mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-29 13:28:19 +00:00
flatten hats for individual profile load
This commit is contained in:
John Johansen
parent
84bfd57edf
commit
5655affcda
@ -62,6 +62,8 @@ struct codomain {
|
|||||||
char *sub_name; /* subdomain name or NULL */
|
char *sub_name; /* subdomain name or NULL */
|
||||||
int default_deny; /* TRUE or FALSE */
|
int default_deny; /* TRUE or FALSE */
|
||||||
|
|
||||||
|
struct codomain *parent;
|
||||||
|
|
||||||
struct flagval flags;
|
struct flagval flags;
|
||||||
|
|
||||||
unsigned int capabilities;
|
unsigned int capabilities;
|
||||||
@ -212,7 +214,8 @@ extern int codomain_merge_rules(struct codomain *cod);
|
|||||||
/* parser_interface.c */
|
/* parser_interface.c */
|
||||||
typedef struct __sdserialize sd_serialize;
|
typedef struct __sdserialize sd_serialize;
|
||||||
extern int load_codomain(int option, struct codomain *cod);
|
extern int load_codomain(int option, struct codomain *cod);
|
||||||
extern int sd_serialize_profile(sd_serialize *p, struct codomain *cod);
|
extern int sd_serialize_profile(sd_serialize *p, struct codomain *cod,
|
||||||
|
int flatten);
|
||||||
|
|
||||||
/* parser_policy.c */
|
/* parser_policy.c */
|
||||||
extern void add_to_list(struct codomain *codomain);
|
extern void add_to_list(struct codomain *codomain);
|
||||||
@ -227,6 +230,7 @@ extern int merge_hat_rules(struct codomain *cod);
|
|||||||
extern struct codomain *merge_policy(struct codomain *a, struct codomain *b);
|
extern struct codomain *merge_policy(struct codomain *a, struct codomain *b);
|
||||||
extern int load_policy(int option);
|
extern int load_policy(int option);
|
||||||
extern int load_hats(sd_serialize *p, struct codomain *cod);
|
extern int load_hats(sd_serialize *p, struct codomain *cod);
|
||||||
|
extern int load_flattened_hats(struct codomain *cod);
|
||||||
extern void free_policy(struct codomain *cod);
|
extern void free_policy(struct codomain *cod);
|
||||||
extern void dump_policy(void);
|
extern void dump_policy(void);
|
||||||
extern void dump_policy_hats(struct codomain *cod);
|
extern void dump_policy_hats(struct codomain *cod);
|
||||||
|
|||||||
@ -18,6 +18,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#define _GNU_SOURCE /* for asprintf */
|
#define _GNU_SOURCE /* for asprintf */
|
||||||
|
#include <assert.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
@ -538,15 +539,31 @@ int count_pcre_ents(struct cod_entry *list)
|
|||||||
return count;
|
return count;
|
||||||
}
|
}
|
||||||
|
|
||||||
int sd_serialize_profile(sd_serialize *p, struct codomain *profile)
|
int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
|
||||||
|
int flattened)
|
||||||
{
|
{
|
||||||
struct cod_entry *entry;
|
struct cod_entry *entry;
|
||||||
struct cod_net_entry *net_entry;
|
struct cod_net_entry *net_entry;
|
||||||
|
|
||||||
if (!sd_write_struct(p, "profile"))
|
if (!sd_write_struct(p, "profile"))
|
||||||
return 0;
|
return 0;
|
||||||
if (!sd_write_string(p, profile->name, NULL))
|
if (flattened) {
|
||||||
return 0;
|
assert(profile->parent);
|
||||||
|
int res;
|
||||||
|
|
||||||
|
char *name = malloc(3 + strlen(profile->name) +
|
||||||
|
strlen(profile->parent->name));
|
||||||
|
if (!name)
|
||||||
|
return 0;
|
||||||
|
sprintf(name, "%s//%s", profile->parent->name, profile->name);
|
||||||
|
res = sd_write_string(p, name, NULL);
|
||||||
|
free(name);
|
||||||
|
if (!res)
|
||||||
|
return 0;
|
||||||
|
} else {
|
||||||
|
if (!sd_write_string(p, profile->name, NULL))
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
if (!sd_write_struct(p, "flags"))
|
if (!sd_write_struct(p, "flags"))
|
||||||
return 0;
|
return 0;
|
||||||
/* used to be flags.debug, but that's no longer supported */
|
/* used to be flags.debug, but that's no longer supported */
|
||||||
@ -621,7 +638,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile)
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (profile->hat_table) {
