Convert aare_rules into a class

This cleans things up a bit and fixes a bug where not all rules are getting properly counted so that the addition of policy_mediation rules fails to generate the policy dfa in some cases. Because the policy dfa is being generated correctly now we need to fix some tests to use the new -M flag to specify the expected features set of the test. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-08-28 21:07:56 +00:00 · 2014-04-23 10:57:16 -07:00 · 2014-04-23 10:57:16 -07:00 · f7e12a9bc5
commit f7e12a9bc5
parent 873ae31d29
7 changed files with 114 additions and 160 deletions
--- a/parser/dbus.c
+++ b/parser/dbus.c
@ -301,28 +301,26 @@ int dbus_rule::gen_policy_re(Profile &prof)
 	}
 	if (mode & AA_DBUS_BIND) {
-		if (!aare_add_rule_vec(prof.policy.rules, deny,
+		if (!prof.policy.rules->add_rule_vec(deny, mode & AA_DBUS_BIND,
 				       mode & AA_DBUS_BIND,
 						    audit & AA_DBUS_BIND,
 						    2, vec, dfaflags))
 			goto fail;
 	}
 	if (mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) {
-		if (!aare_add_rule_vec(prof.policy.rules, deny,
+		if (!prof.policy.rules->add_rule_vec(deny,
 				       mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
 				       audit & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
 				       6, vec, dfaflags))
 			goto fail;
 	}
 	if (mode & AA_DBUS_EAVESDROP) {
-		if (!aare_add_rule_vec(prof.policy.rules, deny,
+		if (!prof.policy.rules->add_rule_vec(deny,
 						    mode & AA_DBUS_EAVESDROP,
 						    audit & AA_DBUS_EAVESDROP,
 						    1, vec, dfaflags))
 			goto fail;
 	}
 	prof.policy.count++;
 	return RULE_OK;
 fail:
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@ -34,38 +34,20 @@
 #include "chfa.h"
 #include "../immunix.h"
 struct aare_ruleset {
 	int reverse;
 	Node *root;
 };
-aare_ruleset_t *aare_new_ruleset(int reverse)
+
 aare_rules::~aare_rules(void)
 {
-	aare_ruleset_t *container = (aare_ruleset_t *) malloc(sizeof(aare_ruleset_t));
+	if (root)
-	if (!container)
+		root->release();
 		return NULL;
 	container->root = NULL;
 	container->reverse = reverse;
 	return container;
 }
 void aare_delete_ruleset(aare_ruleset_t *rules)
 {
 	if (rules) {
 		if (rules->root)
 			rules->root->release();
 		free(rules);
 	}
 	aare_reset_matchflags();
 }
-int aare_add_rule(aare_ruleset_t *rules, const char *rule, int deny,
+bool aare_rules::add_rule(const char *rule, int deny, uint32_t perms,
-			     uint32_t perms, uint32_t audit, dfaflags_t flags)
+			  uint32_t audit, dfaflags_t flags)
 {
-	return aare_add_rule_vec(rules, deny, perms, audit, 1, &rule, flags);
+	return add_rule_vec(deny, perms, audit, 1, &rule, flags);
 }
 #define FLAGS_WIDTH 2
@ -94,8 +76,7 @@ void aare_reset_matchflags(void)
 #undef RESET_FLAGS
 }
-int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
+bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
 				 uint32_t perms, uint32_t audit,
 			      int count, const char **rulev, dfaflags_t flags)
 {
 	Node *tree = NULL, *accept;
@ -105,15 +86,15 @@ int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 	assert(perms != 0);
 	if (regex_parse(&tree, rulev[0]))
-		return 0;
+		return false;
 	for (int i = 1; i < count; i++) {
 		Node *subtree = NULL;
 		Node *node = new CharNode(0);
 		if (!node)
-			return 0;
+			return false;
 		tree = new CatNode(tree, node);
