refactor: mount gen_policy_re

Do a minimal code refactoring (ie. no functional changes, just moving code,adding boiler plate and glue) in preparation to fix bug https://bugs.launchpad.net/apparmor/+bug/1597017 Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017 Signed-off-by: John Johansen <john.johansen@canonical.com> - rebased to bba1a023bf - fixed compiler warnings: <built-in>: In member function ‘int mnt_rule::gen_policy_new_mount(Profile&, int&, unsigned int, unsigned int)’: <built-in>: note: by argument 1 of type ‘const char*’ to ‘long unsigned int __builtin_strlen(const char*)’ declared here mount.cc:880:14: note: ‘class_mount_hdr’ declared here 880 | char class_mount_hdr[64]; Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>
2025-08-22 18:17:09 +00:00 · 2016-07-02 00:49:24 -07:00 · 2016-07-02 00:49:24 -07:00 · f17e43392b
commit f17e43392b
parent bba1a023bf
2 changed files with 290 additions and 173 deletions
--- a/parser/mount.cc
+++ b/parser/mount.cc
@ -583,7 +583,8 @@ void mnt_rule::warn_once(const char *name)
 	rule_t::warn_once(name, "mount rules not enforce");
 }

-int mnt_rule::gen_policy_re(Profile &prof)
+
+int mnt_rule::gen_policy_remount(Profile &prof, int &count)
 {
 	std::string mntbuf;
 	std::string devbuf;
@ -592,23 +593,11 @@ int mnt_rule::gen_policy_re(Profile &prof)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	int count = 0;
 	unsigned int tmpflags, tmpinv_flags;
-
-	if (!features_supports_mount) {
-		warn_once(prof.name);
-		return RULE_NOT_SUPPORTED;
-	}
+	int tmpallow;

 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);

-	/* a single mount rule may result in multiple matching rules being
-	 * created in the backend to cover all the possible choices
-	 */
-
-	if ((allow & AA_MAY_MOUNT) && (flags & MS_REMOUNT)
-	    && !device && !dev_type) {
-		int tmpallow;
 	/* remount can't be conditional on device and type */
 	/* rule class single byte header */
 	mntbuf.assign(class_mount_hdr);
@ -635,6 +624,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		tmpflags &= MS_REMOUNT_FLAGS;
 	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
 		goto fail;
+
 	vec[3] = flagsbuf;

