refactor: mount gen_policy_re

Do a minimal code refactoring (ie. no functional changes, just moving code,adding boiler plate and glue) in preparation to fix bug https://bugs.launchpad.net/apparmor/+bug/1597017 Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017 Signed-off-by: John Johansen <john.johansen@canonical.com> - rebased to bba1a023bf - fixed compiler warnings: <built-in>: In member function ‘int mnt_rule::gen_policy_new_mount(Profile&, int&, unsigned int, unsigned int)’: <built-in>: note: by argument 1 of type ‘const char*’ to ‘long unsigned int __builtin_strlen(const char*)’ declared here mount.cc:880:14: note: ‘class_mount_hdr’ declared here 880 | char class_mount_hdr[64]; Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>
2025-08-23 02:27:12 +00:00 · 2016-07-02 00:49:24 -07:00 · 2016-07-02 00:49:24 -07:00 · f17e43392b
commit f17e43392b
parent bba1a023bf
2 changed files with 290 additions and 173 deletions
--- a/parser/mount.cc
+++ b/parser/mount.cc
@ -583,7 +583,8 @@ void mnt_rule::warn_once(const char *name)
 	rule_t::warn_once(name, "mount rules not enforce");
 }
-int mnt_rule::gen_policy_re(Profile &prof)
+
 int mnt_rule::gen_policy_remount(Profile &prof, int &count)
 {
 	std::string mntbuf;
 	std::string devbuf;
@ -592,23 +593,11 @@ int mnt_rule::gen_policy_re(Profile &prof)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
 	int count = 0;
 	unsigned int tmpflags, tmpinv_flags;
-
+	int tmpallow;
 	if (!features_supports_mount) {
 		warn_once(prof.name);
 		return RULE_NOT_SUPPORTED;
 	}
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 	/* a single mount rule may result in multiple matching rules being
 	 * created in the backend to cover all the possible choices
 	 */
 	if ((allow & AA_MAY_MOUNT) && (flags & MS_REMOUNT)
 	    && !device && !dev_type) {
 		int tmpallow;
 	/* remount can't be conditional on device and type */
 	/* rule class single byte header */
 	mntbuf.assign(class_mount_hdr);
@ -635,6 +624,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		tmpflags &= MS_REMOUNT_FLAGS;
 	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
 		goto fail;
 	vec[3] = flagsbuf;
 	if (opts)
@ -661,9 +651,26 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		count++;
 	}
 	return RULE_OK;
 fail:
 	return RULE_ERROR;
 }
-	if ((allow & AA_MAY_MOUNT) && (flags & MS_BIND)
+
-	    && !dev_type && !opts) {
+int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count)
 {
 	std::string mntbuf;
 	std::string devbuf;
 	std::string typebuf;
 	char flagsbuf[PATH_MAX + 3];
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
 	unsigned int tmpflags, tmpinv_flags;
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 	/* bind mount rules can't be conditional on dev_type or data */
 	/* rule class single byte header */
 	mntbuf.assign(class_mount_hdr);
@ -689,10 +696,26 @@ int mnt_rule::gen_policy_re(Profile &prof)
 					     dfaflags, false))
 		goto fail;
 	count++;
 	return RULE_OK;
 fail:
 	return RULE_ERROR;
 }
-	if ((allow & AA_MAY_MOUNT) &&
+
-	    (flags & (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED))
+int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count)
-	    && !device && !dev_type && !opts) {
+{
 	std::string mntbuf;
 	std::string devbuf;
 	std::string typebuf;
 	char flagsbuf[PATH_MAX + 3];
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
 	unsigned int tmpflags, tmpinv_flags;
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 	/* change type base rules can not be conditional on device,
 	 * device type or data
