parser: implement dedup of network rules

Since network rules don't use the "perms" attribute, they use the
dedup class, in which duplicate rules are removed.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia 2023-08-02 17:58:38 -03:00 committed by John Johansen
parent 820f1fb5f2
commit 05de4b82e7
2 changed files with 31 additions and 6 deletions


@ -309,7 +309,7 @@ void network_rule::set_netperm(unsigned int family, unsigned int type)
network_rule::network_rule(const char *family, const char *type,
const char *protocol):
perms_rule_t(AA_CLASS_NETV8)
dedup_perms_rule_t(AA_CLASS_NETV8)
{
if (!family && !type && !protocol) {
size_t family_index;
@ -337,7 +337,7 @@ network_rule::network_rule(const char *family, const char *type,
}
network_rule::network_rule(unsigned int family, unsigned int type):
perms_rule_t(AA_CLASS_NETV8)
dedup_perms_rule_t(AA_CLASS_NETV8)
{
network_map[family].push_back({ family, type, 0xFFFFFFFF });
set_netperm(family, type);
@ -421,7 +421,7 @@ bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mas
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(AA_VALID_NET_PERMS),
perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
parseopts))
return false;
@ -520,3 +520,25 @@ void network_rule::update_compat_net(void)
}
}
}
static int cmp_network_map(std::unordered_map<unsigned int, perms_t> lhs,
std::unordered_map<unsigned int, perms_t> rhs)
{
int res;
size_t family_index;
for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
res = lhs[family_index] - rhs[family_index];
if (res)
return res;
}
return 0;
}
int network_rule::cmp(rule_t const &rhs) const
{
int res = dedup_perms_rule_t::cmp(rhs);
if (res)
return res;
network_rule const &nrhs = rule_cast<network_rule const &>(rhs);
return cmp_network_map(network_perms, nrhs.network_perms);
};
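Review bot: cmp_network_map, added at the end of this hunk, takes both unordered_maps by value, so every comparison the dedup pass makes copies two maps, and it orders entries by `lhs[family_index] - rhs[family_index]`, which wraps if perms_t is unsigned (as its use with map_perms suggests) and then lands in an int whose sign need not say which side is larger. A comparator with an inconsistent sign breaks any sort the dedup relies on (undefined behaviour for std::sort); equality is still detected since a wrapped difference is zero only for equal values, but if perms_t were wider than int the truncation to int could report two different permission sets as equal and let dedup drop a rule that is not a duplicate, which would silently change the compiled policy. Take the maps by const reference, look families up with find() (operator[] is not available on a const map and would insert missing keys anyway, treating an absent family as 0 as the original does), and return an explicit three-way result. The trailing `;` after cmp's closing brace is an empty declaration and can be dropped; both functions are complete within the hunk.
```cpp
static int cmp_network_map(const std::unordered_map<unsigned int, perms_t> &lhs,
			   const std::unordered_map<unsigned int, perms_t> &rhs)
{
	for (size_t family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
		/* a family absent from a map compares as no perms (0), which is
		 * what operator[] used to default-insert */
		auto l = lhs.find(family_index);
		auto r = rhs.find(family_index);
		perms_t lp = (l == lhs.end()) ? 0 : l->second;
		perms_t rp = (r == rhs.end()) ? 0 : r->second;
		if (lp != rp)
			return lp < rp ? -1 : 1;
	}
	return 0;
}
// … unchanged: network_rule::cmp …
```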


@ -104,7 +104,7 @@ int net_find_type_val(const char *type);
const char *net_find_type_name(int type);
const char *net_find_af_name(unsigned int af);
class network_rule: public perms_rule_t {
class network_rule: public dedup_perms_rule_t {
public:
std::unordered_map<unsigned int, std::vector<struct aa_network_entry>> network_map;
std::unordered_map<unsigned int, perms_t> network_perms;
@ -112,7 +112,7 @@ public:
/* empty constructor used only for the profile to access
* static elements to maintain compatibility with
* AA_CLASS_NET */
network_rule(): perms_rule_t(AA_CLASS_NETV8) { }
network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8) { }
network_rule(const char *family, const char *type,
const char *protocol);
network_rule(unsigned int family, unsigned int type);
@ -150,7 +150,10 @@ public:
virtual ostream &dump(ostream &os);
virtual int expand_variables(void);
virtual int gen_policy_re(Profile &prof);
// TODO: implement rule dedup cmp member function
virtual bool is_mergeable(void) { return true; }
virtual int cmp(rule_t const &rhs) const;
/* array of type masks indexed by AF_FAMILY */
/* allow, audit, deny and quiet are used for compatibility with AA_CLASS_NET */
static unsigned int *allow;