mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/parser/parser_merge.c

114 lines
2.7 KiB
C
Raw Normal View History

Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
/*
update copyright dates
2007-04-11 08:12:51 +00:00
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
* NOVELL (All rights reserved)
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc.
*/
#include <linux/unistd.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include "parser.h"
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
#include "profile.h"
[https://bugzilla.novell.com/show_bug.cgi?id=172061] This (updated) patch to trunk adds support for Px and Ux (toggle bprm_secure on exec) in the parser, As requested, lowercase p and u corresponds to an unfiltered environmnet on exec, uppercase will filter the environment. It applies after the 'm' patch. As a side effect, I tried to reduce the use of hardcoded characters in the debugging statements -- there are still a few warnings that have hard coded letters in them; not sure I can fix them all. This version issues a warning for every unsafe ux and issues a single warning for the first 'R', 'W', 'X', 'L', and 'I' it encounters, except when the "-q" or "--quiet" flag , "--remove" profile flag, or "-N" report names flags are passed. Unfortunately, it made the logic somewhat more convoluted. Wordsmithing improvements welcome.
2006-08-04 17:14:49 +00:00
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
static int file_comp(const void *c1, const void *c2)
{
struct cod_entry **e1, **e2;
e1 = (struct cod_entry **)c1;
e2 = (struct cod_entry **)c2;
add basic handling of profile namespaces
2007-11-16 09:18:48 +00:00
int res = 0;
fix bug where parser wasn't properly merging link rules, when a link pair was specified
2007-12-20 12:58:59 +00:00
if ((*e1)->link_name) {
if ((*e2)->link_name)
res = strcmp((*e1)->link_name, (*e2)->link_name);
else
return 1;
} else if ((*e2)->link_name) {
return -1;
}
if (res)
return res;
Add the ability to specify link subset test on a link pair, and fix a bug where link pairs could get improperly merged.
2008-03-13 16:49:10 +00:00
if ((*e1)->link_name)
parser: convert subset flag to a bool Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-09-08 02:50:31 -07:00
res = ((int) (*e2)->subset) - ((int) (*e1)->subset);
Add the ability to specify link subset test on a link pair, and fix a bug where link pairs could get improperly merged.
2008-03-13 16:49:10 +00:00
if (res)
return res;
parser: convert deny flag from bool to rule_mode We need to be able to support more rule types than allow and deny so convert to an enum. Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-09-09 01:42:51 -07:00
if ((*e1)->rule_mode != (*e2)->rule_mode)
return (*e1)->rule_mode < (*e2)->rule_mode ? -1 : 1;
Add Audit control to AppArmor through, the use of audit and deny key words. Deny is also used to subtract permissions from the profiles permission set. the audit key word can be prepended to any file, network, or capability rule, to force a selective audit when that rule is matched. Audit permissions accumulate just like standard permissions. eg. audit /bin/foo rw, will force an audit message when the file /bin/foo is opened for read or write. audit /etc/shadow w, /etc/shadow r, will force an audit message when /etc/shadow is opened for writing. The audit message is per permission bit so only opening the file for read access will not, force an audit message. audit can also be used in block form instead of prepending audit to every rule. audit { /bin/foo rw, /etc/shadow w, } /etc/shadow r, # don't audit r access to /etc/shadow the deny key word can be prepended to file, network and capability rules, to result in a denial of permissions when matching that rule. The deny rule specifically does 3 things - it gives AppArmor the ability to remember what has been denied so that the tools don't prompt for what has been denied in previous profiling sessions. - it subtracts globally from the allowed permissions. Deny permissions accumulate in the the deny set just as allow permissions accumulate then, the deny set is subtracted from the allow set. - it quiets known rejects. The default audit behavior of deny rules is to quiet known rejects so that audit logs are not flooded with already known rejects. To have known rejects logged prepend the audit keyword to the deny rule. Deny rules do not have a block form. eg. deny /foo/bar rw, audit deny /etc/shadow w, audit { deny owner /blah w, deny other /foo w, deny /etc/shadow w, }
2008-03-13 17:39:03 +00:00
parser: fixup audit struct to audit enum This removes the struct wrapper used in the previous patch to ensure that all uses are properly converted. Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-08-30 14:31:03 -07:00
if ((*e1)->audit != (*e2)->audit)
return (*e1)->audit < (*e2)->audit ? -1 : 1;
parser: Don't merge rules based on audit flags This is a step towards restructuring how "audit" is handled so we can add quiet support and push mapping of audit bits later. Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-06-09 14:47:52 -07:00
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
return strcmp((*e1)->name, (*e2)->name);
}
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
static int process_file_entries(Profile *prof)
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
{
parser: Clean up file entry processing Removes an unnecessary variable, simplifies and unifies some of the loop logic, and removes commented out code. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:59:00 -07:00
struct cod_entry *cur, *next;
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
struct cod_entry **table;
parser: Clean up file entry processing Removes an unnecessary variable, simplifies and unifies some of the loop logic, and removes commented out code. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:59:00 -07:00
int n, count = 0;
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
for (cur = prof->entries; cur; cur = cur->next)
parser: Clean up file entry processing Removes an unnecessary variable, simplifies and unifies some of the loop logic, and removes commented out code. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:59:00 -07:00
count++;
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (count < 2)
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
return 0;
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
Convert the parser to C++ This conversion is nothing more than what is required to get it to compile. Further improvements will come as the code is refactored. Unfortunately due to C++ not supporting designated initializers, the auto generation of af names needed to be reworked, and "netlink" and "unix" domain socket keywords leaked in. Since these where going to be added in separate patches I have not bothered to do the extra work to replace them with a temporary place holder. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: merged with dbus changes and memory leak fixes] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:13:22 -07:00
table = (struct cod_entry **) malloc(sizeof(struct cod_entry *) * (count + 1));
