
parser: add support for kernel 4.17 v8 networking

Make it so the parser can properly support network socket mediation
in the upstream kernel.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen
2018-07-24 04:40:25 -07:00
parent 82cfc9ccc5
commit e92478a9c5
8 changed files with 104 additions and 13 deletions


@@ -196,17 +196,11 @@ void unix_rule::downgrade_rule(Profile &prof) {
}
}
static uint32_t map_perms(uint32_t mask)
{
return (mask & 0x7f) |
((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT - 8)) |
((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) | /* 2 + (AA_OTHER_SHIFT - 20) */
((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */
}
void unix_rule::write_to_prot(std::ostringstream &buffer)
{
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NET;
int c = features_supports_networkv8 ? AA_CLASS_NETV8 : AA_CLASS_NET;
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << c;
writeu16(buffer, AF_UNIX);
if (sock_type)
writeu16(buffer, sock_type_n);
@@ -306,7 +300,7 @@ int unix_rule::gen_policy_re(Profile &prof)
*/
downgrade_rule(prof);
if (!features_supports_unix) {
if (features_supports_network) {
if (features_supports_network || features_supports_networkv8) {
/* only warn if we are building against a kernel
* that requires downgrading */
if (warnflags & WARN_RULE_DOWNGRADED)
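Review bot: In `unix_rule::write_to_prot` the class byte is now picked by `features_supports_networkv8`, but the local is named `c` and nothing records why v8 takes precedence when both network features are set. If the emitted class differs from the one the kernel matches on, the unix rule would presumably never match, so the choice deserves a descriptive name and a short why-comment, e.g. `const int net_class = features_supports_networkv8 ? AA_CLASS_NETV8 : AA_CLASS_NET;`, preceded by a comment that v8-capable kernels expect socket rules under the v8 class. The `features_supports_network || features_supports_networkv8` test in `gen_policy_re` relies on the same two flags. If other files in this commit repeat the selection (not visible here), a shared helper would keep the encoding consistent. The comment above the warning could also state that the downgraded rule is coarser than the unix rule it replaces, since the notice appears only when `WARN_RULE_DOWNGRADED` is set. Both function bodies continue outside the hunks shown.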