 	 */
@ -718,9 +741,26 @@ int mnt_rule::gen_policy_re(Profile &prof)
 					     dfaflags, false))
 		goto fail;
 	count++;
 	return RULE_OK;
 fail:
 	return RULE_ERROR;
 }
-	if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
+
-	    && !dev_type && !opts) {
+int mnt_rule::gen_policy_move_mount(Profile &prof, int &count)
 {
 	std::string mntbuf;
 	std::string devbuf;
 	std::string typebuf;
 	char flagsbuf[PATH_MAX + 3];
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
 	unsigned int tmpflags, tmpinv_flags;
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 	/* mount move rules can not be conditional on dev_type,
 	 * or data
 	 */
@ -748,13 +788,27 @@ int mnt_rule::gen_policy_re(Profile &prof)
 					     dfaflags, false))
 		goto fail;
 	count++;
 	return RULE_OK;
 fail:
 	return RULE_ERROR;
 }
-	if ((allow & AA_MAY_MOUNT) &&
+
-	    (flags | inv_flags) & ~MS_CMDS) {
+int mnt_rule::gen_policy_new_mount(Profile &prof, int &count)
 {
 	std::string mntbuf;
 	std::string devbuf;
 	std::string typebuf;
 	char flagsbuf[PATH_MAX + 3];
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
 	unsigned int tmpflags, tmpinv_flags;
 	int tmpallow;
-		/* generic mount if flags are set that are not covered by
+
-		 * above commands
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
-		 */
+
 	/* rule class single byte header */
 	mntbuf.assign(class_mount_hdr);
 	if (!convert_entry(mntbuf, mnt_point))
@ -802,6 +856,64 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		count++;
 	}
 	return RULE_OK;
 fail:
 	return RULE_ERROR;
 }
 int mnt_rule::gen_policy_re(Profile &prof)
 {
 	std::string mntbuf;
 	std::string devbuf;
 	std::string typebuf;
 	char flagsbuf[PATH_MAX + 3];
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
 	int count = 0;
 	unsigned int tmpflags, tmpinv_flags;
 	if (!features_supports_mount) {
 		warn_once(prof.name);
 		return RULE_NOT_SUPPORTED;
 	}
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 	/* a single mount rule may result in multiple matching rules being
 	 * created in the backend to cover all the possible choices
 	 */
 	if ((allow & AA_MAY_MOUNT) && (flags & MS_REMOUNT)
 	    && !device && !dev_type) {
 		if (gen_policy_remount(prof, count) == RULE_ERROR)
 			goto fail;
 	}
 	if ((allow & AA_MAY_MOUNT) && (flags & MS_BIND)
 	    && !dev_type && !opts) {
 		if (gen_policy_bind_mount(prof, count) == RULE_ERROR)
 			goto fail;
 	}
 	if ((allow & AA_MAY_MOUNT) &&
 	    (flags & (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED))
 	    && !device && !dev_type && !opts) {
 		if (gen_policy_change_mount_type(prof, count) == RULE_ERROR)
 			goto fail;
 	}
 	if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
 	    && !dev_type && !opts) {
 		if (gen_policy_move_mount(prof, count) == RULE_ERROR)
 			goto fail;
 	}
 	if ((allow & AA_MAY_MOUNT) &&
 	    (flags | inv_flags) & ~MS_CMDS) {
 		/* generic mount if flags are set that are not covered by
 		 * above commands
 		 */
 		if (gen_policy_new_mount(prof, count) == RULE_ERROR)
 			goto fail;
 	}
 	if (allow & AA_MAY_UMOUNT) {
 		/* rule class single byte header */
--- a/parser/mount.h
+++ b/parser/mount.h
@ -121,6 +121,11 @@
 class mnt_rule: public rule_t {
 	int gen_policy_remount(Profile &prof, int &count);
 	int gen_policy_bind_mount(Profile &prof, int &count);
 	int gen_policy_change_mount_type(Profile &prof, int &count);
 	int gen_policy_move_mount(Profile &prof, int &count);
 	int gen_policy_new_mount(Profile &prof, int &count);
 public:
 	char *mnt_point;
 	char *device;