 		if (regex_parse(&subtree, rulev[i]))
-			return 0;
+			return false;
 		tree = new CatNode(tree, subtree);
 	}
@ -132,25 +113,14 @@ int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 			exact_match = 0;
 	}
-	if (rules->reverse)
+	if (reverse)
 		flip_tree(tree);
 /* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
 #define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
 //if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
 //      fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
-//if (perms & ALL_EXEC_TYPE)
+	/* the permissions set is assumed to be non-empty if any audit
 //    fprintf(stderr, "adding X rule %s 0x%x\n", rulev[0], perms);
 //if (audit)
 //fprintf(stderr, "adding rule with audit bits set: 0x%x %s\n", audit, rulev[0]);
 //if (perms & AA_CHANGE_HAT)
 //    fprintf(stderr, "adding change_hat rule %s\n", rulev[0]);
 /* the permissions set is assumed to be non-empty if any audit
 	 * bits are specified */
 	accept = NULL;
 	for (unsigned int n = 0; perms && n < (sizeof(perms) * 8); n++) {
@ -230,44 +200,44 @@ int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 		cerr << "\n\n";
 	}
-	if (rules->root)
+	if (root)
-		rules->root = new AltNode(rules->root, new CatNode(tree, accept));
+		root = new AltNode(root, new CatNode(tree, accept));
 	else
-		rules->root = new CatNode(tree, accept);
+		root = new CatNode(tree, accept);
-	return 1;
+	rule_count++;
 	return true;
 }
 /* create a dfa from the ruleset
 * returns: buffer contain dfa tables, @size set to the size of the tables
 *          else NULL on failure
 */
-void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
+void *aare_rules::create_dfa(size_t *size, dfaflags_t flags)
 				 dfaflags_t flags)
 {
 	char *buffer = NULL;
-	label_nodes(rules->root);
+	label_nodes(root);
 	if (flags & DFA_DUMP_TREE) {
 		cerr << "\nDFA: Expression Tree\n";
-		rules->root->dump(cerr);
+		root->dump(cerr);
 		cerr << "\n\n";
 	}
 	if (flags & DFA_CONTROL_TREE_SIMPLE) {
-		rules->root = simplify_tree(rules->root, flags);
+		root = simplify_tree(root, flags);
 		if (flags & DFA_DUMP_SIMPLE_TREE) {
 			cerr << "\nDFA: Simplified Expression Tree\n";
-			rules->root->dump(cerr);
+			root->dump(cerr);
 			cerr << "\n\n";
 		}
 	}
 	stringstream stream;
 	try {
-		DFA dfa(rules->root, flags);
+		DFA dfa(root, flags);
 		if (flags & DFA_DUMP_UNIQ_PERMS)
 			dfa.dump_uniq_perms("dfa");
--- a/parser/libapparmor_re/aare_rules.h
+++ b/parser/libapparmor_re/aare_rules.h
@ -24,26 +24,24 @@
 #include <stdint.h>
 #include "apparmor_re.h"
 #include "expr-tree.h"
-#ifdef __cplusplus
+class aare_rules {
-extern "C" {
+	Node *root;
-#endif
+public:
 	int reverse;
 	int rule_count;
 	aare_rules(): root(NULL), reverse(0), rule_count(0) { };
 	aare_rules(int reverse): root(NULL), reverse(reverse), rule_count(0) { };
 	~aare_rules();
-struct aare_ruleset;
+	bool add_rule(const char *rule, int deny, uint32_t perms,
 typedef struct aare_ruleset aare_ruleset_t;
 aare_ruleset_t *aare_new_ruleset(int reverse);
 void aare_delete_ruleset(aare_ruleset_t *rules);
 int aare_add_rule(aare_ruleset_t *rules, const char *rule, int deny, uint32_t perms,
 		      uint32_t audit, dfaflags_t flags);
-int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
+	bool add_rule_vec(int deny, uint32_t perms, uint32_t audit, int count,
-		      uint32_t audit, int count, const char **rulev,
