mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 06:45:38 +00:00
Code Issues Releases Wiki Activity

parser: Add prompt dev compat support

Browse Source 
Support mapping rule prompt via the audit bits in pre permtable32
kernels.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2023-04-23 16:04:23 -07:00
parent 1d0d1fd0c2
commit b4384d53e1
5 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
parser/parser.h
View File

@@ -326,7 +326,8 @@ do { \
#define PROMPT_COMPAT_IGNORE 0 #define PROMPT_COMPAT_IGNORE 0
#define PROMPT_COMPAT_PERMSV2 1 #define PROMPT_COMPAT_PERMSV2 1
#define PROMPT_COMPAT_PERMSV1 2 #define PROMPT_COMPAT_DEV 2
#define PROMPT_COMPAT_PERMSV1 3
/* from parser_common.c */ /* from parser_common.c */
extern uint32_t policy_version; extern uint32_t policy_version;
@@ -363,6 +364,7 @@ extern int features_supports_flag_interruptible;
extern int features_supports_flag_signal; extern int features_supports_flag_signal;
extern int features_supports_flag_error; extern int features_supports_flag_error;
extern int kernel_supports_oob; extern int kernel_supports_oob;
extern int kernel_supports_promptdev;
extern int kernel_supports_permstable32; extern int kernel_supports_permstable32;
extern int kernel_supports_permstable32_v1; extern int kernel_supports_permstable32_v1;
extern int prompt_compat_mode; extern int prompt_compat_mode;

9
parser/parser_common.c
View File

@@ -87,6 +87,7 @@ int features_supports_flag_interruptible = 0;
int features_supports_flag_signal = 0; int features_supports_flag_signal = 0;
int features_supports_flag_error = 0; int features_supports_flag_error = 0;
int kernel_supports_oob = 0; /* out of band transitions */ int kernel_supports_oob = 0; /* out of band transitions */
int kernel_supports_promptdev = 0; /* prompt via audit perms */
int kernel_supports_permstable32 = 0; /* extended permissions */ int kernel_supports_permstable32 = 0; /* extended permissions */
int kernel_supports_permstable32_v1 = 0; /* extended permissions */ int kernel_supports_permstable32_v1 = 0; /* extended permissions */
int prompt_compat_mode = 0; int prompt_compat_mode = 0;
@@ -175,6 +176,9 @@ bool prompt_compat_mode_supported(int mode)
if (mode == PROMPT_COMPAT_PERMSV2 && if (mode == PROMPT_COMPAT_PERMSV2 &&
(kernel_supports_permstable32 && !kernel_supports_permstable32_v1)) (kernel_supports_permstable32 && !kernel_supports_permstable32_v1))
return true; return true;
else if (mode == PROMPT_COMPAT_DEV &&
kernel_supports_promptdev)
return true;
else if (mode == PROMPT_COMPAT_PERMSV1 && else if (mode == PROMPT_COMPAT_PERMSV1 &&
(kernel_supports_permstable32_v1)) (kernel_supports_permstable32_v1))
return true; return true;
@@ -188,6 +192,8 @@ int default_prompt_compat_mode()
{ {
if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV2)) if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV2))
return PROMPT_COMPAT_PERMSV2; return PROMPT_COMPAT_PERMSV2;
if (prompt_compat_mode_supported(PROMPT_COMPAT_DEV))
return PROMPT_COMPAT_DEV;
if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV1)) if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV1))
return PROMPT_COMPAT_PERMSV1; return PROMPT_COMPAT_PERMSV1;
if (prompt_compat_mode_supported(PROMPT_COMPAT_IGNORE)) if (prompt_compat_mode_supported(PROMPT_COMPAT_IGNORE))
@@ -207,6 +213,9 @@ void print_prompt_compat_mode(FILE *f)
case PROMPT_COMPAT_PERMSV1: case PROMPT_COMPAT_PERMSV1:
fprintf(f, "permsv1"); fprintf(f, "permsv1");
break; break;
case PROMPT_COMPAT_DEV:
fprintf(stderr, "dev");
break;
default: default:
fprintf(f, "Unknown prompt compat mode '%d'", prompt_compat_mode); fprintf(f, "Unknown prompt compat mode '%d'", prompt_compat_mode);
} }

1
parser/parser_main.c
View File

@@ -1568,6 +1568,7 @@ static bool get_kernel_features(struct aa_features **features)
else if (aa_features_supports(*features, "policy/versions/v6")) else if (aa_features_supports(*features, "policy/versions/v6"))
kernel_abi_version = 6; kernel_abi_version = 6;
kernel_supports_promptdev = aa_features_supports(*features, "policy/perms_compatprompt");
kernel_supports_permstable32 = aa_features_supports(*features, "policy/permstable32"); kernel_supports_permstable32 = aa_features_supports(*features, "policy/permstable32");
if (kernel_supports_permstable32) { if (kernel_supports_permstable32) {
fprintf(stderr, "kernel supports prompt\n"); fprintf(stderr, "kernel supports prompt\n");

4
parser/parser_policy.c
View File

@@ -240,6 +240,10 @@ int post_process_profile(Profile *profile, int debug_only)
} }
error = post_process_policy_list(profile->hat_table, debug_only); error = post_process_policy_list(profile->hat_table, debug_only);
if (prompt_compat_mode == PROMPT_COMPAT_DEV && profile->uses_prompt_rules)
profile->flags.flags |= FLAG_PROMPT_COMPAT;
return error; return error;
} }

5
parser/profile.h
View File

@@ -149,6 +149,7 @@ static const char *find_error_name_mapping(int code)
#define FLAG_DEBUG1 2 #define FLAG_DEBUG1 2
#define FLAG_DEBUG2 4 #define FLAG_DEBUG2 4
#define FLAG_INTERRUPTIBLE 8 #define FLAG_INTERRUPTIBLE 8
#define FLAG_PROMPT_COMPAT 0x10
/* sigh, used in parse union so needs trivial constructors. */ /* sigh, used in parse union so needs trivial constructors. */
class flagvals { class flagvals {
@@ -236,6 +237,10 @@ public:
os << ", kill.signal=" << signal; os << ", kill.signal=" << signal;
if (error) if (error)
os << ", error=" << find_error_name_mapping(error); os << ", error=" << find_error_name_mapping(error);
if (flags & FLAG_PROMPT_COMPAT)
os << ", prompt_dev";
os << "\n"; os << "\n";
return os; return os;