mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 07:15:18 +00:00
Code Issues Releases Wiki Activity

Allow the parser to load opensuse 11.0 style hats and newer 2.3 style hats

Browse Source
This commit is contained in:
John Johansen
2008-09-10 08:42:49 +00:00
parent f2dec0e337
commit ac88f71c63
3 changed files with 109 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
parser/parser.h
View File

@@ -166,6 +166,11 @@ struct var_string {
#define AARE_PCRE 1 #define AARE_PCRE 1
#define AARE_DFA 2 #define AARE_DFA 2
#define FLAG_CHANGEHAT_1_4 2
#define FLAG_CHANGEHAT_1_5 3
extern int flag_changehat_version;
#ifdef DEBUG #ifdef DEBUG
#define PDEBUG(fmt, args...) printf("parser: " fmt, ## args) #define PDEBUG(fmt, args...) printf("parser: " fmt, ## args)
#else #else

36
parser/parser_main.c
View File

@@ -46,6 +46,7 @@
#define PROC_MODULES "/proc/modules" #define PROC_MODULES "/proc/modules"
#define DEFAULT_APPARMORFS "/sys/kernel/security/" MODULE_NAME #define DEFAULT_APPARMORFS "/sys/kernel/security/" MODULE_NAME
#define MATCH_STRING "/sys/kernel/security/" MODULE_NAME "/matching" #define MATCH_STRING "/sys/kernel/security/" MODULE_NAME "/matching"
#define FLAGS_FILE "/sys/kernel/security/" MODULE_NAME "/features"
#define MOUNTED_FS "/proc/mounts" #define MOUNTED_FS "/proc/mounts"
#define PCRE "pattern=pcre" #define PCRE "pattern=pcre"
#define AADFA "pattern=aadfa" #define AADFA "pattern=aadfa"
@@ -67,8 +68,11 @@ int conf_quiet = 0;
char *subdomainbase = NULL; char *subdomainbase = NULL;
char *profilename; char *profilename;
char *match_string = NULL; char *match_string = NULL;
char *flags_string = NULL;
int regex_type = AARE_DFA; int regex_type = AARE_DFA;
char *profile_namespace = NULL; char *profile_namespace = NULL;
int flag_changehat_version = FLAG_CHANGEHAT_1_5;
extern int current_lineno; extern int current_lineno;
@@ -388,6 +392,37 @@ out:
return; return;
} }
static void get_flags_string(void) {
char *pos;
FILE *f = fopen(FLAGS_FILE, "r");
if (!f)
return;
flags_string = malloc(1024);
if (!flags_string)
goto fail;
if (!fgets(flags_string, 1024, f))
goto fail;
fclose(f);
pos = strstr(flags_string, "change_hat=");
if (pos) {
if (strncmp(pos, "change_hat=1.4", 14) == 0)
flag_changehat_version = FLAG_CHANGEHAT_1_4;
//fprintf(stderr, "flags string: %s\n", flags_string);
//fprintf(stderr, "changehat %d\n", flag_changehat_version);
}
return;
fail:
free(flags_string);
flags_string = NULL;
if (f)
fclose(f);
return;
}
/* return 1 --> PCRE should work fine /* return 1 --> PCRE should work fine
return 0 --> no PCRE support */ return 0 --> no PCRE support */
static int regex_support(void) { static int regex_support(void) {
@@ -467,6 +502,7 @@ int process_profile(int option, char *profilename)
/* Get the match string to determine type of regex support needed */ /* Get the match string to determine type of regex support needed */
get_match_string(); get_match_string();
get_flags_string();
retval = post_process_policy(); retval = post_process_policy();
if (retval != 0) { if (retval != 0) {

68
parser/parser_policy.c
View File

@@ -362,6 +362,28 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
if ((*t)->local) if ((*t)->local)
return; return;
/* add rule to grant permission to change_hat
* An opensuse 11.0, AA 2.3 requirement,
* rules are added to the parent of the hat
*/
if ((flag_changehat_version == FLAG_CHANGEHAT_1_4) &&
(*t)->parent) {
char *buffer = malloc(strlen((*t)->name) + 1);
if (!buffer) {
PERROR("Memory allocation error\n");
exit(1);
}
strcpy(buffer, (*t)->name);
entry = new_entry(NULL, buffer, AA_CHANGE_HAT, NULL);
if (!entry) {
PERROR("Memory allocation error\n");
exit(1);
}
add_entry_to_policy((*t)->parent, entry);
}
entry = new_entry(NULL, strdup(CHANGEHAT_PATH), AA_MAY_WRITE, NULL); entry = new_entry(NULL, strdup(CHANGEHAT_PATH), AA_MAY_WRITE, NULL);
if (!entry) { if (!entry) {
PERROR(_("ERROR adding hat access rule for profile %s\n"), PERROR(_("ERROR adding hat access rule for profile %s\n"),
@@ -373,10 +395,56 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
twalk((*t)->hat_table, __add_hat_rules_parent); twalk((*t)->hat_table, __add_hat_rules_parent);
} }
/* Deprecated: used to support changehat rules of AppArmor 2.3
* add the same hat rules to the hats as the parent so that hats can
* change to sibling hats
*/
static void __add_hat_rules_hats(const void *nodep, const VISIT value,
const int __unused depth)
{
struct codomain **t = (struct codomain **) nodep;
if (value == preorder || value == endorder)
return;
/* don't add hat rules if a parent profile with no hats */
if (!(*t)->hat_table && !(*t)->parent)
return;
/* don't add hat rules for local_profiles */
if ((*t)->local)
return;
/* hat */
if ((*t)->parent) {
struct cod_entry *entry, *new_ent;
list_for_each((*t)->parent->entries, entry) {
if (entry->mode & AA_CHANGE_HAT) {
char *buffer = strdup(entry->name);
if (!buffer) {
PERROR("Memory allocation error\n");
exit(1);
}
new_ent = new_entry(NULL, buffer,
AA_CHANGE_HAT, NULL);
if (!entry) {
PERROR("Memory allocation error\n");
exit(1);
}
add_entry_to_policy((*t), new_ent);
}
}
}
twalk((*t)->hat_table, __add_hat_rules_hats);
}
static int add_hat_rules(void) static int add_hat_rules(void)
{ {
twalk(policy_list, __add_hat_rules_parent); twalk(policy_list, __add_hat_rules_parent);
/* support hat rules of AppArmor 2.3 in opensuse 11.0 */
if (flag_changehat_version == FLAG_CHANGEHAT_1_4)
twalk(policy_list, __add_hat_rules_hats);
return 0; return 0;
} }