parser: maintain compatibility for fine grained inet network mediation
A simple rule without conditionals needs to be generated for when the kernel does not support fine grained inet network mediation. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
parent
dd0d145a19
commit
119e3f38f9
4 changed files with 14 additions and 0 deletions
|
@ -612,6 +612,15 @@ bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mas
|
|||
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (type_mask & 0xff);
|
||||
}
|
||||
|
||||
if (!features_supports_inet) {
|
||||
buf = buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(AA_VALID_NET_PERMS),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
if (perms & AA_PEER_NET_PERMS) {
|
||||
gen_ip_conds(buffer, peer, true, false);
|
||||
|
||||
|
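Review bot: The early `return true` in the new `if (!features_supports_inet)` branch leaves gen_net_rule before gen_ip_conds is reached, so on a kernel without `network/af_inet` any peer/local ip or port conditions the policy specified are silently dropped, and the emitted rule carries map_perms(AA_VALID_NET_PERMS) rather than the rule's own `perms` (the later `if (perms & AA_PEER_NET_PERMS)` check suggests `perms` is the narrower value) — the loaded policy is broader than what the author wrote. That is presumably the intended compatibility fallback, but nothing in the hunk records it; a comment at the top of the branch such as `/* kernel lacks fine-grained inet mediation: emit the rule without ip/port conditions; any peer/local conditionals are not enforced on this kernel */` would make the degradation visible to the next reader, and a compile-time warning when the rule actually carried conditionals would make it visible to the policy author. Whether a caller already warns about this is not visible here. gen_net_rule starts and ends outside the hunk.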
|
|
@ -341,6 +341,7 @@ extern int kernel_load;
|
|||
extern int kernel_supports_setload;
|
||||
extern int features_supports_network;
|
||||
extern int features_supports_networkv8;
|
||||
extern int features_supports_inet;
|
||||
extern int kernel_supports_policydb;
|
||||
extern int kernel_supports_diff_encode;
|
||||
extern int features_supports_mount;
|
||||
|
|
|
@ -69,6 +69,7 @@ int kernel_load = 1;
|
|||
int kernel_supports_setload = 0; /* kernel supports atomic set loads */
|
||||
int features_supports_network = 0; /* kernel supports network rules */
|
||||
int features_supports_networkv8 = 0; /* kernel supports 4.17 network rules */
|
||||
int features_supports_inet = 0; /* kernel supports inet network rules */
|
||||
int features_supports_unix = 0; /* kernel supports unix socket rules */
|
||||
int kernel_supports_policydb = 0; /* kernel supports new policydb */
|
||||
int features_supports_mount = 0; /* kernel supports mount rules */
|
||||
|
|
|
@ -919,6 +919,9 @@ void set_supported_features()
|
|||
features_supports_networkv8 = features_intersect(kernel_features,
|
||||
policy_features,
|
||||
"network_v8");
|
||||
features_supports_inet = features_intersect(kernel_features,
|
||||
policy_features,
|
||||
"network/af_inet");
|
||||
features_supports_unix = features_intersect(kernel_features,
|
||||
policy_features,
|
||||
"network/af_unix");
|
||||
|
|