 	if (opts)
@ -661,9 +651,26 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		count++;
 	}
-	}
-	if ((allow & AA_MAY_MOUNT) && (flags & MS_BIND)
-	    && !dev_type && !opts) {
+
+	return RULE_OK;
+
+fail:
+	return RULE_ERROR;
+}
+
+int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count)
+{
+	std::string mntbuf;
+	std::string devbuf;
+	std::string typebuf;
+	char flagsbuf[PATH_MAX + 3];
+	std::string optsbuf;
+	char class_mount_hdr[64];
+	const char *vec[5];
+	unsigned int tmpflags, tmpinv_flags;
+
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
+
 	/* bind mount rules can't be conditional on dev_type or data */
 	/* rule class single byte header */
 	mntbuf.assign(class_mount_hdr);
@ -689,10 +696,26 @@ int mnt_rule::gen_policy_re(Profile &prof)
 					     dfaflags, false))
 		goto fail;
 	count++;
-	}
-	if ((allow & AA_MAY_MOUNT) &&
-	    (flags & (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED))
-	    && !device && !dev_type && !opts) {
+
+	return RULE_OK;
+
+fail:
+	return RULE_ERROR;
+}
+
+int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count)
+{
+	std::string mntbuf;
+	std::string devbuf;
+	std::string typebuf;
+	char flagsbuf[PATH_MAX + 3];
+	std::string optsbuf;
+	char class_mount_hdr[64];
+	const char *vec[5];
+	unsigned int tmpflags, tmpinv_flags;
+
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
+
 	/* change type base rules can not be conditional on device,
 	 * device type or data
 	 */
@ -718,9 +741,26 @@ int mnt_rule::gen_policy_re(Profile &prof)
 					     dfaflags, false))
 		goto fail;
 	count++;
-	}
-	if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
-	    && !dev_type && !opts) {
+
+	return RULE_OK;
+
+fail:
+	return RULE_ERROR;
+}
+
+int mnt_rule::gen_policy_move_mount(Profile &prof, int &count)
+{
+	std::string mntbuf;
+	std::string devbuf;
+	std::string typebuf;
+	char flagsbuf[PATH_MAX + 3];
+	std::string optsbuf;
+	char class_mount_hdr[64];
+	const char *vec[5];
+	unsigned int tmpflags, tmpinv_flags;
+
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
+
 	/* mount move rules can not be conditional on dev_type,
 	 * or data
 	 */
@ -748,13 +788,27 @@ int mnt_rule::gen_policy_re(Profile &prof)
 					     dfaflags, false))
 		goto fail;
 	count++;
-	}
-	if ((allow & AA_MAY_MOUNT) &&
-	    (flags | inv_flags) & ~MS_CMDS) {
+
+	return RULE_OK;
+
+fail:
+	return RULE_ERROR;
+}
+
+int mnt_rule::gen_policy_new_mount(Profile &prof, int &count)
+{
+	std::string mntbuf;
+	std::string devbuf;
+	std::string typebuf;
+	char flagsbuf[PATH_MAX + 3];
+	std::string optsbuf;
+	char class_mount_hdr[64];
+	const char *vec[5];
+	unsigned int tmpflags, tmpinv_flags;
 	int tmpallow;
-		/* generic mount if flags are set that are not covered by
-		 * above commands
-		 */
+
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
+
 	/* rule class single byte header */
 	mntbuf.assign(class_mount_hdr);
 	if (!convert_entry(mntbuf, mnt_point))
@ -802,6 +856,64 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		count++;
 	}
+
+	return RULE_OK;
+
+fail:
+	return RULE_ERROR;
+}
+
+int mnt_rule::gen_policy_re(Profile &prof)
+{
+	std::string mntbuf;
+	std::string devbuf;
+	std::string typebuf;
+	char flagsbuf[PATH_MAX + 3];
+	std::string optsbuf;
+	char class_mount_hdr[64];
+	const char *vec[5];
+	int count = 0;
+	unsigned int tmpflags, tmpinv_flags;
+
+	if (!features_supports_mount) {
+		warn_once(prof.name);
+		return RULE_NOT_SUPPORTED;
+	}
+
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
+
+	/* a single mount rule may result in multiple matching rules being
+	 * created in the backend to cover all the possible choices
+	 */
+
+	if ((allow & AA_MAY_MOUNT) && (flags & MS_REMOUNT)
+	    && !device && !dev_type) {
+		if (gen_policy_remount(prof, count) == RULE_ERROR)
+			goto fail;
+	}
+	if ((allow & AA_MAY_MOUNT) && (flags & MS_BIND)
+	    && !dev_type && !opts) {
+		if (gen_policy_bind_mount(prof, count) == RULE_ERROR)
+			goto fail;
+	}
+	if ((allow & AA_MAY_MOUNT) &&
+	    (flags & (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED))
+	    && !device && !dev_type && !opts) {
+		if (gen_policy_change_mount_type(prof, count) == RULE_ERROR)
+			goto fail;
+	}
+	if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
+	    && !dev_type && !opts) {
+		if (gen_policy_move_mount(prof, count) == RULE_ERROR)
+			goto fail;
+	}
+	if ((allow & AA_MAY_MOUNT) &&
+	    (flags | inv_flags) & ~MS_CMDS) {
+		/* generic mount if flags are set that are not covered by
+		 * above commands
+		 */
+		if (gen_policy_new_mount(prof, count) == RULE_ERROR)
+			goto fail;
 	}
 	if (allow & AA_MAY_UMOUNT) {
 		/* rule class single byte header */
--- a/parser/mount.h
+++ b/parser/mount.h
@ -121,6 +121,11 @@


 class mnt_rule: public rule_t {
+	int gen_policy_remount(Profile &prof, int &count);
+	int gen_policy_bind_mount(Profile &prof, int &count);
+	int gen_policy_change_mount_type(Profile &prof, int &count);
+	int gen_policy_move_mount(Profile &prof, int &count);
+	int gen_policy_new_mount(Profile &prof, int &count);
 public:
 	char *mnt_point;
 	char *device;