diff --git a/parser/parser.h b/parser/parser.h
index 6c1cc4fd5..1da5b875d 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -136,6 +136,11 @@ struct codomain {
 	int dfarule_count;
 	void *dfa;
 	size_t dfa_size;
+
+	aare_ruleset_t *policy_rules;
+	int policy_rule_count;
+	void *policy_dfa;
+	size_t policy_dfa_size;
 };
 
 struct sd_hat {
@@ -275,6 +280,8 @@ extern int process_regex(struct codomain *cod);
 extern int post_process_entry(struct cod_entry *entry);
 extern void reset_regex(void);
 
+extern int process_policydb(struct codomain *cod);
+
 /* parser_variable.c */
 extern int process_variables(struct codomain *cod);
 extern struct var_string *split_out_var(char *string);
@@ -348,6 +355,7 @@ extern void post_process_nt_entries(struct codomain *cod);
 extern int post_process_policy(int debug_only);
 extern int process_hat_regex(struct codomain *cod);
 extern int process_hat_variables(struct codomain *cod);
+extern int process_hat_policydb(struct codomain *cod);
 extern int post_merge_rules(void);
 extern int merge_hat_rules(struct codomain *cod);
 extern struct codomain *merge_policy(struct codomain *a, struct codomain *b);
diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index 6b6d57d0b..fdd610df1 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -59,6 +59,7 @@
 #define SUBDOMAIN_INTERFACE_VERSION 2
 #define SUBDOMAIN_INTERFACE_DFA_VERSION 5
+#define SUBDOMAIN_INTERFACE_POLICY_DB 16
 
 int sd_serialize_codomain(int option, struct codomain *cod);
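Review bot: The constant added in the parser_interface.c `@@ -59` hunk is spelled `SUBDOMAIN_INTERFACE_POLICY_DB`, but the commented-out version switch in the sd_serialize_top_profile hunk of the same file refers to `SUBDOMAIN_INTERFACE_POLICYDB`, so re-enabling that block as written would not compile. Settle on one spelling now, e.g. `#define SUBDOMAIN_INTERFACE_POLICYDB 16` to match the comment, or correct the comment. Until the bump is enabled the define is unused; a one-line comment such as `/* interface version that carries a "policydb" struct; not emitted yet */` would record why it is there.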
@@ -654,6 +655,15 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 	} else if (profile->network_allowed)
 		pwarn(_("profile %s network rules not enforced\n"), profile->name);
 
+	if (profile->policy_dfa && regex_type == AARE_DFA) {
+		if (!sd_write_struct(p, "policydb"))
+			return 0;
+		if (!sd_serialize_dfa(p, profile->policy_dfa, profile->policy_dfa_size))
+			return 0;
+		if (!sd_write_structend(p))
+			return 0;
+	}
+
 	/* either have a single dfa or lists of different entry types */
 	if (regex_type == AARE_DFA) {
 		if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
@@ -685,9 +695,13 @@ int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
 {
 	int version;
 
-	if (regex_type == AARE_DFA)
-		version = SUBDOMAIN_INTERFACE_DFA_VERSION;
-	else
+	if (regex_type == AARE_DFA) {
+		/* Not yet
+		if (profile->policy_dfa)
+			version = SUBDOMAIN_INTERFACE_POLICYDB;
+		else */
+		version = SUBDOMAIN_INTERFACE_DFA_VERSION;
+	} else
 		version = SUBDOMAIN_INTERFACE_VERSION;
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 1d459d968..0e4a85328 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -294,6 +294,33 @@ int process_hat_regex(struct codomain *cod)
 	return 0;
 }
 
+static void __process_policydb(const void *nodep, const VISIT value,
+			       const int __unused depth)
+{
+	struct codomain **t = (struct codomain **) nodep;
+
+	if (value == preorder || value == endorder)
+		return;
+
+	if (process_policydb(*t) != 0) {
+		PERROR(_("ERROR processing policydb rules for profile %s, failed to load\n"),
+		       (*t)->name);
+		exit(1);
+	}
+}
+
+int post_process_policydb(void)
+{
+	twalk(policy_list, __process_policydb);
+	return 0;
+}
+
+int process_hat_policydb(struct codomain *cod)
+{
+	twalk(cod->hat_table, __process_policydb);
+	return 0;
+}
+
 static void __process_variables(const void *nodep, const VISIT value,
 			       const int __unused depth)
 {
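Review bot: The new block in sd_serialize_profile emits a "policydb" struct whenever profile->policy_dfa is set, yet the version chosen in the following sd_serialize_top_profile hunk stays at SUBDOMAIN_INTERFACE_DFA_VERSION because the bump is commented out as "Not yet", so a serialized profile that carries the new struct is not distinguishable by version from one that does not. In this commit post_process_policydb_ents (parser_regex.c hunk) never adds a rule, so policy_dfa stays NULL and this branch is dead code for now. A comment at the top of the block, `/* emitted only once a policydb dfa is built; the interface version bump is still pending */`, would make the coupling explicit until the version switch lands. sd_serialize_profile continues outside the hunk.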
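Review bot: post_process_policydb is defined with external linkage but no prototype is added for it anywhere in the commit — the parser.h hunks declare only process_policydb and process_hat_policydb — and its one visible caller is post_process_policy later in this same file. Either add `extern int post_process_policydb(void);` to parser.h beside the other policydb declarations or define it as `static int post_process_policydb(void)`. Note also that __process_policydb calls exit(1) on failure while process_hat_policydb unconditionally returns 0, so the `goto out` that process_policydb takes on a non-zero return from process_hat_policydb can never fire; this appears to follow the existing __process_* helpers, but a comment on process_hat_policydb, `/* failures abort the parse in the callback; this never returns non-zero */`, would stop readers relying on that return value.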
@@ -706,6 +733,15 @@ int post_process_policy(int debug_only)
 		}
 	}
 
+	if (!debug_only) {
+		retval = post_process_policydb();
+		if (retval != 0) {
+			PERROR(_("%s: Errors found during policydb postprocess. Aborting.\n"),
+			       progname);
+			return retval;
+		}
+	}
+
 	return retval;
 }
 
@@ -731,6 +767,10 @@ void free_policy(struct codomain *cod)
 		aare_delete_ruleset(cod->dfarules);
 	if (cod->dfa)
 		free(cod->dfa);
+	if (cod->policy_rules)
+		aare_delete_ruleset(cod->policy_rules);
+	if (cod->policy_dfa)
+		free(cod->policy_dfa);
 	if (cod->name)
 		free(cod->name);
 	if (cod->attachment)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index f5de63a48..50a58363a 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -611,6 +611,48 @@ out:
 	return error;
 }
 
+int post_process_policydb_ents(struct codomain *cod)
+{
+	int ret = TRUE;
+	int count = 0;
+
+	/* Add fns for rules that should be added to policydb here */
+
+	cod->policy_rule_count = count;
+	return ret;
+}
+
+int process_policydb(struct codomain *cod)
+{
+	int error = -1;
+
+	if (regex_type == AARE_DFA) {
+		cod->policy_rules = aare_new_ruleset(0);
+		if (!cod->policy_rules)
+			goto out;
+	}
+	if (!post_process_policydb_ents(cod))
+		goto out;
+
+	if (regex_type == AARE_DFA && cod->policy_rule_count > 0) {
+		cod->policy_dfa = aare_create_dfa(cod->policy_rules,
+						  &cod->policy_dfa_size,
+						  dfaflags);
+		aare_delete_ruleset(cod->policy_rules);
+		cod->policy_rules = NULL;
+		if (!cod->policy_dfa)
+			goto out;
+	}
+
+	if (process_hat_policydb(cod) != 0)
+		goto out;
+
+	error = 0;
+
+out:
+	return error;
+}
+
 void reset_regex(void)
 {
 	aare_reset_matchflags();
diff --git a/parser/policydb.h b/parser/policydb.h
new file mode 100644
index 000000000..2d021a8d3
--- /dev/null
+++ b/parser/policydb.h
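Review bot: post_process_policydb_ents has external linkage but no prototype anywhere in this commit, and its only caller is process_policydb directly below it; declare it `static int post_process_policydb_ents(struct codomain *cod)` so the placeholder does not enter the global namespace. Separately, when policy_rule_count stays 0 — which it always does here, since the stub never increments count — the ruleset obtained from aare_new_ruleset is left hanging on cod->policy_rules until free_policy; releasing it inside process_policydb once no dfa is built keeps the allocation's lifetime local, e.g. `} else if (cod->policy_rules) { aare_delete_ruleset(cod->policy_rules); cod->policy_rules = NULL; }` following the dfa block. Whether aare_delete_ruleset accepts NULL is not visible here, hence the guard.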
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ */
+
+#ifndef __AA_POLICYDB_H
+#define __AA_POLICYDB_H
+
+/*
+ * Class of mediation types in the AppArmor policy db
+ */
+#define AA_CLASS_COND 0
+#define AA_CLASS_UNKNOWN 1
+#define AA_CLASS_FILE 2
+#define AA_CLASS_CAP 3
+#define AA_CLASS_NET 4
+#define AA_CLASS_RLIMITS 5
+#define AA_CLASS_DOMAIN 6
+#define AA_CLASS_MOUNT 7
+#define AA_CLASS_NS_DOMAIN 8
+#define AA_CLASS_PTRACE 9
+
+#define AA_CLASS_ENV 16
+
+#define AA_CLASS_DBUS 32
+#define AA_CLASS_X 33
+
+#endif /* __AA_POLICYDB_H */
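Review bot: The AA_CLASS_* values look like identifiers in a serialized format (the policy db written by sd_serialize_profile), yet nothing in the header says what they must agree with or why the numbering jumps from 9 to 16 and then 32; a comment above the list such as `/* class ids are part of the policy db format consumed by the kernel side; values and gaps are fixed, do not renumber or compact */` would stop a later cleanup from silently changing the wire meaning. That the consumer is the kernel is inferred from the surrounding code rather than visible here, so confirm before wording it that way. No file touched by this commit includes policydb.h, so the header is currently unreferenced.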