parser_symtab.o parser_misc.o \
 	  parser_regex.o parser_variable.o parser_policy.o
 
-+AARE = libapparmor_re/libapparmor_re.a
+AAREDIR= libapparmor_re
+AAREOBJECTS = ${AAREDIR}/libapparmor_re.a
 +
 PCREDIR= pcre
 PCREOBJECTS = ${PCREDIR}/pcre.o
 
-@@ -110,8 +112,8 @@ all: 	$(LEX_C_FILES) $(YACC_C_FILES) $(T
+@@ -110,8 +113,8 @@ all: 	$(LEX_C_FILES) $(YACC_C_FILES) $(T
 	$(Q)make -C po all
 	$(Q)make -s tests
 
 -apparmor_parser: $(OBJECTS) $(PCREOBJECTS)
 -	$(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB}
-+apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AARE)
-+	$(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB} -Bstatic $(AARE) -lstdc++
+apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS)
+	$(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB} -Bstatic $(AAREOBJECTS) -lstdc++
 
 parser_yacc.c parser_yacc.h: parser_yacc.y parser.h
 	$(YACC) $(YFLAGS) -o parser_yacc.c parser_yacc.y 
-@@ -196,7 +198,7 @@ install-suse:
+@@ -196,7 +199,7 @@ install-suse:
 	ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
 	ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
 	ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd
--- a/parser-patches/dfa_single_module.patch
+++ b/parser-patches/dfa_single_module.patch
@@ -0,0 +1,67 @@
+Index: parser/parser_interface.c
+===================================================================
+--- parser.orig/parser_interface.c
+++ parser/parser_interface.c
+@@ -56,6 +56,7 @@
+ #define SD_STR_LEN (sizeof(u16))
+ 
+ #define SUBDOMAIN_INTERFACE_VERSION 2
+#define SUBDOMAIN_INTERFACE_DFA_VERSION 3
+ 
+ int sd_serialize_codomain(int option, struct codomain *cod);
+ 
+@@ -473,24 +474,7 @@ int sd_serialize_file_entry(sd_serialize
+ 
+ int sd_serialize_dfa(sd_serialize *p, void *dfa, size_t size)
+ {
+-	/* fake up a file entry in regex entry list */
+-	PDEBUG("Writing file entry. name '%s'\n", file_entry->name);
+-	if (!sd_write_list(p, "pgent"))
+-		return 0;
+-	if (!sd_write_struct(p, "fe"))
+-		return 0;
+-	if (!sd_write_string(p, "dfa", NULL))
+-		return 0;
+-	/* list entry has having all perms but no exec modifiers */
+-	if (!sd_write32(p, 0x7fffffff & ~AA_EXEC_MODIFIERS))
+-		return 0;
+-	if (!sd_write32(p, ePatternRegex))
+-		return 0;
+-	if (!sd_write_blob(p, dfa, size, "aadfa"))
+-		return 0;
+-	if (!sd_write_structend(p))
+-		return 0;
+-	if (!sd_write_listend(p))
+	if (dfa && !sd_write_blob(p, dfa, size, "aadfa"))
+ 		return 0;
+ 
+ 	return 1;
+@@ -556,7 +540,7 @@ int sd_serialize_profile(sd_serialize *p
+ 		return 0;
+ 
+ 	/* either have a single dfa or lists of different entry types */
+-	if (profile->dfa) {
+	if (regex_type == AARE_DFA) {
+ 		if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
+ 			return 0;
+ 	} else {
+@@ -635,9 +619,18 @@ int sd_serialize_profile(sd_serialize *p
+ 
+ int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
+ {
+	int version;
+
+	if (regex_type == AARE_DFA)
+		version = SUBDOMAIN_INTERFACE_DFA_VERSION;
+	else
+		version = SUBDOMAIN_INTERFACE_VERSION;
+
+
+ 	if (!sd_write_name(p, "version"))
+ 		return 0;
+-	if (!sd_write32(p, SUBDOMAIN_INTERFACE_VERSION))
+
+	if (!sd_write32(p, version))
+ 		return 0;
+ 	return sd_serialize_profile(p, profile);
+ }
--- a/parser-patches/fix_missing_break.patch
+++ b/parser-patches/fix_missing_break.patch
@@ -1,12 +0,0 @@
-Index: parser/parser_regex.c
-===================================================================
--- parser.orig/parser_regex.c
-+++ parser/parser_regex.c
-@@ -170,6 +170,7 @@ static int process_regex_entry(struct co
- 				++sptr;
- 				continue;	/*skip turning bEscape off */
- 			}	/* bEscape */
-+			break;
- 		case '*':
- 			if (bEscape) {
- 				/* '*' is a PCRE special character */
--- a/parser-patches/parser_loadinterface.patch
+++ b/parser-patches/parser_loadinterface.patch
@@ -0,0 +1,121 @@
+Index: parser/parser_main.c
+===================================================================
+--- parser.orig/parser_main.c
+++ parser/parser_main.c
+@@ -264,18 +264,14 @@ static inline char *try_subdomainfs_moun
+ 	return retval;
+ }
+ 
+-void find_subdomainfs_mountpoint(void)
+int find_subdomainfs_mountpoint(void)
+ {
+ 	FILE *mntfile;
+ 	struct mntent *mntpt;
+ 
+ 	if (!(mntfile = setmntent(MOUNTED_FS, "r"))) {