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (!table) {
PERROR(_("Couldn't merge entries. Out of Memory\n"));
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
return ENOMEM;
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
}
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
for (cur = prof->entries, n = 0; cur; cur = cur->next, n++)
parser: Clean up file entry processing Removes an unnecessary variable, simplifies and unifies some of the loop logic, and removes commented out code. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:59:00 -07:00
table[n] = cur;
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
qsort(table, count, sizeof(struct cod_entry *), file_comp);
table[count] = NULL;
parser: Never leave entries list in a bad state When merging file entries in process_file_entries(), an error condition can leave the entries list in a bad state which can cause invalid reads and/or double frees when freeing the codomain and entries list memory. The problem comes from the need to sort the entries linked list. An array of pointers is created to represent the linked list, then the array is sorted, then the linked list and the array coexist while the entries are merged, then the linked list is reconstructed and the array is freed. While the entries are being merged, an error condition can occur and the function can return while the linked list is partially modified. The solution is to complete the sorting, reconstruct the linked list, and free the array immediately. Once the linked list is in a good state, the entries can be merged. Care is taken to adjust the linked list pointers as entries are merged. An error condition can occur but the linked list is always in a good state and proper cleanup can be performed without any memory access issues. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:58:24 -07:00
for (n = 0; n < count; n++)
table[n]->next = table[n + 1];
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
prof->entries = table[0];
parser: Never leave entries list in a bad state When merging file entries in process_file_entries(), an error condition can leave the entries list in a bad state which can cause invalid reads and/or double frees when freeing the codomain and entries list memory. The problem comes from the need to sort the entries linked list. An array of pointers is created to represent the linked list, then the array is sorted, then the linked list and the array coexist while the entries are merged, then the linked list is reconstructed and the array is freed. While the entries are being merged, an error condition can occur and the function can return while the linked list is partially modified. The solution is to complete the sorting, reconstruct the linked list, and free the array immediately. Once the linked list is in a good state, the entries can be merged. Care is taken to adjust the linked list pointers as entries are merged. An error condition can occur but the linked list is always in a good state and proper cleanup can be performed without any memory access issues. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:58:24 -07:00
free(table);
[https://bugzilla.novell.com/show_bug.cgi?id=172061] This (updated) patch to trunk adds support for Px and Ux (toggle bprm_secure on exec) in the parser, As requested, lowercase p and u corresponds to an unfiltered environmnet on exec, uppercase will filter the environment. It applies after the 'm' patch. As a side effect, I tried to reduce the use of hardcoded characters in the debugging statements -- there are still a few warnings that have hard coded letters in them; not sure I can fix them all. This version issues a warning for every unsafe ux and issues a single warning for the first 'R', 'W', 'X', 'L', and 'I' it encounters, except when the "-q" or "--quiet" flag , "--remove" profile flag, or "-N" report names flags are passed. Unfortunately, it made the logic somewhat more convoluted. Wordsmithing improvements welcome.
2006-08-04 17:14:49 +00:00
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
/* walk the sorted table merging similar entries */
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
for (cur = prof->entries, next = cur->next; next; next = cur->next) {
parser: Clean up file entry processing Removes an unnecessary variable, simplifies and unifies some of the loop logic, and removes commented out code. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:59:00 -07:00
if (file_comp(&cur, &next) != 0) {
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
cur = next;
parser: Clean up file entry processing Removes an unnecessary variable, simplifies and unifies some of the loop logic, and removes commented out code. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:59:00 -07:00
continue;
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
}
parser: Clean up file entry processing Removes an unnecessary variable, simplifies and unifies some of the loop logic, and removes commented out code. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:59:00 -07:00
/* check for merged x consistency */
parser: int mode to perms Move from using and int for permissions bit mask to a perms_t type. Also move any perms mask that uses the name mode to perms to avoid confusing it with other uses of mode. Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-06-09 00:56:59 -07:00
if (!is_merged_x_consistent(cur->perms, next->perms)) {
parser: Clean up file entry processing Removes an unnecessary variable, simplifies and unifies some of the loop logic, and removes commented out code. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:59:00 -07:00
PERROR(_("profile %s: has merged rule %s with conflicting x modifiers\n"),
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
prof->name, cur->name);
return -1;
parser: Clean up file entry processing Removes an unnecessary variable, simplifies and unifies some of the loop logic, and removes commented out code. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:59:00 -07:00
}
parser: int mode to perms Move from using and int for permissions bit mask to a perms_t type. Also move any perms mask that uses the name mode to perms to avoid confusing it with other uses of mode. Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-06-09 00:56:59 -07:00
cur->perms |= next->perms;
parser: Clean up file entry processing Removes an unnecessary variable, simplifies and unifies some of the loop logic, and removes commented out code. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-11 11:59:00 -07:00
cur->next = next->next;
next->next = NULL;
free_cod_entries(next);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
}
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
return 0;
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
}
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
int profile_merge_rules(Profile *prof)
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
{
Convert codomain to a class Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2013-09-27 16:16:37 -07:00
return process_file_entries(prof);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
}
Reference in a new issue Copy permalink