parser: don't apply exec mapping computations to the policydb

v8 network permissions extend into the range used by exec mapping so it is important to not blindly do execmapping on both the file dfa and policydb dfa any more. Track what type of dfa and its permissions we are building so we can properly apply exec mapping only when building the file dfa. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521 Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-31 06:16:03 +00:00 · 2020-07-07 09:42:41 -07:00
parent e92478a9c5
commit c9d01a325d
5 changed files with 37 additions and 28 deletions
--- a/parser/libapparmor_re/aare_rules.h
+++ b/parser/libapparmor_re/aare_rules.h
@@ -105,7 +105,8 @@ class aare_rules {
 	bool add_rule_vec(int deny, uint32_t perms, uint32_t audit, int count,
 			  const char **rulev, dfaflags_t flags, bool oob);
 	bool append_rule(const char *rule, bool oob, bool with_perm, dfaflags_t flags);
-	void *create_dfa(size_t *size, int *min_match_len, dfaflags_t flags);
+	void *create_dfa(size_t *size, int *min_match_len, dfaflags_t flags,
+			 bool filedfa);
 };

 #endif				/* __LIBAA_RE_RULES_H */