Merge parser: improve libapparmor_re build and dump info
Fix libapparmor_re/Makefile so that rebuilds work correctly, and improve the state machine dump information to aid in debugging permission handling during compilation. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1410 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
commit
015b41aeb4
5 changed files with 71 additions and 14 deletions
|
@ -14,6 +14,14 @@ AR ?= ar
|
||||||
CFLAGS ?= -g -Wall -O2 ${EXTRA_CFLAGS} -std=gnu++0x
|
CFLAGS ?= -g -Wall -O2 ${EXTRA_CFLAGS} -std=gnu++0x
|
||||||
CXXFLAGS := ${CFLAGS} ${INCLUDE_APPARMOR}
|
CXXFLAGS := ${CFLAGS} ${INCLUDE_APPARMOR}
|
||||||
|
|
||||||
|
LIB_HDRS = aare_rules.h flex-tables.h apparmor_re.h hfa.h chfa.h parse.h \
|
||||||
|
expr-tree.h policy_compat.h
|
||||||
|
|
||||||
|
OTHER_HDRS = ../common_optarg.h ../common_flags.h ../immunix.h \
|
||||||
|
../policydb.h ../perms.h ../rule.h
|
||||||
|
|
||||||
|
HDRS = ${LIB_HDRS} ${OTHER_HDRS}
|
||||||
|
|
||||||
ARFLAGS=-rcs
|
ARFLAGS=-rcs
|
||||||
|
|
||||||
BISON := bison
|
BISON := bison
|
||||||
|
@ -27,17 +35,17 @@ libapparmor_re.a: parse.o expr-tree.o hfa.o chfa.o aare_rules.o policy_compat.o
|
||||||
|
|
||||||
expr-tree.o: expr-tree.cc expr-tree.h
|
expr-tree.o: expr-tree.cc expr-tree.h
|
||||||
|
|
||||||
hfa.o: hfa.cc apparmor_re.h hfa.h ../immunix.h policy_compat.h
|
hfa.o: hfa.cc ${HDRS}
|
||||||
|
|
||||||
aare_rules.o: aare_rules.cc aare_rules.h apparmor_re.h expr-tree.h hfa.h chfa.h parse.h ../immunix.h
|
aare_rules.o: aare_rules.cc ${HDRS}
|
||||||
|
|
||||||
chfa.o: chfa.cc chfa.h ../immunix.h
|
chfa.o: chfa.cc ${HDRS}
|
||||||
|
|
||||||
policy_compat.o: policy_compat.cc policy_compat.h ../perms.h ../immunix.h
|
policy_compat.o: policy_compat.cc ${HDRS}
|
||||||
|
|
||||||
parse.o : parse.cc apparmor_re.h expr-tree.h
|
parse.o : parse.cc ${HDRS}
|
||||||
|
|
||||||
parse.cc : parse.y parse.h flex-tables.h ../immunix.h
|
parse.cc : parse.y ${HDRS}
|
||||||
${BISON} -o $@ $<
|
${BISON} -o $@ $<
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
|
|
|
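Review bot: `expr-tree.o: expr-tree.cc expr-tree.h` is the one rule left with a hand-listed dependency while every other object in the second hunk now depends on `${HDRS}`, so a change to any other header that expr-tree.cc includes (not visible here, so this may or may not apply) would still not trigger a rebuild. For consistency with the rest of the hunk I would write `expr-tree.o: expr-tree.cc ${HDRS}`. Longer term, compiler-generated dependencies (`-MMD -MP` plus `-include $(OBJS:.o=.d)`) would make these header lists unnecessary and keep them from drifting again.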
@ -305,7 +305,19 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
|
||||||
//cerr << "Checking extended perms " << extended_perms << "\n";
|
//cerr << "Checking extended perms " << extended_perms << "\n";
|
||||||
if (extended_perms) {
|
if (extended_perms) {
|
||||||
//cerr << "creating permstable\n";
|
//cerr << "creating permstable\n";
|
||||||
dfa.compute_perms_table(perms_table, prompt);
|
dfa.compute_perms_table(perms_table, prompt);
|
||||||
|
// TODO: move perms table to a class
|
||||||
|
if (opts.dump & DUMP_DFA_TRANS_TABLE && perms_table.size()) {
|
||||||
|
cerr << "Perms Table size: " << perms_table.size() << "\n";
|
||||||
|
perms_table[0].dump_header(cerr);
|
||||||
|
for (size_t i = 0; i < perms_table.size(); i++) {
|
||||||
|
perms_table[i].dump(cerr);
|
||||||
|
cerr << "accept1: 0x";
|
||||||
|
cerr << ", accept2: 0x";
|
||||||
|
cerr << "\n";
|
||||||
|
}
|
||||||
|
cerr << "\n";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
chfa = new CHFA(dfa, eq, opts, extended_perms, prompt);
|
chfa = new CHFA(dfa, eq, opts, extended_perms, prompt);
|
||||||
if (opts.dump & DUMP_DFA_TRANS_TABLE)
|
if (opts.dump & DUMP_DFA_TRANS_TABLE)
|
||||||
|
|
|
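Review bot: The two lines `cerr << "accept1: 0x";` and `cerr << ", accept2: 0x";` print only their labels; no value follows the `0x` prefix, so every row of the new dump ends in `accept1: 0x, accept2: 0x`. Presumably the accept/accept2 values for entry `i` were meant to be streamed here (in `std::hex`, since `perms_table[i].dump` switches the stream back to `std::dec` before it returns); either append them or drop the two lines. While here, `opts.dump & DUMP_DFA_TRANS_TABLE && perms_table.size()` relies on `&` binding tighter than `&&`; it is correct, but `-Wparentheses` will flag it, and `(opts.dump & DUMP_DFA_TRANS_TABLE) && !perms_table.empty()` reads more clearly. create_chfa starts and ends outside the hunk.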
@ -309,11 +309,16 @@ void CHFA::dump(ostream &os)
|
||||||
st.insert(make_pair(i->second, i->first));
|
st.insert(make_pair(i->second, i->first));
|
||||||
}
|
}
|
||||||
|
|
||||||
os << "size=" << default_base.size() << " (accept, default, base): {state} -> {default state}" << "\n";
|
os << "size=" << default_base.size() << " (accept, accept2, default, base): {state} -> {default state}" << "\n";
|
||||||
for (size_t i = 0; i < default_base.size(); i++) {
|
for (size_t i = 0; i < default_base.size(); i++) {
|
||||||
os << i << ": ";
|
os << i << ": ";
|
||||||
os << "(" << accept[i] << ", " << num[default_base[i].first]
|
os << "(" << accept[i] << ", ";
|
||||||
<< ", " << default_base[i].second << ")";
|
if (accept2.size() > 0)
|
||||||
|
os << accept2[i];
|
||||||
|
else
|
||||||
|
os << "---, ";
|
||||||
|
os << num[default_base[i].first] << ", " <<
|
||||||
|
default_base[i].second << ")";
|
||||||
if (st[i])
|
if (st[i])
|
||||||
os << " " << *st[i];
|
os << " " << *st[i];
|
||||||
if (default_base[i].first)
|
if (default_base[i].first)
|
||||||
|
|
|
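Review bot: When `accept2` is non-empty the new code streams `accept2[i]` with no separator, so a row reads `(accept, accept2default, base)` instead of the `(accept, accept2, default, base)` layout promised by the header line changed just above; the `else` branch includes the `, ` but the `if` branch does not. Change it to `os << accept2[i] << ", ";`. The branch also indexes `accept2[i]` on the assumption that a non-empty `accept2` has at least `default_base.size()` entries; that is presumably guaranteed by the table builder, but testing `accept2.size() > i` would keep the dump safe on a partially built table. CHFA::dump begins before this hunk and continues after it.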
@ -1334,8 +1334,7 @@ void DFA::compute_perms_table(vector <aa_perms> &perms_table, bool prompt)
|
||||||
perms_table.resize(states.size() * mult);
|
perms_table.resize(states.size() * mult);
|
||||||
|
|
||||||
// nonmatching and start need to be 0 and 1 so handle outside of loop
|
// nonmatching and start need to be 0 and 1 so handle outside of loop
|
||||||
if (filedfa)
|
compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
|
||||||
compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
|
|
||||||
compute_perms_table_ent(start, 1, perms_table, prompt);
|
compute_perms_table_ent(start, 1, perms_table, prompt);
|
||||||
|
|
||||||
for (Partition::iterator i = states.begin(); i != states.end(); i++) {
|
for (Partition::iterator i = states.begin(); i != states.end(); i++) {
|
||||||
|
|
|
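Review bot: Removing `if (filedfa)` means entry 0 of `perms_table` is now filled from `nonmatching` for every dfa, where before a non-file dfa left it as the zero value produced by the `resize` a few lines up; the commit description only mentions build and dump improvements, so this behaviour change is easy to miss. If it is intentional, a comment next to the call such as `// entry 0 is populated for all dfa types, not only file dfas` (and a sentence in the commit message) would record why. compute_perms_table starts and ends outside the hunk.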
@ -24,6 +24,11 @@
|
||||||
* older versions
|
* older versions
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#include <ostream>
|
||||||
|
#include <iostream>
|
||||||
|
using std::ostream;
|
||||||
|
using std::cerr;
|
||||||
|
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
#include <sys/apparmor.h>
|
#include <sys/apparmor.h>
|
||||||
|
|
||||||
|
@ -82,7 +87,7 @@
|
||||||
* - exec type - which determines how the executable name and index are used
|
* - exec type - which determines how the executable name and index are used
|
||||||
* - flags - which modify how the destination name is applied
|
* - flags - which modify how the destination name is applied
|
||||||
*/
|
*/
|
||||||
#define AA_X_INDEX_MASK AA_INDEX_MASK
|
#define AA_X_INDEX_MASK 0xffffff
|
||||||
|
|
||||||
#define AA_X_TYPE_MASK 0x0c000000
|
#define AA_X_TYPE_MASK 0x0c000000
|
||||||
#define AA_X_NONE AA_INDEX_NONE
|
#define AA_X_NONE AA_INDEX_NONE
|
||||||
|
@ -96,7 +101,8 @@
|
||||||
|
|
||||||
typedef uint32_t perm32_t;
|
typedef uint32_t perm32_t;
|
||||||
|
|
||||||
struct aa_perms {
|
class aa_perms {
|
||||||
|
public:
|
||||||
perm32_t allow;
|
perm32_t allow;
|
||||||
perm32_t deny; /* explicit deny, or conflict if allow also set */
|
perm32_t deny; /* explicit deny, or conflict if allow also set */
|
||||||
|
|
||||||
|
@ -115,6 +121,33 @@ struct aa_perms {
|
||||||
uint32_t xindex;
|
uint32_t xindex;
|
||||||
uint32_t tag; /* tag string index, if present */
|
uint32_t tag; /* tag string index, if present */
|
||||||
uint32_t label; /* label string index, if present */
|
uint32_t label; /* label string index, if present */
|
||||||
|
|
||||||
|
void dump_header(ostream &os)
|
||||||
|
{
|
||||||
|
os << "(allow/deny/prompt//audit/quiet//xindex)\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
void dump(ostream &os)
|
||||||
|
{
|
||||||
|
os << std::hex << "(0x" << allow << "/0x" << deny << "/0x"
|
||||||
|
<< prompt << "//0x" << audit << "/0x" << quiet
|
||||||
|
<< std::dec << "//";
|
||||||
|
if (xindex & AA_X_UNSAFE)
|
||||||
|
os << "unsafe ";
|
||||||
|
if (xindex & AA_X_TYPE_MASK) {
|
||||||
|
if (xindex & AA_X_CHILD)
|
||||||
|
os << "c";
|
||||||
|
else
|
||||||
|
os << "p";
|
||||||
|
}
|
||||||
|
if (xindex & AA_X_INHERIT)
|
||||||
|
os << "i";
|
||||||
|
if (xindex & AA_X_UNCONFINED)
|
||||||
|
os << "u";
|
||||||
|
os << (xindex & AA_X_INDEX_MASK);
|
||||||
|
os << ")";
|
||||||
|
}
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#endif /* __AA_PERM_H */
|
#endif /* __AA_PERM_H */
|
||||||
|
|
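Review bot: `using std::cerr;` (and the `#include <iostream>` it needs) is added at namespace scope in a header, so every translation unit that includes perms.h now gets `cerr` injected into the global namespace and pays for iostream's static initialisation; nothing in the visible hunks of this header uses `cerr`, since `dump_header` and `dump` take an `ostream &`, which `<ostream>` already covers. I would keep only `#include <ostream>` / `using std::ostream;` (or spell `std::ostream` in the two signatures and drop the using-declaration) and leave `cerr` to the .cc files that actually print. `dump_header` and `dump` do not modify the object and should be `const` (`void dump(ostream &os) const`) so a `const aa_perms &` can be dumped. Replacing `AA_INDEX_MASK` with the literal `0xffffff` in `AA_X_INDEX_MASK` duplicates a value defined elsewhere; if the two ever diverge the dump will mask a different index than the rest of the code, so a comment giving the reason for the literal would help the next reader.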