mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 13:58:22 +00:00
Code Issues Releases Wiki Activity

parser: don't set xbits when using permstable32_v1

Browse Source 
The use of xbits can not pass verification so we need to leave them
off this makes the profile a leaf profile.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2023-04-23 21:14:18 -07:00
parent 5bd2271189
commit 89673d0c5e
6 changed files with 43 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
parser/libapparmor_re/policy_compat.cc
View File

@ -32,6 +32,8 @@
#include "policy_compat.h" #include "policy_compat.h"
#include "../perms.h" #include "../perms.h"
#include "../rule.h"
extern int prompt_compat_mode;
/* remap old accept table embedded permissions to separate permission table */ /* remap old accept table embedded permissions to separate permission table */
@ -131,9 +133,11 @@ struct aa_perms compute_fperms_user(uint32_t accept1, uint32_t accept2,
perms.prompt = map_old_perms(dfa_user_allow(accept3)); perms.prompt = map_old_perms(dfa_user_allow(accept3));
perms.audit = map_old_perms(dfa_user_audit(accept1, accept2)); perms.audit = map_old_perms(dfa_user_audit(accept1, accept2));
perms.quiet = map_old_perms(dfa_user_quiet(accept1, accept2)); perms.quiet = map_old_perms(dfa_user_quiet(accept1, accept2));
if (prompt_compat_mode != PROMPT_COMPAT_PERMSV1)
perms.xindex = dfa_user_xindex(accept1); perms.xindex = dfa_user_xindex(accept1);
compute_fperms_allow(&perms, accept1); compute_fperms_allow(&perms, accept1);
perms.prompt &= ~(perms.allow | perms.deny);
return perms; return perms;
} }
@ -146,9 +150,11 @@ struct aa_perms compute_fperms_other(uint32_t accept1, uint32_t accept2,
perms.prompt = map_old_perms(dfa_other_allow(accept3)); perms.prompt = map_old_perms(dfa_other_allow(accept3));
perms.audit = map_old_perms(dfa_other_audit(accept1, accept2)); perms.audit = map_old_perms(dfa_other_audit(accept1, accept2));
perms.quiet = map_old_perms(dfa_other_quiet(accept1, accept2)); perms.quiet = map_old_perms(dfa_other_quiet(accept1, accept2));
if (prompt_compat_mode != PROMPT_COMPAT_PERMSV1)
perms.xindex = dfa_other_xindex(accept1); perms.xindex = dfa_other_xindex(accept1);
compute_fperms_allow(&perms, accept1); compute_fperms_allow(&perms, accept1);
perms.prompt &= ~(perms.allow | perms.deny);
return perms; return perms;
} }

