update change_hats rules to generate rules for all hats
@@ -81,7 +81,6 @@
|
|||||||
#define AA_EXEC_INHERIT (AA_EXEC_MOD_1)
|
#define AA_EXEC_INHERIT (AA_EXEC_MOD_1)
|
||||||
#define AA_EXEC_PROFILE (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
|
#define AA_EXEC_PROFILE (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
|
||||||
#define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_2)
|
#define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_2)
|
||||||
#define AA_EXEC_LOCAL (AA_EXEC_MOD_2 | AA_EXEC_MOD_0)
|
|
||||||
|
|
||||||
#define AA_VALID_PERMS (AA_FILE_PERMS | AA_CHANGE_PROFILE)
|
#define AA_VALID_PERMS (AA_FILE_PERMS | AA_CHANGE_PROFILE)
|
||||||
|
|
||||||
|
@@ -1154,7 +1154,9 @@ TransitionTable::TransitionTable(DFA& dfa, map<uchar, uchar>& eq)
|
|||||||
for (States::iterator i = dfa.states.begin(); i != dfa.states.end(); i++) {
|
for (States::iterator i = dfa.states.begin(); i != dfa.states.end(); i++) {
|
||||||
uint32_t audit_ctl;
|
uint32_t audit_ctl;
|
||||||
accept[num[*i]] = accept_perms(*i, &audit_ctl);
|
accept[num[*i]] = accept_perms(*i, &audit_ctl);
|
||||||
accept2[num[*i]] = audit_ctl;
|
//if (accept[num[*i]] & AA_CHANGE_HAT)
|
||||||
|
// fprintf(stderr, "change_hat state %d - 0x%x\n", num[*i], accept[num[*i]]);
|
||||||
|
// accept2[num[*i]] = audit_ctl;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
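Review bot: The line `accept2[num[*i]] = audit_ctl;` is replaced by a commented-out copy of itself, so `audit_ctl` is still filled in by `accept_perms()` but never stored; if `accept2` is what the audit-control table is emitted from, every entry is left at whatever it was initialised to and audit flags silently stop reaching the kernel. If the table is no longer wanted, drop the `uint32_t audit_ctl;` local and the commented lines together; if it is still wanted, restore the assignment. The `//if (... & AA_CHANGE_HAT)` and `// fprintf(stderr, ...)` debug lines added here, in the accept_perms hunk and in the aare_add_rule_vec hunk are dead commented-out code and should be removed rather than committed. The TransitionTable constructor starts and ends outside the hunk.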
@@ -1584,6 +1586,10 @@ uint32_t accept_perms(State *state, uint32_t *audit_ctl)
|
|||||||
if (perms & ~AA_VALID_PERMS)
|
if (perms & ~AA_VALID_PERMS)
|
||||||
yyerror(_("Internal error accumulated invalid perm 0x%llx\n"), perms);
|
yyerror(_("Internal error accumulated invalid perm 0x%llx\n"), perms);
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
//if (perms & AA_CHANGE_HAT)
|
||||||
|
// fprintf(stderr, "change_hat 0x%x\n", perms);
|
||||||
|
|
||||||
return perms;
|
return perms;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1650,6 +1656,9 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
|
|||||||
//if (audit)
|
//if (audit)
|
||||||
//fprintf(stderr, "adding rule with audit bits set: 0x%x %s\n", audit, rulev[0]);
|
//fprintf(stderr, "adding rule with audit bits set: 0x%x %s\n", audit, rulev[0]);
|
||||||
|
|
||||||
|
//if (perms & AA_CHANGE_HAT)
|
||||||
|
// fprintf(stderr, "adding change_hat rule %s\n", rulev[0]);
|
||||||
|
|
||||||
/* the permissions set is assumed to be non-empty if any audit
|
/* the permissions set is assumed to be non-empty if any audit
|
||||||
* bits are specified */
|
* bits are specified */
|
||||||
accept = NULL;
|
accept = NULL;
|
||||||
|
@@ -232,9 +232,13 @@ int process_hat_variables(struct codomain *cod)
|
|||||||
|
|
||||||
#define CHANGEHAT_PATH "/proc/[0-9]*/attr/current"
|
#define CHANGEHAT_PATH "/proc/[0-9]*/attr/current"
|
||||||
|
|
||||||
/* add file rules to access /proc files to call change_hat() */
|
/* add file rules to access /proc files to call change_hat()
|
||||||
static void __add_hat_rules(const void *nodep, const VISIT value,
|
* add file rules to be able to change_hat, this restriction keeps
|
||||||
const int __unused depth)
|
* change_hat from being able to access local profiles that are not
|
||||||
|
* meant to be used as hats
|
||||||
|
*/
|
||||||
|
static void __add_hat_rules_parent(const void *nodep, const VISIT value,
|
||||||
|
const int __unused depth)
|
||||||
{
|
{
|
||||||
struct codomain **t = (struct codomain **) nodep;
|
struct codomain **t = (struct codomain **) nodep;
|
||||||
struct cod_entry *entry;
|
struct cod_entry *entry;
|
||||||
@@ -275,12 +279,54 @@ static void __add_hat_rules(const void *nodep, const VISIT value,
|
|||||||
}
|
}
|
||||||
add_entry_to_policy(*t, entry);
|
add_entry_to_policy(*t, entry);
|
||||||
*/
|
*/
|
||||||
twalk((*t)->hat_table, __add_hat_rules);
|
twalk((*t)->hat_table, __add_hat_rules_parent);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* add the same hat rules to the hats as the parent so that hats can
|
||||||
|
* change to sibling hats
|
||||||
|
*/
|
||||||
|
static void __add_hat_rules_hats(const void *nodep, const VISIT value,
|
||||||
|
const int __unused depth)
|
||||||
|
{
|
||||||
|
struct codomain **t = (struct codomain **) nodep;
|
||||||
|
|
||||||
|
if (value == preorder || value == endorder)
|
||||||
|
return;
|
||||||
|
|
||||||
|
/* don't add hat rules if a parent profile with no hats */
|
||||||
|
if (!(*t)->hat_table && !(*t)->parent)
|
||||||
|
return;
|
||||||
|
|
||||||
|
/* hat */
|
||||||
|
if ((*t)->parent) {
|
||||||
|
struct cod_entry *entry, *new_ent;
|
||||||
|
list_for_each((*t)->parent->entries, entry) {
|
||||||
|
if (entry->mode & AA_CHANGE_HAT) {
|
||||||
|
char *buffer = strdup(entry->name);
|
||||||
|
if (!buffer) {
|
||||||
|
PERROR("Memory allocation error\n");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
new_ent = new_entry(NULL, buffer,
|
||||||
|
AA_CHANGE_HAT, NULL);
|
||||||
|
if (!entry) {
|
||||||
|
PERROR("Memory allocation error\n");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
add_entry_to_policy((*t), new_ent);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
twalk((*t)->hat_table, __add_hat_rules_hats);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int add_hat_rules(void)
|
static int add_hat_rules(void)
|
||||||
{
|
{
|
||||||
twalk(policy_list, __add_hat_rules);
|
twalk(policy_list, __add_hat_rules_parent);
|
||||||
|
|
||||||
|
twalk(policy_list, __add_hat_rules_hats);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
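Review bot: The NULL check after `new_ent = new_entry(NULL, buffer, AA_CHANGE_HAT, NULL);` tests the wrong variable: `if (!entry)` looks at the loop cursor, which is always non-NULL inside `list_for_each`, so an allocation failure in new_entry() is never caught and a NULL `new_ent` reaches `add_entry_to_policy((*t), new_ent)`. It should read `if (!new_ent) {`. The new helpers keep the `__`-prefixed naming (`__add_hat_rules_parent`, `__add_hat_rules_hats`); identifiers beginning with a double underscore are reserved for the implementation in C, so `add_hat_rules_parent` and `add_hat_rules_hats` would be safer names. The rename hunk at process_hat_variables introduces the first of these names.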
@@ -178,10 +178,8 @@ profile: TOK_ID flags TOK_OPEN rules TOK_CLOSE
|
|||||||
yyerror(_("Memory allocation error."));
|
yyerror(_("Memory allocation error."));
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
if ($1[0] != '/')
|
if ($1[0] != '/')
|
||||||
yyerror(_("Profile names must begin with a '/'."));
|
yyerror(_("Profile names must begin with a '/'."));
|
||||||
*/
|
|
||||||
|
|
||||||
cod->name = $1;
|
cod->name = $1;
|
||||||
cod->flags = $2;
|
cod->flags = $2;
|
||||||
@@ -196,22 +194,25 @@ profile: TOK_ID flags TOK_OPEN rules TOK_CLOSE
|
|||||||
$$ = cod;
|
$$ = cod;
|
||||||
};
|
};
|
||||||
|
|
||||||
profile: TOK_COLON TOK_ID TOK_COLON TOK_ID flags TOK_OPEN rules TOK_CLOSE
|
profile: TOK_ID TOK_COLON TOK_ID flags TOK_OPEN rules TOK_CLOSE
|
||||||
{
|
{
|
||||||
struct codomain *cod = $7;
|
struct codomain *cod = $6;
|
||||||
PDEBUG("Matched: id (%s:%s) open rules close\n", $2, $4);
|
PDEBUG("Matched: id (%s:%s) open rules close\n", $1, $3);
|
||||||
if (!cod) {
|
if (!cod) {
|
||||||
yyerror(_("Memory allocation error."));
|
yyerror(_("Memory allocation error."));
|
||||||
}
|
}
|
||||||
|
|
||||||
cod->namespace = $2;
|
if ($3[0] != '/')
|
||||||
cod->name = $4;
|
yyerror(_("Profile names must begin with a '/'."));
|
||||||
cod->flags = $5;
|
|
||||||
|
cod->namespace = $1;
|
||||||
|
cod->name = $3;
|
||||||
|
cod->flags = $4;
|
||||||
if (force_complain)
|
if (force_complain)
|
||||||
cod->flags = force_complain_flags;
|
cod->flags = force_complain_flags;
|
||||||
|
|
||||||
PDEBUG("%s: flags='%s%s'\n",
|
PDEBUG("%s: flags='%s%s'\n",
|
||||||
$2,
|
$1,
|
||||||
cod->flags.complain ? "complain, " : "",
|
cod->flags.complain ? "complain, " : "",
|
||||||
cod->flags.audit ? "audit" : "");
|
cod->flags.audit ? "audit" : "");
|
||||||
|
|
||||||
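Review bot: The new `if ($3[0] != '/')` check validates the profile name but nothing validates `$1`, the namespace, and with the leading colon gone both are plain TOK_IDs, so a namespace token beginning with '/' is accepted silently. Mirroring the check with `if ($1[0] == '/') yyerror(_("Namespace names must not begin with a '/'."));` would keep the two forms distinct, unless the lexer already rejects such a token (not visible here). Replacing the `:ns:/name` rule rather than keeping it alongside the new one also means existing policies written in the old form no longer parse; if that is intended it deserves a mention in the commit message, and the same applies to the change_profile rule in the next hunk.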
@@ -813,11 +814,11 @@ change_profile: TOK_CHANGE_PROFILE TOK_ID TOK_END_OF_RULE
|
|||||||
$$ = entry;
|
$$ = entry;
|
||||||
};
|
};
|
||||||
|
|
||||||
change_profile: TOK_CHANGE_PROFILE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
|
change_profile: TOK_CHANGE_PROFILE TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
|
||||||
{
|
{
|
||||||
struct cod_entry *entry;
|
struct cod_entry *entry;
|
||||||
PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $3, $5);
|
PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $2, $4);
|
||||||
entry = new_entry($3, $5, AA_CHANGE_PROFILE, NULL);
|
entry = new_entry($2, $4, AA_CHANGE_PROFILE, NULL);
|
||||||
if (!entry)
|
if (!entry)
|
||||||
yyerror(_("Memory allocation error."));
|
yyerror(_("Memory allocation error."));
|
||||||
PDEBUG("change_profile.entry: (%s)\n", entry->name);
|
PDEBUG("change_profile.entry: (%s)\n", entry->name);
|
||||||
|
@@ -5,7 +5,7 @@
|
|||||||
# vim:syntax=subdomain
|
# vim:syntax=subdomain
|
||||||
# Last Modified: Sun Apr 17 19:44:44 2005
|
# Last Modified: Sun Apr 17 19:44:44 2005
|
||||||
#
|
#
|
||||||
:foo:/exists {
|
foo:/does/not/exist {
|
||||||
#include <includes/base>
|
#include <includes/base>
|
||||||
|
|
||||||
/usr/X11R6/lib/lib*so* rrr,
|
/usr/X11R6/lib/lib*so* rrr,
|
||||||
@@ -17,7 +17,7 @@
|
|||||||
/bin/echo uxuxuxuxux,
|
/bin/echo uxuxuxuxux,
|
||||||
}
|
}
|
||||||
|
|
||||||
:foo:/exists {
|
foo:/does/not/exist {
|
||||||
#include <includes/base>
|
#include <includes/base>
|
||||||
|
|
||||||
/usr/X11R6/lib/lib*so* rrr,
|
/usr/X11R6/lib/lib*so* rrr,
|
||||||
|
@@ -5,7 +5,7 @@
|
|||||||
# vim:syntax=subdomain
|
# vim:syntax=subdomain
|
||||||
# Last Modified: Sun Apr 17 19:44:44 2005
|
# Last Modified: Sun Apr 17 19:44:44 2005
|
||||||
#
|
#
|
||||||
:foo:/does/not/exist {
|
foo:/does/not/exist {
|
||||||
#include <includes/base>
|
#include <includes/base>
|
||||||
|
|
||||||
/usr/X11R6/lib/lib*so* rrr,
|
/usr/X11R6/lib/lib*so* rrr,
|
||||||
|
@@ -14,7 +14,7 @@
|
|||||||
/bin/ls ixixixix,
|
/bin/ls ixixixix,
|
||||||
}
|
}
|
||||||
|
|
||||||
:foo:/does/not/exist {
|
foo:/does/not/exist {
|
||||||
/usr/X11R6/lib/lib*so* rrr,
|
/usr/X11R6/lib/lib*so* rrr,
|
||||||
/does/not/exist r,
|
/does/not/exist r,
|
||||||
/var/log/messages www,
|
/var/log/messages www,
|
||||||
@@ -23,7 +23,7 @@
|
|||||||
/bin/ls ixixixix,
|
/bin/ls ixixixix,
|
||||||
}
|
}
|
||||||
|
|
||||||
:bar:/does/not/exist {
|
bar:/does/not/exist {
|
||||||
/usr/X11R6/lib/lib*so* rrr,
|
/usr/X11R6/lib/lib*so* rrr,
|
||||||
/does/not/exist r,
|
/does/not/exist r,
|
||||||
/var/log/messages www,
|
/var/log/messages www,
|
||||||
|
@@ -3,5 +3,5 @@
|
|||||||
#=EXRESULT PASS
|
#=EXRESULT PASS
|
||||||
#
|
#
|
||||||
/usr/bin/foo {
|
/usr/bin/foo {
|
||||||
change_profile :foo:/bin/foo,
|
change_profile foo:/bin/foo,
|
||||||
}
|
}
|
||||||
|