parser: refactor network to use rule class as its base.

There is one significant difference in the encoding of the network rules. Before this change, when the parser was encoding a "network," rule, it would generate an entry for every family and every type/protocol. After this patch the parser should generate an entry for every family, but the type/protocol is changed to .. in the pcre syntax. There should be no difference in behavior. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-08-30 22:05:27 +00:00 · 2023-06-26 14:39:39 -03:00
parent 11976c42e3
commit 820f1fb5f2
10 changed files with 315 additions and 301 deletions
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -857,80 +857,6 @@ int post_process_policydb_ents(Profile *prof)
 	return TRUE;
 }

-
-static bool gen_net_rule(Profile *prof, u16 family, unsigned int type_mask,
-			 bool audit, bool deny) {
-	std::ostringstream buffer;
-	std::string buf;
-
-	buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NETV8;
-	buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((family & 0xff00) >> 8);
-	buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (family & 0xff);
-	if (type_mask > 0xffff) {
-		buffer << "..";
-	} else {
-		buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((type_mask & 0xff00) >> 8);
-		buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (type_mask & 0xff);
-	}
-	buf = buffer.str();
-	if (!prof->policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_VALID_NET_PERMS),
-					  audit ? map_perms(AA_VALID_NET_PERMS) : 0,
-					  parseopts))
-		return false;
-
-	return true;
-}
-
-static bool gen_af_rules(Profile *prof, u16 family, unsigned int type_mask,
-			  unsigned int audit_mask, bool deny)
-{
-	if (type_mask > 0xffff && audit_mask > 0xffff) {
-		/* instead of generating multiple rules wild card type */
-		return gen_net_rule(prof, family, type_mask, audit_mask, deny);
-	} else {
-		int t;
-		/* generate rules for types that are set */
-		for (t = 0; t < 16; t++) {
-			if (type_mask & (1 << t)) {
-				if (!gen_net_rule(prof, family, t,
-						  audit_mask & (1 << t),
-						  deny))
-					return false;
-			}
-		}
-	}
-
-	return true;
-}
-
-bool post_process_policydb_net(Profile *prof)
-{
-	u16 af;
-
-	/* no network rules defined so we don't have generate them */
-	if (!prof->net.allow)
-		return true;
-
-	/* generate rules if the af has something set */
-	for (af = AF_UNSPEC; af < get_af_max(); af++) {
-		if (prof->net.allow[af] ||
-		    prof->net.deny[af] ||
-		    prof->net.audit[af] ||
-		    prof->net.quiet[af]) {
-			if (!gen_af_rules(prof, af, prof->net.allow[af],
-					  prof->net.audit[af],
-					  false))
-				return false;
-			if (!gen_af_rules(prof, af, prof->net.deny[af],
-					  prof->net.quiet[af],
-					  true))
-				return false;
-		}
-	}
-
-	return true;
-}
-
 #define MAKE_STR(X) #X
 #define CLASS_STR(X) "\\d" MAKE_STR(X)
 #define MAKE_SUB_STR(X) "\\000" MAKE_STR(X)
@@ -959,9 +885,6 @@ int process_profile_policydb(Profile *prof)

 	if (!post_process_policydb_ents(prof))
 		goto out;
-	/* TODO: move to network class */
-	if (features_supports_networkv8 && !post_process_policydb_net(prof))
-		goto out;

 	/* insert entries to show indicate what compiler/policy expects
 	 * to be supported