14
parser/parser_common.c
View File

@ -90,7 +90,7 @@ int kernel_supports_oob = 0; /* out of band transitions */
int kernel_supports_promptdev = 0; /* prompt via audit perms */ int kernel_supports_promptdev = 0; /* prompt via audit perms */
int kernel_supports_permstable32 = 0; /* extended permissions */ int kernel_supports_permstable32 = 0; /* extended permissions */
int kernel_supports_permstable32_v1 = 0; /* extended permissions */ int kernel_supports_permstable32_v1 = 0; /* extended permissions */
int prompt_compat_mode = 0; int prompt_compat_mode = PROMPT_COMPAT_UNKNOWN;
int conf_verbose = 0; int conf_verbose = 0;
int conf_quiet = 0; int conf_quiet = 0;
int names_only = 0; int names_only = 0;
@ -176,12 +176,19 @@ bool prompt_compat_mode_supported(int mode)
if (mode == PROMPT_COMPAT_PERMSV2 && if (mode == PROMPT_COMPAT_PERMSV2 &&
(kernel_supports_permstable32 && !kernel_supports_permstable32_v1)) (kernel_supports_permstable32 && !kernel_supports_permstable32_v1))
return true; return true;
/*
else if (mode == PROMPT_COMPAT_DEV && else if (mode == PROMPT_COMPAT_DEV &&
kernel_supports_promptdev) kernel_supports_promptdev)
return true; return true;
*/
else if (mode == PROMPT_COMPAT_FLAG &&
kernel_supports_permstable32)
return true;
/*
else if (mode == PROMPT_COMPAT_PERMSV1 && else if (mode == PROMPT_COMPAT_PERMSV1 &&
(kernel_supports_permstable32_v1)) (kernel_supports_permstable32_v1))
return true; return true;
*/
else if (mode == PROMPT_COMPAT_IGNORE) else if (mode == PROMPT_COMPAT_IGNORE)
return true; return true;
@ -194,6 +201,8 @@ int default_prompt_compat_mode()
return PROMPT_COMPAT_PERMSV2; return PROMPT_COMPAT_PERMSV2;
if (prompt_compat_mode_supported(PROMPT_COMPAT_DEV)) if (prompt_compat_mode_supported(PROMPT_COMPAT_DEV))
return PROMPT_COMPAT_DEV; return PROMPT_COMPAT_DEV;
if (prompt_compat_mode_supported(PROMPT_COMPAT_FLAG))
return PROMPT_COMPAT_FLAG;
if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV1)) if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV1))
return PROMPT_COMPAT_PERMSV1; return PROMPT_COMPAT_PERMSV1;
if (prompt_compat_mode_supported(PROMPT_COMPAT_IGNORE)) if (prompt_compat_mode_supported(PROMPT_COMPAT_IGNORE))
@ -207,6 +216,9 @@ void print_prompt_compat_mode(FILE *f)
case PROMPT_COMPAT_IGNORE: case PROMPT_COMPAT_IGNORE:
fprintf(f, "ignore"); fprintf(f, "ignore");
break; break;
case PROMPT_COMPAT_FLAG:
fprintf(f, "flag");
break;
case PROMPT_COMPAT_PERMSV2: case PROMPT_COMPAT_PERMSV2:
fprintf(f, "permsv2"); fprintf(f, "permsv2");
break; break;

14
parser/parser_main.c
View File

@ -795,13 +795,17 @@ static int process_arg(int c, char *optarg)
break; break;
case ARG_PROMPT_COMPAT: case ARG_PROMPT_COMPAT:
if (strcmp(optarg, "permsv2") == 0) { if (strcmp(optarg, "permsv2") == 0) {
prompt_compat_mode = PROMPT_COMPAT_PERMSV1; prompt_compat_mode = PROMPT_COMPAT_PERMSV2;
} else if (strcmp(optarg, "permsv1") == 0) { } else if (strcmp(optarg, "permsv1") == 0) {
prompt_compat_mode = PROMPT_COMPAT_PERMSV1; prompt_compat_mode = PROMPT_COMPAT_PERMSV1;
} else if (strcmp(optarg, "default") == 0) { } else if (strcmp(optarg, "default") == 0) {
prompt_compat_mode = default_prompt_compat_mode(); prompt_compat_mode = default_prompt_compat_mode();
} else if (strcmp(optarg, "dev") == 0) {
prompt_compat_mode = PROMPT_COMPAT_DEV;
} else if (strcmp(optarg, "ignore") == 0) { } else if (strcmp(optarg, "ignore") == 0) {
prompt_compat_mode = PROMPT_COMPAT_IGNORE; prompt_compat_mode = PROMPT_COMPAT_IGNORE;
} else if (strcmp(optarg, "flag") == 0) {
prompt_compat_mode = PROMPT_COMPAT_FLAG;
} else { } else {
PERROR("%s: Invalid --prompt-compat option '%s'\n", PERROR("%s: Invalid --prompt-compat option '%s'\n",
progname, optarg); progname, optarg);
@ -1571,15 +1575,17 @@ static bool get_kernel_features(struct aa_features **features)
kernel_supports_promptdev = aa_features_supports(*features, "policy/perms_compatprompt"); kernel_supports_promptdev = aa_features_supports(*features, "policy/perms_compatprompt");
kernel_supports_permstable32 = aa_features_supports(*features, "policy/permstable32"); kernel_supports_permstable32 = aa_features_supports(*features, "policy/permstable32");
if (kernel_supports_permstable32) { if (kernel_supports_permstable32) {
fprintf(stderr, "kernel supports prompt\n"); //fprintf(stderr, "kernel supports prompt\n");
} }
kernel_supports_permstable32_v1 = aa_features_supports(*features, "policy/permstable32/1"); kernel_supports_permstable32_v1 = aa_features_supports(*features, "policy/permstable32_version/0x000001");
if (kernel_supports_permstable32_v1) { if (kernel_supports_permstable32_v1) {
fprintf(stderr, "kernel supports prompt\n"); //fprintf(stderr, "kernel supports prompt_v1\n");
} }
/* set default prompt_compat_mode to the best that is supported */ /* set default prompt_compat_mode to the best that is supported */
if (prompt_compat_mode == PROMPT_COMPAT_UNKNOWN) {
prompt_compat_mode = default_prompt_compat_mode(); prompt_compat_mode = default_prompt_compat_mode();
}
if (!kernel_supports_diff_encode) if (!kernel_supports_diff_encode)
/* clear diff_encode because it is not supported */ /* clear diff_encode because it is not supported */
parseopts.control &= ~CONTROL_DFA_DIFF_ENCODE; parseopts.control &= ~CONTROL_DFA_DIFF_ENCODE;

