From c70710d4c717f967bf94e07d5ce159b37a108161 Mon Sep 17 00:00:00 2001
From: Tyler Hicks
Date: Fri, 27 Sep 2013 17:27:23 -0700
Subject: [PATCH] parser: Clean up dbus accept state bitmasks

AppArmor dbus rules are split into two classes. The first is (send receive) rules and the second is bind rules. When the parser was creating its internal representation of dbus rules, it wasn't separating the overlapping bitmasks for (send receive) perms and bind perms. (send receive) perms are 0x06 and bind perms are 0x40.

Here's the old parser output for an audit dbus rule that has accept states for (send receive) and for bind:

$ dbus="/t { audit dbus, }"
$ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
{3} (0x 40/0/40/0)
{7} (0x 46/0/46/0)

The {3} state is the accept state for the bind perms. The {7} state is the accept state for the (send receive) perms. Note that the bind perm mask bled over into the (send receive) accept state's mask.

With this patch, the masks for the two accept states do not overlap:

$ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
{3} (0x 40/0/40/0)
{7} (0x 6/0/6/0)

Additionally, this patch makes the rule creation for (send receive) perms more strict to keep any future perm bits from unintentionally slipping into the (send receive) accept states.

Signed-off-by: Tyler Hicks
Acked-by: John Johansen
---
 parser/parser_regex.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index eba01d2b4..414489d63 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -1112,11 +1112,17 @@ static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry } if (entry->mode & AA_DBUS_BIND) { - if (!aare_add_rule_vec(dfarules, entry->deny, entry->mode & AA_DBUS_BIND, entry->audit & AA_DBUS_BIND, 2, vec, dfaflags)) + if (!aare_add_rule_vec(dfarules, entry->deny, + entry->mode & AA_DBUS_BIND, + entry->audit & AA_DBUS_BIND, + 2, vec, dfaflags)) goto fail; } - if (entry->mode & ~AA_DBUS_BIND) { - if (!aare_add_rule_vec(dfarules, entry->deny, entry->mode, entry->audit, 6, vec, dfaflags)) + if (entry->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) { + if (!aare_add_rule_vec(dfarules, entry->deny, + entry->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE), + entry->audit & (AA_DBUS_SEND | AA_DBUS_RECEIVE), + 6, vec, dfaflags)) goto fail; } return TRUE;
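Review bot: the new test `if (entry->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE))` together with the masked `mode` and `audit` arguments now silently drops any permission bit that is neither AA_DBUS_BIND, AA_DBUS_SEND nor AA_DBUS_RECEIVE, whereas the old `if (entry->mode & ~AA_DBUS_BIND)` path at least encoded such a bit into the DFA; since the stated intent is to keep future perm bits from slipping into the (send receive) accept states, consider rejecting unknown bits explicitly (a check that `entry->mode & ~(AA_DBUS_BIND | AA_DBUS_SEND | AA_DBUS_RECEIVE)` is zero, otherwise `goto fail`) so that a permission added later without updating process_dbus_entry fails loudly instead of vanishing from the policy. Two smaller points on the same hunk: `entry->deny` is passed unmasked to both aare_add_rule_vec calls while `mode` and `audit` are masked per class, which is fine if deny is a plain flag but should get the same mask if it is a per-permission bitmask; and `(AA_DBUS_SEND | AA_DBUS_RECEIVE)` is now repeated three times, so a local mask variable or a macro beside the AA_DBUS_* definitions would keep this branch symmetric with the AA_DBUS_BIND branch above it and avoid the three drifting apart.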