Update permission mapping for changes made to the upstream kernel patch.

The changes are around how user data is handled. 1. permissions are mapped before data is matched 2. If data is to be mapped a AA_CONT_MATCH flag is set in the permissions which allows data matching to continue. 3. If data auditing is to occur the AA_AUDIT_MNT_DATA flag is set This allows better control over matching and auditing of data which can be binary and should not be matched or audited Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>
2025-09-01 23:05:11 +00:00 · 2012-03-15 12:54:34 -07:00
parent a11efe838a
commit c50858a877
2 changed files with 52 additions and 10 deletions
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -784,6 +784,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)

 	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_REMOUNT)
 	    && !entry->device && !entry->dev_type) {
+		int allow;
 		/* remount can't be conditional on device and type */
 		p = mntbuf;
 		/* rule class single byte header */
@@ -816,11 +817,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		vec[3] = flagsbuf;
 		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
 			goto fail;
-		vec[4] = optsbuf;
-		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
-				       entry->audit, 5, vec, dfaflags))
+
+		if (entry->opts)
+			allow = AA_MATCH_CONT;
+		else
+			allow = entry->allow;
+
+		/* rule for match without required data || data MATCH_CONT */
+		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+				       entry->audit | AA_AUDIT_MNT_DATA, 4,
+				       vec, dfaflags))
 			goto fail;
 		count++;
+
+		if (entry->opts) {
+			/* rule with data match required */
+			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+				goto fail;
+			vec[4] = optsbuf;
+			if (!aare_add_rule_vec(dfarules, entry->deny,
+					       entry->allow,
+					       entry->audit | AA_AUDIT_MNT_DATA,
+					       5, vec, dfaflags))
+				goto fail;
+			count++;
+		}
 	}
 	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND)
 	    && !entry->dev_type && !entry->opts) {
@@ -919,6 +940,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 	}
 	if ((entry->allow & AA_MAY_MOUNT) &&
 	    (entry->flags | entry->inv_flags) & ~MS_CMDS) {
+		int allow;
 		/* generic mount if flags are set that are not covered by
 		 * above commands
 		 */
@@ -944,13 +966,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
-		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
-			goto fail;
-		vec[4] = optsbuf;
-		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
-				       entry->audit, 5, vec, dfaflags))
+
+		if (entry->opts)
+			allow = AA_MATCH_CONT;
+		else
+			allow = entry->allow;
+
+		/* rule for match without required data || data MATCH_CONT */
+		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+				       entry->audit | AA_AUDIT_MNT_DATA, 4,
+				       vec, dfaflags))
 			goto fail;
 		count++;
+
+		if (entry->opts) {
+			/* rule with data match required */
+			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+				goto fail;
+			vec[4] = optsbuf;
+			if (!aare_add_rule_vec(dfarules, entry->deny,
+					       entry->allow,
+					       entry->audit | AA_AUDIT_MNT_DATA,
+					       5, vec, dfaflags))
+				goto fail;
+			count++;
+		}
 	}
 	if (entry->allow & AA_MAY_UMOUNT) {
 		p = mntbuf;