|
if (profile->hat_table && regex_type != AARE_DFA) {
|
||||||
if (!sd_write_list(p, "hats"))
|
if (!sd_write_list(p, "hats"))
|
||||||
return 0;
|
return 0;
|
||||||
if (load_hats(p, profile) != 0)
|
if (load_hats(p, profile) != 0)
|
||||||
@ -651,7 +668,7 @@ int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
|
|||||||
|
|
||||||
if (!sd_write32(p, version))
|
if (!sd_write32(p, version))
|
||||||
return 0;
|
return 0;
|
||||||
return sd_serialize_profile(p, profile);
|
return sd_serialize_profile(p, profile, profile->parent ? 1 : 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
int sd_serialize_codomain(int option, struct codomain *cod)
|
int sd_serialize_codomain(int option, struct codomain *cod)
|
||||||
@ -695,11 +712,25 @@ int sd_serialize_codomain(int option, struct codomain *cod)
|
|||||||
free(filename);
|
free(filename);
|
||||||
|
|
||||||
if (option == OPTION_REMOVE) {
|
if (option == OPTION_REMOVE) {
|
||||||
size = strlen(cod->name) + 1;
|
char *name;
|
||||||
wsize = write(fd, cod->name, size);
|
if (cod->parent) {
|
||||||
|
name = malloc(strlen(cod->name) + 3 +
|
||||||
|
strlen(cod->parent->name));
|
||||||
|
if (!name) {
|
||||||
|
PERROR(_("Unable to remove ^%s\n"), cod->name);
|
||||||
|
error = -errno;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
sprintf(name, "%s//%s", cod->parent->name, cod->name);
|
||||||
|
} else {
|
||||||
|
name = cod->name;
|
||||||
|
}
|
||||||
|
size = strlen(name) + 1;
|
||||||
|
wsize = write(fd, name, size);
|
||||||
if (wsize < 0)
|
if (wsize < 0)
|
||||||
error = -errno;
|
error = -errno;
|
||||||
|
if (cod->parent)
|
||||||
|
free(name);
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
work_area = alloc_sd_serial();
|
work_area = alloc_sd_serial();
|
||||||
@ -731,6 +762,12 @@ int sd_serialize_codomain(int option, struct codomain *cod)
|
|||||||
|
|
||||||
close(fd);
|
close(fd);
|
||||||
|
|
||||||
|
if (cod->hat_table && regex_type == AARE_DFA) {
|
||||||
|
if (load_flattened_hats(cod) != 0)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
return error;
|
return error;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -66,6 +66,8 @@ void add_hat_to_policy(struct codomain *cod, struct codomain *hat)
|
|||||||
{
|
{
|
||||||
struct codomain **result;
|
struct codomain **result;
|
||||||
|
|
||||||
|
hat->parent = cod;
|
||||||
|
|
||||||
result = (struct codomain **) tsearch(hat, &(cod->hat_table), codomain_compare);
|
result = (struct codomain **) tsearch(hat, &(cod->hat_table), codomain_compare);
|
||||||
if (!result) {
|
if (!result) {
|
||||||
PERROR("Memory allocation error\n");
|
PERROR("Memory allocation error\n");
|
||||||
@ -256,13 +258,32 @@ static void __load_hat(const void *nodep, const VISIT value,
|
|||||||
if (value == preorder || value == endorder)
|
if (value == preorder || value == endorder)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
if (!sd_serialize_profile(__p, *t)) {
|
if (!sd_serialize_profile(__p, *t, 0)) {
|
||||||
PERROR(_("ERROR in profile %s, failed to load\n"),
|
PERROR(_("ERROR in profile %s, failed to load\n"),
|
||||||
(*t)->name);
|
(*t)->name);
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void __load_flattened_hat(const void *nodep, const VISIT value,
|
||||||
|
const int __unused depth)
|
||||||
|
{
|
||||||
|
struct codomain **t = (struct codomain **) nodep;
|
||||||
|
|
||||||
|
if (value == preorder || value == endorder)
|
||||||
|
return;
|
||||||
|
|
||||||
|
if (load_codomain(__load_option, *t) != 0) {
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
int load_flattened_hats(struct codomain *cod)
|
||||||
|
{
|
||||||
|
twalk(cod->hat_table, __load_flattened_hat);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
int load_hats(sd_serialize *p, struct codomain *cod)
|
int load_hats(sd_serialize *p, struct codomain *cod)
|
||||||
{
|
{
|
||||||
__p = p;
|
__p = p;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user