+			  const char **rulev, dfaflags_t flags);
-		      dfaflags_t flags);
+	void *create_dfa(size_t *size, dfaflags_t flags);
-void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags);
+};
 void aare_reset_matchflags(void);
 #ifdef __cplusplus
 }
 #endif
 #endif				/* __LIBAA_RE_RULES_H */
--- a/parser/mount.c
+++ b/parser/mount.c
@ -629,7 +629,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			tmpallow = allow;
 		/* rule for match without required data || data MATCH_CONT */
-		if (!aare_add_rule_vec(prof.policy.rules, deny, tmpallow,
+		if (!prof.policy.rules->add_rule_vec(deny, tmpallow,
 					      audit | AA_AUDIT_MNT_DATA, 4,
 					      vec, dfaflags))
 			goto fail;
@ -641,8 +641,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			if (!build_mnt_opts(optsbuf, opts))
 				goto fail;
 			vec[4] = optsbuf.c_str();
-			if (!aare_add_rule_vec(prof.policy.rules, deny,
+			if (!prof.policy.rules->add_rule_vec(deny, allow,
 					       allow,
 						      audit | AA_AUDIT_MNT_DATA,
 						      5, vec, dfaflags))
 				goto fail;
@ -672,8 +671,8 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
-		if (!aare_add_rule_vec(prof.policy.rules, deny, allow,
+		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
-				       audit, 4, vec, dfaflags))
+						    dfaflags))
 			goto fail;
 		count++;
 	}
@ -701,8 +700,8 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
-		if (!aare_add_rule_vec(prof.policy.rules, deny, allow,
+		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
-				       audit, 4, vec, dfaflags))
+						    dfaflags))
 			goto fail;
 		count++;
 	}
@ -731,8 +730,8 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
-		if (!aare_add_rule_vec(prof.policy.rules, deny, allow,
+		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
-				       audit, 4, vec, dfaflags))
+						    dfaflags))
 			goto fail;
 		count++;
 	}
@ -771,7 +770,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			tmpallow = allow;
 		/* rule for match without required data || data MATCH_CONT */
-		if (!aare_add_rule_vec(prof.policy.rules, deny, tmpallow,
+		if (!prof.policy.rules->add_rule_vec(deny, tmpallow,
 					      audit | AA_AUDIT_MNT_DATA, 4,
 					      vec, dfaflags))
 			goto fail;
@ -783,8 +782,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			if (!build_mnt_opts(optsbuf, opts))
 				goto fail;
 			vec[4] = optsbuf.c_str();
-			if (!aare_add_rule_vec(prof.policy.rules, deny,
+			if (!prof.policy.rules->add_rule_vec(deny, allow,
 					       allow,
 						      audit | AA_AUDIT_MNT_DATA,
 						      5, vec, dfaflags))
 				goto fail;
@ -797,8 +795,8 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		if (!convert_entry(mntbuf, mnt_point))
 			goto fail;
 		vec[0] = mntbuf.c_str();
-		if (!aare_add_rule_vec(prof.policy.rules, deny, allow,
+		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 1, vec,
-				       audit, 1, vec, dfaflags))
+						    dfaflags))
 			goto fail;
 		count++;
 	}
@ -811,8 +809,8 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		if (!clear_and_convert_entry(devbuf, device))
 			goto fail;
 		vec[1] = devbuf.c_str();
-		if (!aare_add_rule_vec(prof.policy.rules, deny, allow,
+		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 2, vec,
-				       audit, 2, vec, dfaflags))
+						    dfaflags))
 			goto fail;
 		count++;
