parser: fix mapping of AA_CONT_MATCH for policydb compat entries

The mapping of AA_CONT_MATCH was being dropped resulting in the tcp tests failing because they would only match up to the first conditional match check in the layout. Bug: https://gitlab.com/apparmor/apparmor/-/issues/462 Fixes: e29f5ce5f ("parser: if extended perms are supported by the kernel build a permstable") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 00:14:44 +01:00 · 2024-11-05 18:40:37 -07:00 · 2024-11-05 18:40:37 -07:00 · 15a02e0948
commit 15a02e0948
parent 3d1a3493af
3 changed files with 6 additions and 1 deletions
--- a/parser/libapparmor_re/policy_compat.cc
+++ b/parser/libapparmor_re/policy_compat.cc
@ -182,6 +182,8 @@ struct aa_perms compute_perms_entry(uint32_t accept1, uint32_t accept2,
 	perms.prompt = dfa_user_allow(accept3);
 	perms.audit = dfa_user_audit(accept1, accept2);
 	perms.quiet = dfa_user_quiet(accept1, accept2);
+	if (accept1 & AA_COMPAT_CONT_MATCH)
+		perms.allow |= AA_CONT_MATCH;

 	/*
 	 * This mapping is convulated due to history.
--- a/parser/network.cc
+++ b/parser/network.cc
@ -721,7 +721,7 @@ bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &st

 	cond_perms = map_perms(perms);
 	if (!is_cmd && (label || is_peer))
-		cond_perms = (AA_CONT_MATCH << 1);
+		cond_perms = AA_COMPAT_CONT_MATCH;

 	for (auto &oss : streams) {
 		oss << "\\x00"; /* null transition */
--- a/parser/perms.h
+++ b/parser/perms.h
@ -65,6 +65,9 @@
 #define AA_MAY_DELEGATE
 #define AA_CONT_MATCH		0x08000000

+// TODO: move into a reworked immunix.h that is dependent on perms.h
+#define AA_COMPAT_CONT_MATCH	(AA_CONT_MATCH << 1)
+
 #define AA_MAY_STACK		0x10000000
 #define AA_MAY_ONEXEC		0x20000000 /* either stack or change_profile */
 #define AA_MAY_CHANGE_PROFILE	0x40000000