mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 22:35:35 +00:00
Code Issues Releases Wiki Activity

parser: don't apply exec mapping computations to the policydb

Browse Source 
v8 network permissions extend into the range used by exec mapping
so it is important to not blindly do execmapping on both the
file dfa and policydb dfa any more.

Track what type of dfa and its permissions we are building so
we can properly apply exec mapping only when building the
file dfa.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2020-07-07 09:42:41 -07:00
parent e92478a9c5
commit c9d01a325d
5 changed files with 37 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
parser/parser_regex.c
View File

@@ -557,7 +557,7 @@ static int process_profile_name_xmatch(Profile *prof)
}
}
build:
prof->xmatch = rules->create_dfa(&prof->xmatch_size, &prof->xmatch_len, dfaflags);
prof->xmatch = rules->create_dfa(&prof->xmatch_size, &prof->xmatch_len, dfaflags, true);
delete rules;
if (!prof->xmatch)
return FALSE;
@@ -755,7 +755,7 @@ int process_profile_regex(Profile *prof)
if (prof->dfa.rules->rule_count > 0) {
int xmatch_len = 0;
prof->dfa.dfa = prof->dfa.rules->create_dfa(&prof->dfa.size,
&xmatch_len, dfaflags);
&xmatch_len, dfaflags, true);
delete prof->dfa.rules;
prof->dfa.rules = NULL;
if (!prof->dfa.dfa)
@@ -973,7 +973,7 @@ int process_profile_policydb(Profile *prof)
if (prof->policy.rules->rule_count > 0) {
int xmatch_len = 0;
prof->policy.dfa = prof->policy.rules->create_dfa(&prof->policy.size,
&xmatch_len, dfaflags);
&xmatch_len, dfaflags, false);
delete prof->policy.rules;
prof->policy.rules = NULL;