 	}
@ -821,7 +819,6 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		/* didn't actually encode anything */
 		goto fail;
 	prof.policy.count++;
 	return RULE_OK;
 fail:
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@ -431,11 +431,11 @@ static int process_profile_name_xmatch(Profile *prof)
 		prof->xmatch_size = 0;
 	} else {
 		/* build a dfa */
-		aare_ruleset_t *rule = aare_new_ruleset(0);
+		aare_rules *rules = new aare_rules();
-		if (!rule)
+		if (!rules)
 			return FALSE;
-		if (!aare_add_rule(rule, tbuf.c_str(), 0, AA_MAY_EXEC, 0, dfaflags)) {
+		if (!rules->add_rule(tbuf.c_str(), 0, AA_MAY_EXEC, 0, dfaflags)) {
-			aare_delete_ruleset(rule);
+			delete rules;
 			return FALSE;
 		}
 		if (prof->altnames) {
@ -450,15 +450,14 @@ static int process_profile_name_xmatch(Profile *prof)
 					len = strlen(alt->name);
 				if (len < prof->xmatch_len)
 					prof->xmatch_len = len;
-				if (!aare_add_rule(rule, tbuf.c_str(), 0, AA_MAY_EXEC, 0, dfaflags)) {
+				if (!rules->add_rule(tbuf.c_str(), 0, AA_MAY_EXEC, 0, dfaflags)) {
-					aare_delete_ruleset(rule);
+					delete rules;
 					return FALSE;
 				}
 			}
 		}
-		prof->xmatch = aare_create_dfa(rule, &prof->xmatch_size,
+		prof->xmatch = rules->create_dfa(&prof->xmatch_size, dfaflags);
-					      dfaflags);
+		delete rules;
 		aare_delete_ruleset(rule);
 		if (!prof->xmatch)
 			return FALSE;
 	}
@ -466,7 +465,7 @@ static int process_profile_name_xmatch(Profile *prof)
 	return TRUE;
 }
-static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
+static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 {
 	std::string tbuf;
 	pattern_t ptype;
@ -498,12 +497,12 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 	 * entry of the pair
 	 */
 	if (entry->deny && (entry->mode & AA_LINK_BITS)) {
-		if (!aare_add_rule(dfarules, tbuf.c_str(), entry->deny,
+		if (!dfarules->add_rule(tbuf.c_str(), entry->deny,
 					entry->mode & ~AA_LINK_BITS,
 					entry->audit & ~AA_LINK_BITS, dfaflags))
 			return FALSE;
 	} else if (entry->mode & ~AA_CHANGE_PROFILE) {
-		if (!aare_add_rule(dfarules, tbuf.c_str(), entry->deny, entry->mode,
+		if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->mode,
 					entry->audit, dfaflags))
 			return FALSE;
 	}
@ -526,7 +525,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 			perms |= LINK_TO_LINK_SUBSET(perms);
 			vec[1] = "/[^/].*";
 		}
-		if (!aare_add_rule_vec(dfarules, entry->deny, perms, entry->audit & AA_LINK_BITS, 2, vec, dfaflags))
+		if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit & AA_LINK_BITS, 2, vec, dfaflags))
 			return FALSE;
 	}
 	if (entry->mode & AA_CHANGE_PROFILE) {
@ -545,12 +544,12 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 		vec[index++] = tbuf.c_str();
 		/* regular change_profile rule */
-		if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
+		if (!dfarules->add_rule_vec(0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
 			return FALSE;
 		/* onexec rules - both rules are needed for onexec */
-		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, 1, vec, dfaflags))
+		if (!dfarules->add_rule_vec(0, AA_ONEXEC, 0, 1, vec, dfaflags))
 			return FALSE;
-		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec, dfaflags))
+		if (!dfarules->add_rule_vec(0, AA_ONEXEC, 0, index, vec, dfaflags))
 			return FALSE;
 	}
 	return TRUE;
