mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 06:45:38 +00:00
Code Issues Releases Wiki Activity

fix

Browse Source 
- rc.apparmor.functions were not correctly removing profiles on replace and
  reload, also convert to using the module interface directly bypassing the
  parser.
- fix cx ->  named transitions
- fix apparmor_parser -N so that it emits hats as profiles under new kernel
  modules.  This is the correct behavior as hats are promoted to profiles.
This commit is contained in:
John Johansen
2008-06-04 07:24:38 +00:00
parent 3897c52414
commit be495f2125
4 changed files with 32 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
parser/parser.h
View File

@@ -271,6 +271,7 @@ extern int sd_serialize_profile(sd_serialize *p, struct codomain *cod,
extern void add_to_list(struct codomain *codomain); extern void add_to_list(struct codomain *codomain);
extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat); extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat);
extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry); extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry);
extern void post_process_nt_entries(struct codomain *cod);
extern int post_process_policy(void); extern int post_process_policy(void);
extern int process_hat_regex(struct codomain *cod); extern int process_hat_regex(struct codomain *cod);
extern int process_hat_variables(struct codomain *cod); extern int process_hat_variables(struct codomain *cod);

44
parser/parser_policy.c
View File

@@ -102,8 +102,7 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
if (!entry->namespace) { if (!entry->namespace) {
char *sub = strstr(entry->nt_name, "//"); char *sub = strstr(entry->nt_name, "//");
/* does the subprofile name match the rule */ /* does the subprofile name match the rule */
#if 0
/* disable cix checking as cod->name is not available. Need to rework */
if (sub && strncmp(cod->name, sub, sub - entry->nt_name) && if (sub && strncmp(cod->name, sub, sub - entry->nt_name) &&
strcmp(sub + 2, entry->name) == 0) { strcmp(sub + 2, entry->name) == 0) {
free(entry->nt_name); free(entry->nt_name);
@@ -129,7 +128,6 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
free(entry->nt_name); free(entry->nt_name);
entry->nt_name = name; entry->nt_name = name;
} }
#endif
} }
if (entry->namespace) { if (entry->namespace) {
name = malloc(strlen(entry->namespace) + strlen(entry->nt_name) + 3); name = malloc(strlen(entry->namespace) + strlen(entry->nt_name) + 3);
@@ -162,26 +160,34 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry) void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
{ {
if (entry->nt_name) {
int mode = 0;
int n = add_named_transition(cod, entry);
if (!n) {
PERROR("Profile %s has to many specified profile transitions.\n", cod->name);
exit(1);
}
if (entry->mode & AA_USER_EXEC)
mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT);
if (entry->mode & AA_OTHER_EXEC)
mode |= SHIFT_MODE(n << 10, AA_OTHER_SHIFT);
entry->mode = ((entry->mode & ~AA_ALL_EXEC_MODIFIERS) |
(mode & AA_ALL_EXEC_MODIFIERS));
entry->namespace = NULL;
entry->nt_name = NULL;
}
entry->next = cod->entries; entry->next = cod->entries;
cod->entries = entry; cod->entries = entry;
} }
void post_process_nt_entries(struct codomain *cod)
{
struct cod_entry *entry;
list_for_each(cod->entries, entry) {
if (entry->nt_name) {
int mode = 0;
int n = add_named_transition(cod, entry);
if (!n) {
PERROR("Profile %s has to many specified profile transitions.\n", cod->name);
exit(1);
}
if (entry->mode & AA_USER_EXEC)
mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT);
if (entry->mode & AA_OTHER_EXEC)
mode |= SHIFT_MODE(n << 10, AA_OTHER_SHIFT);
entry->mode = ((entry->mode & ~AA_ALL_EXEC_MODIFIERS) |
(mode & AA_ALL_EXEC_MODIFIERS));
entry->namespace = NULL;
entry->nt_name = NULL;
}
}
}
static void __merge_rules(const void *nodep, const VISIT value, static void __merge_rules(const void *nodep, const VISIT value,
const int __unused depth) const int __unused depth)
{ {

6
parser/parser_yacc.y
View File

@@ -224,6 +224,7 @@ profile: opt_profile_flag TOK_ID flags TOK_OPEN rules TOK_CLOSE
if (force_complain) if (force_complain)
cod->flags = force_complain_flags; cod->flags = force_complain_flags;
post_process_nt_entries(cod);
PDEBUG("%s: flags='%s%s'\n", PDEBUG("%s: flags='%s%s'\n",
$2, $2,
cod->flags.complain ? "complain, " : "", cod->flags.complain ? "complain, " : "",
@@ -245,7 +246,7 @@ profile: opt_profile_flag TOK_COLON TOK_ID TOK_COLON TOK_ID flags TOK_OPEN rules
cod->flags = $6; cod->flags = $6;
if (force_complain) if (force_complain)
cod->flags = force_complain_flags; cod->flags = force_complain_flags;
post_process_nt_entries(cod);
PDEBUG("%s: flags='%s%s'\n", PDEBUG("%s: flags='%s%s'\n",
$3, $3,
cod->flags.complain ? "complain, " : "", cod->flags.complain ? "complain, " : "",
@@ -1122,6 +1123,9 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
return entry; return entry;
} }
/* Note: NOT currently in use, used for
* /foo x -> { /bah, } style transitions
*/
void add_local_entry(struct codomain *cod) void add_local_entry(struct codomain *cod)
{ {
/* ugh this has to be called after the hat is attached to its parent */ /* ugh this has to be called after the hat is attached to its parent */

2
parser/rc.apparmor.functions
View File

@@ -426,7 +426,7 @@ __apparmor_restart() {
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX) MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST" sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do
echo "\"$profile\" {}" | $PARSER -R >/dev/null echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
done done
rm "$MODULE_PLIST" rm "$MODULE_PLIST"
rm "$PNAMES_LIST" rm "$PNAMES_LIST"