
parser: add ability to specify anonymous ip

If an anonymous ip is specified, the port matches anything.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia 2024-03-14 18:23:12 -03:00
parent a0a0c88d9e
commit b01b9895e7
2 changed files with 15 additions and 6 deletions


@ -360,6 +360,10 @@ bool network_rule::parse_port(ip_conds &entry)
bool network_rule::parse_address(ip_conds &entry) bool network_rule::parse_address(ip_conds &entry)
{ {
if (strcmp(entry.sip, "anon") == 0) {
entry.is_anonymous = true;
return true;
}
entry.is_ip = true; entry.is_ip = true;
return parse_ip(entry.sip, &entry.ip); return parse_ip(entry.sip, &entry.ip);
} }
@ -616,14 +620,14 @@ std::list<std::ostringstream> copy_streams_list(std::list<std::ostringstream> &s
return streams_copy; return streams_copy;
} }
bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds entry, bool is_peer, bool is_cmd) bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd)
{ {
std::string buf; std::string buf;
perms_t cond_perms; perms_t cond_perms;
std::list<std::ostringstream> ip_streams; std::list<std::ostringstream> ip_streams;
for (auto &oss : streams) { for (auto &oss : streams) {
if (entry.is_port) { if (entry.is_port && !(entry.is_ip && entry.is_anonymous)) {
/* encode port type (privileged - 1, remote - 2, unprivileged - 0) */ /* encode port type (privileged - 1, remote - 2, unprivileged - 0) */
if (!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED) if (!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED)
oss << "\\x01"; oss << "\\x01";
@ -646,6 +650,9 @@ bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &st
if (entry.is_ip) { if (entry.is_ip) {
oss << gen_ip_cond(entry.ip); oss << gen_ip_cond(entry.ip);
streams.push_back(std::move(oss)); streams.push_back(std::move(oss));
} else if (entry.is_anonymous) {
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ANON_SIZE;
streams.push_back(std::move(oss));
} else { } else {
streams.splice(streams.end(), gen_all_ip_options(oss)); streams.splice(streams.end(), gen_all_ip_options(oss));
} }
@ -665,9 +672,9 @@ bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &st
parseopts)) parseopts))
return false; return false;
if (label) { if (label || is_peer) {
if (is_peer) if (!is_peer)
cond_perms = (AA_CONT_MATCH << 1); cond_perms = map_perms(perms);
oss << default_match_pattern; /* label - not used for now */ oss << default_match_pattern; /* label - not used for now */
oss << "\\x00"; /* null transition */ oss << "\\x00"; /* null transition */
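Review bot: The port guard added as `if (entry.is_port && !(entry.is_ip && entry.is_anonymous))` never fires for the anonymous case this commit introduces: parse_address returns before `entry.is_ip = true;` when sip is "anon", and the `else if (entry.is_anonymous)` branch further down is only reachable when is_ip is false, so an anonymous address still gets its port bytes encoded, contrary to the commit message. Unless is_ip is set by a caller outside these hunks, the guard should read `if (entry.is_port && !entry.is_anonymous) {`. Separately, `std::hex` applied to oss in the anonymous branch is a sticky stream flag that survives the move into streams, so any later numeric insertion into that stream would come out in hex; consider appending `<< std::dec` after ANON_SIZE. The new `if (label || is_peer)` block also drops the `cond_perms = (AA_CONT_MATCH << 1)` assignment for the peer case, which is fine only if cond_perms is assigned between its declaration and this point. gen_ip_conds starts at the second hunk and continues past the last one.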


@ -132,6 +132,8 @@ public:
uint16_t port; uint16_t port;
struct ip_address ip; struct ip_address ip;
bool is_anonymous = false;
void free_conds() { void free_conds() {
if (sip) if (sip)
free(sip); free(sip);
@ -184,7 +186,7 @@ public:
} }
}; };
bool gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds entry, bool is_peer, bool is_cmd); bool gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd);
bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask, unsigned int protocol); bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask, unsigned int protocol);
void set_netperm(unsigned int family, unsigned int type, unsigned int protocol); void set_netperm(unsigned int family, unsigned int type, unsigned int protocol);
void update_compat_net(void); void update_compat_net(void);