@ -560,15 +559,12 @@ int post_process_entries(Profile *prof)
 {
 	int ret = TRUE;
 	struct cod_entry *entry;
 	int count = 0;
 	list_for_each(prof->entries, entry) {
 		if (!process_dfa_entry(prof->dfa.rules, entry))
 			ret = FALSE;
 		count++;
 	}
 	prof->dfa.count = count;
 	return ret;
 }
@ -579,17 +575,17 @@ int process_profile_regex(Profile *prof)
 	if (!process_profile_name_xmatch(prof))
 		goto out;
-	prof->dfa.rules = aare_new_ruleset(0);
+	prof->dfa.rules = new aare_rules();
 	if (!prof->dfa.rules)
 		goto out;
 	if (!post_process_entries(prof))
 		goto out;
-	if (prof->dfa.count > 0) {
+	if (prof->dfa.rules->rule_count > 0) {
-		prof->dfa.dfa = aare_create_dfa(prof->dfa.rules, &prof->dfa.size,
+		prof->dfa.dfa = prof->dfa.rules->create_dfa(&prof->dfa.size,
 							    dfaflags);
-		aare_delete_ruleset(prof->dfa.rules);
+		delete prof->dfa.rules;
 		prof->dfa.rules = NULL;
 		if (!prof->dfa.dfa)
 			goto out;
@ -683,7 +679,7 @@ int process_profile_policydb(Profile *prof)
 {
 	int error = -1;
-	prof->policy.rules = aare_new_ruleset(0);
+	prof->policy.rules = new aare_rules();
 	if (!prof->policy.rules)
 		goto out;
@ -694,26 +690,21 @@ int process_profile_policydb(Profile *prof)
 	 * to be supported
 	 */
-	if (kernel_supports_mount) {
+	if (kernel_supports_mount &&
-		if (!aare_add_rule(prof->policy.rules, mediates_mount, 0, AA_MAY_READ, 0, dfaflags))
+	    !prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, dfaflags))
 			goto out;
-		prof->policy.count++;
+	if (kernel_supports_dbus &&
-	}
+	    !prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, dfaflags))
 	if (kernel_supports_dbus) {
 		if (!aare_add_rule(prof->policy.rules, mediates_dbus, 0, AA_MAY_READ, 0, dfaflags))
 		goto out;
-		prof->policy.count++;
+	if (prof->policy.rules->rule_count > 0) {
-	}
+		prof->policy.dfa = prof->policy.rules->create_dfa(&prof->policy.size, dfaflags);
-	if (prof->policy.count > 0) {
+		delete prof->policy.rules;
-		prof->policy.dfa = aare_create_dfa(prof->policy.rules,
+
 						  &prof->policy.size,
 						  dfaflags);
 		aare_delete_ruleset(prof->policy.rules);
 		prof->policy.rules = NULL;
 		if (!prof->policy.dfa)
 			goto out;
 	} else {
-		aare_delete_ruleset(prof->policy.rules);
+		delete prof->policy.rules;
 		prof->policy.rules = NULL;
 	}
@ -722,7 +713,7 @@ int process_profile_policydb(Profile *prof)
 	error = 0;
 out:
-	aare_delete_ruleset(prof->policy.rules);
+	delete prof->policy.rules;
 	prof->policy.rules = NULL;
 	return error;
--- a/parser/profile.cc
+++ b/parser/profile.cc
@ -67,11 +67,11 @@ Profile::~Profile()
 	for (RuleList::iterator i = rule_ents.begin(); i != rule_ents.end(); i++)
 		delete *i;
 	if (dfa.rules)
-		aare_delete_ruleset(dfa.rules);
+		delete dfa.rules;
 	if (dfa.dfa)
 		free(dfa.dfa);
 	if (policy.rules)
-		aare_delete_ruleset(policy.rules);
+		delete policy.rules;
 	if (policy.dfa)
 		free(policy.dfa);
 	if (xmatch)
--- a/parser/profile.h
+++ b/parser/profile.h
@ -18,6 +18,7 @@
 #include "parser.h"
 #include "rule.h"
 #include "libapparmor_re/aare_rules.h"
 class Profile;
@ -120,12 +121,11 @@ struct network {
 };
 struct dfa_stuff {
-	aare_ruleset_t *rules;
+	aare_rules *rules;
 	int count;
 	void *dfa;
 	size_t size;
-	dfa_stuff(void): rules(NULL), count(0), dfa(NULL), size(0) { }
+	dfa_stuff(void): rules(NULL), dfa(NULL), size(0) { }
 };
 class Profile {