+ 		/* Ugh, what's the right default if you can't open /proc/mounts? */
+-		PERROR(_("Warning: unable to open %s, attempting to use %s\n"
+-			 "as the subdomainfs location. Use --subdomainfs to override.\n"),
+-		       MOUNTED_FS, DEFAULT_APPARMORFS);
+-		subdomainbase = DEFAULT_APPARMORFS;
+-		return;
+		goto test_default;
+ 	}
+ 
+ 	while ((mntpt = getmntent(mntfile))) {
+@@ -301,62 +297,23 @@ void find_subdomainfs_mountpoint(void)
+ 		}
+ 	}
+ 
+ test_default:
+ 	if (!subdomainbase) {
+-		PERROR(_("Warning: unable to find a suitable fs in %s, is it mounted?\n"
+-			 "Attempting to use %s as the subdomainfs location.\n"
+-			 "Use --subdomainfs to override.\n"),
+-		       MOUNTED_FS, DEFAULT_APPARMORFS);
+-		subdomainbase = DEFAULT_APPARMORFS;
+-	}
+-	endmntent(mntfile);
+-}
+-
+-int is_module_loaded(void)
+-{
+-	char *query_failed = NULL;
+-	int module_loaded = 0;
+-	int mlen = strlen(MODULE_NAME);
+-	int oldmlen = strlen(OLD_MODULE_NAME);
+-	FILE *fp;
+-
+-	fp = fopen(PROC_MODULES, "r");
+-	if (fp) {
+-		while (!feof(fp)) {
+-			const int buflen = 256;
+-			char buf[buflen];
+-
+-			if (fgets(buf, buflen, fp)) {
+-				buf[buflen - 1] = 0;
+-
+-				if (strncmp(buf, MODULE_NAME, mlen) == 0 &&
+-				    buf[mlen] == ' ') {
+-					module_loaded = 1;
+-				}
+-				if (strncmp(buf, OLD_MODULE_NAME, oldmlen) == 0 &&
+-				    buf[oldmlen] == ' ') {
+-					module_loaded = 1;
+-				}
+-			}
+		struct stat buf;
+		if (stat(DEFAULT_APPARMORFS, &buf) == -1) {
+		PERROR(_("Warning: unable to find a suitable fs in %s, is it "
+			 "mounted?\nUse --subdomainfs to override.\n"),
+		       MOUNTED_FS);
+		} else {
+			subdomainbase = DEFAULT_APPARMORFS;
+ 		}
+-		(void)fclose(fp);
+-	} else {
+-		query_failed = "unable to open " PROC_MODULES;
+-	}
+-
+-	if (query_failed) {
+-		PERROR(_("%s: Unable to query modules - '%s'\n"
+-			 "Either modules are disabled or your kernel is"
+-			 " too old.\n"), progname, query_failed);
+-		return 1;
+-	} else if (!module_loaded) {
+-		PERROR(_("%s: Unable to find " MODULE_NAME "!\n"
+-			 "Ensure that it has been loaded.\n"), progname);
+-		return 1;
+ 	}
+	endmntent(mntfile);
+ 
+-	return 0;
+	return (subdomainbase == NULL);
+ }
+ 
+
+ int have_enough_privilege(void)
+ {
+ 	uid_t uid, euid;
+@@ -467,9 +424,6 @@ int process_profile(int option, char *pr
+ 		goto out;
+ 	}
+ 
+-	if (!subdomainbase && !preprocess_only && !(option == OPTION_STDOUT))
+-			find_subdomainfs_mountpoint();
+-
+ 	if (!pcre_support()) {
+ 		die_if_any_regex();
+ 	}
+@@ -502,8 +456,9 @@ int main(int argc, char *argv[])
+ 		return retval;
+ 	}
+ 
+-	/* Check to make sure modules are enabled */
+-	if (!(UNPRIVILEGED_OPS) && ((retval = is_module_loaded()))) {
+	/* Check to make sure there is an interface to load policy */
+	if (!(UNPRIVILEGED_OPS) && (subdomainbase == NULL) &&
+	    (retval = find_subdomainfs_mountpoint())) {
+ 		return retval;
+ 	}
+ 
--- a/parser-patches/rcapparmor_builtin.patch
+++ b/parser-patches/rcapparmor_builtin.patch
@@ -0,0 +1,36 @@
+Index: apparmor/rc.apparmor.functions
+===================================================================
+--- apparmor.orig/rc.apparmor.functions
+++ apparmor/rc.apparmor.functions
+@@ -322,14 +322,25 @@ function load_module() {
+ 		MODULE=subdomain
+ 	fi
+ 	if ! grep -qE "^(subdomain|apparmor)[[:space:]]" /proc/modules ; then
+-		sd_action "Loading AppArmor module" /sbin/modprobe $MODULE $1
+		/sbin/modprobe $MODULE $1
+ 		rc=$?
+-		if [ $rc -ne 0 ] ; then
+-			# we couldn't find the module
+-			module_panic
+		if [ $rc -eq 0 ] ; then
+			sd_action "Loading AppArmor module" true
+		else
+			# we couldn't find the module, see if apparmor is
+			# builtin.
+			local builtin=`cat /proc/self/attr/current`
+ 			rc=$?
+-			if [ $rc -ne 0 ] ; then
+-				exit $rc
+			if [ $rc -eq 0 -a $builtin == "unconstrained" ]
+			then
+				sd_action "AppArmor is built in to kernel" true
+			else
+				sd_action "Loading AppArmor module" false
+				module_panic
+				rc=$?
+				if [ $rc -ne 0 ] ; then
+					exit $rc
+				fi
+ 			fi
+ 		fi
+ 	fi
--- a/parser-patches/series
+++ b/parser-patches/series
@@ -1,3 +1,5 @@
-fix_missing_break.patch
+rcapparmor_builtin.patch
+parser_loadinterface.patch
+parser_cache.patch
 dfa.patch
-libapparmor_re
+dfa_single_module.patch