mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

parser: Make xattr attachment generation conditional on kernel support

Browse Source 
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2019-08-17 05:02:13 -07:00
parent 9b0a98d00e
commit e5ea3e4a0d
4 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
parser/parser.h
View File

@ -309,6 +309,8 @@ extern int kernel_supports_signal;
extern int kernel_supports_ptrace; extern int kernel_supports_ptrace;
extern int kernel_supports_unix; extern int kernel_supports_unix;
extern int kernel_supports_stacking; extern int kernel_supports_stacking;
extern int kernel_supports_domain_xattr;
extern int kernel_supports_oob;
extern int conf_verbose; extern int conf_verbose;
extern int conf_quiet; extern int conf_quiet;
extern int names_only; extern int names_only;

2
parser/parser_common.c
View File

@ -74,6 +74,8 @@ int kernel_supports_diff_encode = 0; /* kernel supports diff_encode */
int kernel_supports_signal = 0; /* kernel supports signal rules */ int kernel_supports_signal = 0; /* kernel supports signal rules */
int kernel_supports_ptrace = 0; /* kernel supports ptrace rules */ int kernel_supports_ptrace = 0; /* kernel supports ptrace rules */
int kernel_supports_stacking = 0; /* kernel supports stacking */ int kernel_supports_stacking = 0; /* kernel supports stacking */
int kernel_supports_domain_xattr = 0; /* x attachment cond */
int kernel_supports_oob = 0; /* out of band transitions */
int conf_verbose = 0; int conf_verbose = 0;
int conf_quiet = 0; int conf_quiet = 0;
int names_only = 0; int names_only = 0;

4
parser/parser_main.c
View File

@ -788,6 +788,10 @@ static void set_supported_features(aa_features *kernel_features unused)
"policy/diff_encode"); "policy/diff_encode");
kernel_supports_stacking = aa_features_supports(compile_features, kernel_supports_stacking = aa_features_supports(compile_features,
"domain/stack"); "domain/stack");
kernel_supports_domain_xattr = aa_features_supports(compile_features,
"domain/attach_conditions/xattr");
kernel_supports_oob = aa_features_supports(compile_features,
"policy/outofband");
if (aa_features_supports(compile_features, "policy/versions/v7")) if (aa_features_supports(compile_features, "policy/versions/v7"))
kernel_abi_version = 7; kernel_abi_version = 7;

23
parser/parser_regex.c
View File

@ -457,6 +457,22 @@ char *get_xattr_value(struct cond_entry *entry)
return entry->vals->value; return entry->vals->value;
} }
/* do we want to warn once/profile or just once per compile?? */
static void warn_once_xattr(const char *name)
{
static const char *warned_name = NULL;
if ((warnflags & WARN_RULE_DOWNGRADED) && warned_name != name) {
cerr << "Warning from profile " << name << " (";
if (current_filename)
cerr << current_filename;
else
cerr << "stdin";
cerr << ") xattr attachment conditional ignored\n";
warned_name = name;
}
}
static int process_profile_name_xmatch(Profile *prof) static int process_profile_name_xmatch(Profile *prof)
{ {
std::string tbuf; std::string tbuf;
@ -508,6 +524,12 @@ static int process_profile_name_xmatch(Profile *prof)
} }
} }
if (prof->xattrs.list) { if (prof->xattrs.list) {
if (!(kernel_supports_domain_xattr && kernel_supports_oob)) {
warn_once_xattr(name);
free_cond_entry_list(prof->xattrs);
goto build;
}
for (entry = prof->xattrs.list; entry; entry = entry->next) { for (entry = prof->xattrs.list; entry; entry = entry->next) {
xattr_value = get_xattr_value(entry); xattr_value = get_xattr_value(entry);
if (!xattr_value) if (!xattr_value)
@ -529,6 +551,7 @@ static int process_profile_name_xmatch(Profile *prof)
} }
} }
} }
build:
prof->xmatch = rules->create_dfa(&prof->xmatch_size, &prof->xmatch_len, dfaflags); prof->xmatch = rules->create_dfa(&prof->xmatch_size, &prof->xmatch_len, dfaflags);
delete rules; delete rules;
if (!prof->xmatch) if (!prof->xmatch)