mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00

parser: don't apply exec mapping computations to the policydb

v8 network permissions extend into the range used by exec mapping
so it is important to not blindly do execmapping on both the
file dfa and policydb dfa any more.

Track what type of dfa and its permissions we are building so
we can properly apply exec mapping only when building the
file dfa.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen
2020-07-07 09:42:41 -07:00
parent e92478a9c5
commit c9d01a325d
5 changed files with 37 additions and 28 deletions


@@ -195,7 +195,8 @@ bool aare_rules::append_rule(const char *rule, bool oob, bool with_perm,
* else NULL on failure, @min_match_len set to the shortest string
* that can match the dfa for determining xmatch priority.
*/
void *aare_rules::create_dfa(size_t *size, int *min_match_len, dfaflags_t flags)
void *aare_rules::create_dfa(size_t *size, int *min_match_len, dfaflags_t flags,
bool filedfa)
{
char *buffer = NULL;
@@ -249,7 +250,7 @@ void *aare_rules::create_dfa(size_t *size, int *min_match_len, dfaflags_t flags)
stringstream stream;
try {
DFA dfa(root, flags);
DFA dfa(root, flags, filedfa);
if (flags & DFA_DUMP_UNIQ_PERMS)
dfa.dump_uniq_perms("dfa");
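Review bot: The doc comment above `create_dfa` is not extended for the new `filedfa` parameter, and a bare bool gives no hint at a call site which DFA is being built. Per the commit message, exec mapping on the policydb would collide with the v8 network permission range, so a wrong value silently changes the compiled permissions. I would add a line such as `* @filedfa: true when building the file dfa (exec mapping is applied), false for the policydb dfa` to that comment. The declaration is not visible in this section; if it gives `filedfa` a default value, a policydb caller that was missed would keep the old behaviour with no diagnostic, so requiring the argument explicitly looks safer. Both the comment block and the body of `create_dfa` extend outside the visible hunks.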