3
parser/parser_policy.c
View File

@ -244,6 +244,9 @@ int post_process_profile(Profile *profile, int debug_only)
if (prompt_compat_mode == PROMPT_COMPAT_DEV && profile->uses_prompt_rules) if (prompt_compat_mode == PROMPT_COMPAT_DEV && profile->uses_prompt_rules)
profile->flags.flags |= FLAG_PROMPT_COMPAT; profile->flags.flags |= FLAG_PROMPT_COMPAT;
else if (prompt_compat_mode == PROMPT_COMPAT_FLAG && profile->uses_prompt_rules)
profile->flags.mode = MODE_PROMPT;
return error; return error;
} }

4
parser/parser_regex.c
View File

@ -785,7 +785,7 @@ int process_profile_regex(Profile *prof)
prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size, prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size,
&xmatch_len, prof->dfa.perms_table, &xmatch_len, prof->dfa.perms_table,
parseopts, true, parseopts, true,
prof->uses_prompt_rules && kernel_supports_permstable32, prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
prof->uses_prompt_rules); prof->uses_prompt_rules);
delete prof->dfa.rules; delete prof->dfa.rules;
prof->dfa.rules = NULL; prof->dfa.rules = NULL;
@ -1167,7 +1167,7 @@ int process_profile_policydb(Profile *prof)
&xmatch_len, &xmatch_len,
prof->policy.perms_table, prof->policy.perms_table,
parseopts, false, parseopts, false,
prof->uses_prompt_rules && kernel_supports_permstable32, prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
prof->uses_prompt_rules); prof->uses_prompt_rules);
delete prof->policy.rules; delete prof->policy.rules;

10
parser/rule.h
View File

@ -27,10 +27,12 @@
using namespace std; using namespace std;
#define PROMPT_COMPAT_IGNORE 0 #define PROMPT_COMPAT_UNKNOWN 0
#define PROMPT_COMPAT_PERMSV2 1 #define PROMPT_COMPAT_IGNORE 1
#define PROMPT_COMPAT_DEV 2 #define PROMPT_COMPAT_PERMSV2 2
#define PROMPT_COMPAT_PERMSV1 3 #define PROMPT_COMPAT_DEV 3
#define PROMPT_COMPAT_FLAG 4
#define PROMPT_COMPAT_PERMSV1 5
class Profile; class Profile;