From 5bd2271189c33e2fcd8551f37f364fb963a2256e Mon Sep 17 00:00:00 2001 From: John Johansen Date: Sun, 23 Apr 2023 20:27:51 -0700 Subject: [PATCH] pass prompt info down into the backend for mapping mapping for PROMPT_DEV needs to know that we should prompt --- parser/libapparmor_re/aare_rules.cc | 21 +++++++++++---------- parser/libapparmor_re/aare_rules.h | 6 +++--- parser/libapparmor_re/chfa.cc | 23 +++++++++++++++++------ parser/libapparmor_re/chfa.h | 5 ++--- parser/libapparmor_re/hfa.cc | 13 +++++++------ parser/libapparmor_re/hfa.h | 14 +++++++++++--- parser/parser.h | 4 ---- parser/parser_regex.c | 11 +++++++---- parser/rule.h | 6 ++++++ 9 files changed, 64 insertions(+), 39 deletions(-) diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc index 08e8e6fb9..4dcbc4cc9 100644 --- a/parser/libapparmor_re/aare_rules.cc +++ b/parser/libapparmor_re/aare_rules.cc @@ -199,8 +199,8 @@ bool aare_rules::append_rule(const char *rule, bool oob, bool with_perm, */ CHFA *aare_rules::create_chfa(int *min_match_len, vector &perms_table, - optflags const &opts, - bool filedfa, bool extended_perms) + optflags const &opts, bool filedfa, + bool extended_perms, bool prompt) { /* finish constructing the expr tree from the different permission * set nodes */ @@ -310,9 +310,9 @@ CHFA *aare_rules::create_chfa(int *min_match_len, //cerr << "Checking extended perms " << extended_perms << "\n"; if (extended_perms) { //cerr << "creating permstable\n"; - dfa.compute_perms_table(perms_table); + dfa.compute_perms_table(perms_table, prompt); } - chfa = new CHFA(dfa, eq, opts, extended_perms); + chfa = new CHFA(dfa, eq, opts, extended_perms, prompt); if (opts.dump & DUMP_DFA_TRANS_TABLE) chfa->dump(cerr); } 
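Review bot: The new `prompt` parameter of create_chfa is the third adjacent positional bool after `filedfa` and `extended_perms`, and the comment block that closes at this hunk's first context line (`*/`) gives no hint what it means; the same applies to create_dfablob (@@ -331) and create_welded_dfablob (@@ -375). The only consumers visible in this commit are `dfa.compute_perms_table(perms_table, prompt)` and the CHFA constructor, both of which forward it to State::map_perms_to_accept, where it selects the PROMPT_COMPAT_DEV packing of accept2. I would add a line to the function comment such as `@prompt: the rules use prompt permissions; selects the PROMPT_COMPAT_DEV accept encoding when that compat mode is active`, and have callers spell the bools as `/*filedfa=*/false, /*extended_perms=*/false, /*prompt=*/false` rather than bare literals. The remainder of create_chfa's body lies outside the hunk.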
@@ -331,14 +331,15 @@ CHFA *aare_rules::create_chfa(int *min_match_len, void *aare_rules::create_dfablob(size_t *size, int *min_match_len, vector &perms_table, optflags const &opts, bool filedfa, - bool extended_perms) + bool extended_perms, bool prompt) { char *buffer = NULL; stringstream stream; try { CHFA *chfa = create_chfa(min_match_len, perms_table, - opts, filedfa, extended_perms); + opts, filedfa, extended_perms, + prompt); if (!chfa) { *size = 0; return NULL; @@ -375,7 +376,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules, size_t *new_start, vector &perms_table, optflags const &opts, - bool extended_perms) + bool extended_perms, bool prompt) { int file_min_len; vector file_perms; @@ -383,7 +384,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules, try { file_chfa = file_rules->create_chfa(&file_min_len, file_perms, opts, - true, extended_perms); + true, extended_perms, prompt); if (!file_chfa) { *size = 0; return NULL; @@ -398,7 +399,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules, try { policy_chfa = create_chfa(min_match_len, perms_table, opts, - false, extended_perms); + false, extended_perms, prompt); if (!policy_chfa) { delete file_chfa; *size = 0; @@ -414,7 +415,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules, stringstream stream; try { policy_chfa->weld_file_to_policy(*file_chfa, *new_start, - extended_perms, + extended_perms, prompt, perms_table, file_perms); policy_chfa->flex_table(stream); } diff --git a/parser/libapparmor_re/aare_rules.h b/parser/libapparmor_re/aare_rules.h index ca24c7eb2..7cc163380 100644 --- a/parser/libapparmor_re/aare_rules.h +++ b/parser/libapparmor_re/aare_rules.h 
@@ -118,17 +118,17 @@ class aare_rules { CHFA *create_chfa(int *min_match_len, vector &perms_table, optflags const &opts, bool filedfa, - bool extended_perms); + bool extended_perms, bool prompt); void *create_dfablob(size_t *size, int *min_match_len, vector &perms_table, optflags const &opts, - bool filedfa, bool extended_perms); + bool filedfa, bool extended_perms, bool prompt); void *create_welded_dfablob(aare_rules *file_rules, size_t *size, int *min_match_len, size_t *new_start, vector &perms_table, optflags const &opts, - bool extended_perms); + bool extended_perms, bool prompt); }; #endif /* __LIBAA_RE_RULES_H */ diff --git a/parser/libapparmor_re/chfa.cc b/parser/libapparmor_re/chfa.cc index 64bfdbc8a..7a94b9f43 100644 --- a/parser/libapparmor_re/chfa.cc +++ b/parser/libapparmor_re/chfa.cc @@ -55,7 +55,7 @@ void CHFA::init_free_list(vector > &free_list, * permtable index flag */ CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts, - bool permindex): eq(eq) + bool permindex, bool prompt): eq(eq) { if (opts.dump & DUMP_DFA_TRANS_PROGRESS) fprintf(stderr, "Compressing HFA:\r"); @@ -110,11 +110,16 @@ CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts, accept[0] = dfa.nonmatching->idx; accept[1] = dfa.start->idx; } else { + uint32_t accept3; accept2.resize(max(dfa.states.size(), (size_t) 2)); dfa.nonmatching->map_perms_to_accept(accept[0], - accept2[0]); + accept2[0], + accept3, + prompt); dfa.start->map_perms_to_accept(accept[1], - accept2[1]); + accept2[1], + accept3, + prompt); } next_check.resize(max(optimal, (size_t) dfa.max_range)); free_list.resize(next_check.size()); 
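Review bot: The constructor comment that closes at this hunk's first context line (`* permtable index flag */`) documents `permindex` but says nothing about the new `prompt` parameter, which the constructor hands to State::map_perms_to_accept for every state. A line such as ` * @prompt: the rules use prompt permissions; passed to map_perms_to_accept to pick the PROMPT_COMPAT_DEV encoding` next to the existing permindex entry would keep the comment in step with the signature. The rest of the constructor is outside this hunk.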
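Review bot: `uint32_t accept3;` is declared uninitialized and only serves as a sink for the third out-parameter of map_perms_to_accept; its value is discarded after both calls, and the same dummy local appears again in @@ -131 and @@ -151. That means the CHFA path never stores the prompt permissions that accept3 carries; prompt information reaches this table only through accept2, which map_perms_to_accept fills from `perms.prompt` instead of `perms.audit` under PROMPT_COMPAT_DEV. If that is intended, a comment at the first declaration, `/* accept3 (prompt perms) is only consumed by the perms-table path; discarded here */`, would spare the next reader the same hunt, and a three-argument overload of map_perms_to_accept would remove the three dummy locals altogether. The enclosing constructor continues outside the hunk.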
@@ -131,12 +136,15 @@ CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts, if (!(opts.control & CONTROL_DFA_TRANS_HIGH)) { for (Partition::iterator i = dfa.states.begin(); i != dfa.states.end(); i++) { if (*i != dfa.nonmatching && *i != dfa.start) { + uint32_t accept3; insert_state(free_list, *i, dfa); if (permindex) accept[num.size()] = (*i)->idx; else (*i)->map_perms_to_accept(accept[num.size()], - accept2[num.size()]); + accept2[num.size()], + accept3, + prompt); num.insert(make_pair(*i, num.size())); } if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) { @@ -151,12 +159,15 @@ CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts, i != order.end(); i++) { if (i->second != dfa.nonmatching && i->second != dfa.start) { + uint32_t accept3; insert_state(free_list, i->second, dfa); if (permindex) accept[num.size()] = i->second->idx; else i->second->map_perms_to_accept(accept[num.size()], - accept2[num.size()]); + accept2[num.size()], + accept3, + prompt); num.insert(make_pair(i->second, num.size())); } if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) { @@ -484,7 +495,7 @@ void CHFA::flex_table(ostream &os) */ void CHFA::weld_file_to_policy(CHFA &file_chfa, size_t &new_start, - bool accept_idx, + bool accept_idx, bool prompt, vector &policy_perms, vector &file_perms) { diff --git a/parser/libapparmor_re/chfa.h b/parser/libapparmor_re/chfa.h index a8aaa585a..4fd7933ca 100644 --- a/parser/libapparmor_re/chfa.h +++ b/parser/libapparmor_re/chfa.h @@ -40,8 +40,7 @@ class CHFA { public: CHFA(void); CHFA(DFA &dfa, map &eq, optflags const &opts, - bool permindex); - + bool permindex, bool prompt); void dump(ostream & os); void flex_table(ostream &os); void init_free_list(vector > &free_list, @@ -51,7 +50,7 @@ class CHFA { void insert_state(vector > &free_list, State *state, DFA &dfa); void weld_file_to_policy(CHFA &file_chfa, size_t &new_start, - bool accept_idx, + bool accept_idx, bool prompt, vector &policy_perms, vector &file_perms); 
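Review bot: `bool prompt` is added to weld_file_to_policy's signature, but nothing in this commit reads it: chfa.cc's diffstat (17 insertions, 6 deletions) is fully accounted for by the five hunks shown, so the function body, which lies outside this hunk, is unchanged. Whatever the body does with the file DFA's accept entries it therefore still does without the flag, even though aare_rules.cc (@@ -414) now passes it. If the plumbing is intentionally ahead of its use, a comment beside the parameter such as `/* prompt: not yet consulted; accept entries are not re-mapped for PROMPT_COMPAT_DEV here */` would make that explicit, otherwise it should be wired through to the same map_perms_to_accept path the constructor uses.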
diff --git a/parser/libapparmor_re/hfa.cc b/parser/libapparmor_re/hfa.cc index 7e05d67ab..f9cee068d 100644 --- a/parser/libapparmor_re/hfa.cc +++ b/parser/libapparmor_re/hfa.cc @@ -1308,12 +1308,13 @@ void DFA::apply_equivalence_classes(map &eq) } void DFA::compute_perms_table_ent(State *state, size_t pos, - vector &perms_table) + vector &perms_table, + bool prompt) { uint32_t accept1, accept2, accept3; // until front end doesn't map the way it does - state->map_perms_to_accept(accept1, accept2, accept3); + state->map_perms_to_accept(accept1, accept2, accept3, prompt); if (filedfa) { state->idx = pos * 2; perms_table[pos*2] = compute_fperms_user(accept1, accept2, accept3); @@ -1324,7 +1325,7 @@ void DFA::compute_perms_table_ent(State *state, size_t pos, } } -void DFA::compute_perms_table(vector &perms_table) +void DFA::compute_perms_table(vector &perms_table, bool prompt) { size_t mult = filedfa ? 2 : 1; size_t pos = 2; @@ -1334,13 +1335,13 @@ void DFA::compute_perms_table(vector &perms_table) // nonmatching and start need to be 0 and 1 so handle outside of loop if (filedfa) - compute_perms_table_ent(nonmatching, 0, perms_table); - compute_perms_table_ent(start, 1, perms_table); + compute_perms_table_ent(nonmatching, 0, perms_table, prompt); + compute_perms_table_ent(start, 1, perms_table, prompt); for (Partition::iterator i = states.begin(); i != states.end(); i++) { if (*i == nonmatching || *i == start) continue; - compute_perms_table_ent(*i, pos, perms_table); + compute_perms_table_ent(*i, pos, perms_table, prompt); pos++; } } diff --git a/parser/libapparmor_re/hfa.h b/parser/libapparmor_re/hfa.h index 2c5ab15d6..1b3b69335 100644 --- a/parser/libapparmor_re/hfa.h +++ b/parser/libapparmor_re/hfa.h @@ -34,6 +34,8 @@ #include "expr-tree.h" #include "policy_compat.h" +#include "../rule.h" +extern int prompt_compat_mode; #define DiffEncodeFlag 1 
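Review bot: `extern int prompt_compat_mode;` is a hand-written declaration in hfa.h rather than one pulled from the header that owns the variable (its definition is not visible here), so a later change to the variable's type could compile cleanly in this translation unit and only surface at link time; the `#include "../rule.h"` beside it also ties the regex backend to the parser's directory layout. Since the commit already threads a `prompt` flag through every layer down to State::map_perms_to_accept (@@ -258), passing the effective compat mode, or a precomputed `prompt && prompt_compat_mode == PROMPT_COMPAT_DEV`, instead of the bare bool would remove both the global read and these two lines. Failing that, a comment naming the translation unit that defines `prompt_compat_mode` would at least tell a reader where the value is set.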
@@ -258,9 +260,13 @@ public: void flatten_relative(State *, int upper_bound); int apply_and_clear_deny(void) { return perms.apply_and_clear_deny(); } - void map_perms_to_accept(uint32_t &accept1, uint32_t &accept2, uint32_t &accept3) + void map_perms_to_accept(uint32_t &accept1, uint32_t &accept2, + uint32_t &accept3, bool prompt) { accept1 = perms.allow; + if (prompt && prompt_compat_mode == PROMPT_COMPAT_DEV) + accept2 = PACK_AUDIT_CTL(perms.prompt, perms.quiet & perms.deny); + else accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet & perms.deny); accept3 = perms.prompt; } @@ -358,8 +364,10 @@ public: void apply_equivalence_classes(map &eq); void compute_perms_table_ent(State *state, size_t pos, - vector &perms_table); - void compute_perms_table(vector &perms_table); + vector &perms_table, + bool prompt); + void compute_perms_table(vector &perms_table, + bool prompt); unsigned int diffcount; int oob_range; diff --git a/parser/parser.h b/parser/parser.h index 636ad92ee..30e45c33b 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -324,10 +324,6 @@ do { \ /* The parser fills this variable in automatically */ #define PROFILE_NAME_VARIABLE "profile_name" -#define PROMPT_COMPAT_IGNORE 0 -#define PROMPT_COMPAT_PERMSV2 1 -#define PROMPT_COMPAT_DEV 2 -#define PROMPT_COMPAT_PERMSV1 3 /* from parser_common.c */ extern uint32_t policy_version; diff --git a/parser/parser_regex.c b/parser/parser_regex.c index 968527603..3e0873b8d 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -578,7 +578,7 @@ build: * * we don't need to build xmatch for permstable32, so don't */ - prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, kernel_supports_permstable32 && !kernel_supports_permstable32_v1); + prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, false, false); delete rules; if (!prof->xmatch) return FALSE; 
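Review bot: Under `prompt && prompt_compat_mode == PROMPT_COMPAT_DEV` accept2 is packed from `perms.prompt` instead of `perms.audit`, so a state's audit bits are not encoded anywhere in the accept triple: accept1 is `perms.allow` and accept3 is again `perms.prompt`. An `audit` modifier on a rule in a prompt-using profile compiled for a PROMPT_COMPAT_DEV kernel would then be silently absent from the accept table, which matters for anyone who relies on that kernel's audit log for detection. If the dev ABI really does overload the audit field for prompt bits, the branch deserves a comment saying so, e.g. `/* PROMPT_COMPAT_DEV kernels read prompt bits from the audit field of accept2; audit bits are not encoded in this mode */`; if not, audit needs to be folded in rather than replaced. Hoisting the mode check to the caller would also avoid reading the global once per state.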
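Review bot: The `extended_perms` argument for the xmatch blob changes from `kernel_supports_permstable32 && !kernel_supports_permstable32_v1` to `false`, a behaviour change that the commit message ("pass prompt info down") does not mention; the context comment just above (`we don't need to build xmatch for permstable32, so don't`) suggests it is deliberate, but it belongs in its own commit or at least in the description. The three trailing positional bools are also unreadable at the call site; `parseopts, /*filedfa=*/false, /*extended_perms=*/false, /*prompt=*/false);` documents them in place. The enclosing function begins outside the hunk.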
@@ -785,7 +785,8 @@ int process_profile_regex(Profile *prof) prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size, &xmatch_len, prof->dfa.perms_table, parseopts, true, - prof->uses_prompt_rules && kernel_supports_permstable32); + prof->uses_prompt_rules && kernel_supports_permstable32, + prof->uses_prompt_rules); delete prof->dfa.rules; prof->dfa.rules = NULL; if (!prof->dfa.dfa) @@ -1149,7 +1150,8 @@ int process_profile_policydb(Profile *prof) &xmatch_len, &prof->policy.file_start, prof->policy.perms_table, parseopts, - kernel_supports_permstable32_v1); + kernel_supports_permstable32_v1, + prof->uses_prompt_rules); delete prof->policy.rules; delete prof->dfa.rules; prof->policy.rules = NULL; @@ -1165,7 +1167,8 @@ int process_profile_policydb(Profile *prof) &xmatch_len, prof->policy.perms_table, parseopts, false, - prof->uses_prompt_rules && kernel_supports_permstable32); + prof->uses_prompt_rules && kernel_supports_permstable32, + prof->uses_prompt_rules); delete prof->policy.rules; prof->policy.rules = NULL; diff --git a/parser/rule.h b/parser/rule.h index 3d2d2946f..27468cdac 100644 --- a/parser/rule.h +++ b/parser/rule.h @@ -27,6 +27,12 @@ using namespace std; +#define PROMPT_COMPAT_IGNORE 0 +#define PROMPT_COMPAT_PERMSV2 1 +#define PROMPT_COMPAT_DEV 2 +#define PROMPT_COMPAT_PERMSV1 3 + + class Profile; #define RULE_NOT_SUPPORTED 0
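Review bot: `prof->uses_prompt_rules` is passed as `prompt` unconditionally while the adjacent `extended_perms` argument is gated on `kernel_supports_permstable32` (and on `kernel_supports_permstable32_v1` alone in @@ -1149); the same pattern repeats in @@ -1165. Whether a prompt-using profile on a kernel without permstable32 gets the PROMPT_COMPAT_DEV accept encoding therefore depends entirely on the `prompt_compat_mode` check inside State::map_perms_to_accept, which is not visible from these call sites. A short comment at the first site, `/* prompt: compat-mode gating happens in State::map_perms_to_accept */`, or a named local `bool prompt = prof->uses_prompt_rules;` declared once per function and used at each site, would make that dependency visible. Both enclosing functions start and end outside the hunks.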
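Review bot: The relocated PROMPT_COMPAT_* values are plain integer macros in a header that is otherwise C++ (`class Profile;` follows two lines below), and `prompt_compat_mode` is compared against them as an `int` in hfa.h; `enum prompt_compat { PROMPT_COMPAT_IGNORE = 0, PROMPT_COMPAT_PERMSV2 = 1, PROMPT_COMPAT_DEV = 2, PROMPT_COMPAT_PERMSV1 = 3 };` would keep the names and values while presenting them as one value set. The hunk also adds two consecutive blank lines after the block where a single one matches the surrounding spacing.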