parser: add permission merging

By changing the compare function from each rule to use class_rule_t, instead of perms_rule_t, we temporarily ignore if permissions are different. If every rule attribute is the same, then the permissions can be merged. This is done at the perms_rule_t's level. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-08-22 18:17:09 +00:00 · 2023-07-10 17:58:08 -03:00 · 2023-07-10 17:58:08 -03:00 · cdb5e501d6
commit cdb5e501d6
parent 1279f85e4a
9 changed files with 24 additions and 8 deletions
--- a/parser/af_rule.h
+++ b/parser/af_rule.h
@ -80,7 +80,8 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		int res = perms_rule_t::cmp(rhs);
+		/* use class_rule_t instead of perms_rule_t to merge perms */
 		int res = class_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		af_rule const &trhs = (rule_cast<af_rule const &>(rhs));
--- a/parser/dbus.h
+++ b/parser/dbus.h
@ -65,7 +65,8 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		int res = perms_rule_t::cmp(rhs);
+		/* use class_rule_t instead of perms_rule_t to merge perms */
 		int res = class_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		dbus_rule const &trhs = (rule_cast<dbus_rule const &>(rhs));
--- a/parser/io_uring.h
+++ b/parser/io_uring.h
@ -52,7 +52,8 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		int res = perms_rule_t::cmp(rhs);
+		/* use class_rule_t instead of perms_rule_t to merge perms */
 		int res = class_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		return null_strcmp(label,
--- a/parser/mount.cc
+++ b/parser/mount.cc
@ -649,8 +649,8 @@ static int cmp_vec_int(std::vector<unsigned int> const &lhs,
 }
 int mnt_rule::cmp(rule_t const &rhs) const {
-		// for now don't do merging of perms, only exact match
+		/* use class_rule_t instead of perms_rule_t to merge perms */
-		int res = perms_rule_t::cmp(rhs);
+		int res = class_rule_t::cmp(rhs);
 		if (res != 0)
 			return res;
 		mnt_rule const &rhs_mnt = rule_cast<mnt_rule const &>(rhs);
--- a/parser/mqueue.h
+++ b/parser/mqueue.h
@ -110,7 +110,8 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		int res = perms_rule_t::cmp(rhs);
+		/* use class_rule_t instead of perms_rule_t to merge perms */
 		int res = class_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		mqueue_rule const &trhs = rule_cast<mqueue_rule const &>(rhs);
--- a/parser/ptrace.h
+++ b/parser/ptrace.h
@ -55,7 +55,8 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		int res = perms_rule_t::cmp(rhs);
+		/* use class_rule_t instead of perms_rule_t to merge perms */
 		int res = class_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		return null_strcmp(peer_label,
--- a/parser/rule.h
+++ b/parser/rule.h
@ -364,6 +364,15 @@ public:
 		return perms - (rule_cast<perms_rule_t const &>(rhs)).perms;
 	}
 	virtual bool merge(rule_t &rhs)
 	{
 		int res = class_rule_t::merge(rhs);
 		if (!res)
 			return res;
 		perms |= (rule_cast<perms_rule_t const &>(rhs)).perms;
 		return true;
 	};
 	/* defaut perms, override/mask off if none default used */
 	virtual ostream &dump(ostream &os) {
--- a/parser/signal.cc
+++ b/parser/signal.cc
@ -249,7 +249,8 @@ static int cmp_set_int(Signals const &lhs, Signals const &rhs)
 int signal_rule::cmp(rule_t const &rhs) const
 {
-	int res = perms_rule_t::cmp(rhs);
+	/* use class_rule_t instead of perms_rule_t to merge perms */
 	int res = class_rule_t::cmp(rhs);
 	if (res)
 		return res;
 	signal_rule const &trhs = rule_cast<signal_rule const &>(rhs);
--- a/parser/userns.h
+++ b/parser/userns.h
@ -47,6 +47,7 @@ public:
 	{
 		return perms_rule_t::cmp(rhs);
 	};
 	/* merge perms not required atm since there's only one permission */
 protected:
 	virtual void warn_once(const char *name) override;