update for ptrace rules

John Johansen 2008-04-09 23:56:31 +00:00
parent 4dd0e8ead8
commit 16b5a26306
4 changed files with 15 additions and 3 deletions


@ -59,6 +59,8 @@
#define AA_USER_PTRACE (1 << 28)
#define AA_OTHER_PTRACE (1 << 29)
#define AA_PTRACE_PERMS (AA_USER_PTRACE | AA_OTHER_PTRACE)
#define AA_CHANGE_HAT (1 << 30)
#define AA_CHANGE_PROFILE (1 << 31)
#define AA_SHARED_PERMS (AA_CHANGE_HAT | AA_CHANGE_PROFILE)
@ -81,7 +83,8 @@
#define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_2)
#define AA_EXEC_LOCAL (AA_EXEC_MOD_2 | AA_EXEC_MOD_0)
#define AA_VALID_PERMS (AA_FILE_PERMS | AA_CHANGE_PROFILE)
#define AA_VALID_PERMS (AA_FILE_PERMS | AA_PTRACE_PERMS | \
AA_OTHER_PERMS)
#define AA_USER_EXEC (AA_MAY_EXEC << AA_USER_SHIFT)
#define AA_OTHER_EXEC (AA_MAY_EXEC << AA_OTHER_SHIFT)
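Review bot: The new `AA_VALID_PERMS` no longer names `AA_CHANGE_PROFILE`, which the removed definition carried explicitly, so it is only correct if `AA_FILE_PERMS` or `AA_OTHER_PERMS` already contains that bit — neither definition is visible in this hunk. The parser.y hunk in this same commit ORs `AA_SHARED_PERMS` into the mask alongside `AA_OTHER_PERMS`, which suggests `AA_OTHER_PERMS` does not include the change_profile bit; if so, change_profile rules would now fail any check against `AA_VALID_PERMS`. Either keep the bit explicit, `#define AA_VALID_PERMS (AA_FILE_PERMS | AA_PTRACE_PERMS | AA_OTHER_PERMS | AA_CHANGE_PROFILE)`, or add a comment on the definition naming the macro expected to supply it. On the adjacent context line, `AA_CHANGE_PROFILE (1 << 31)` sets the sign bit of an `int`, which is undefined behavior in C99/C11 if `mode` is a signed type; `(1U << 31)` is the portable spelling and would make the `|` in `AA_VALID_PERMS` unsigned throughout.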


@ -67,6 +67,12 @@ static int file_comp(const void *c1, const void *c2)
if ((*e1)->deny != (*e2)->deny)
return (*e1)->deny < (*e2)->deny ? -1 : 1;
/* rules with ptrace and change_profile can only merge with
* rules with exact same perm */
if (((*e1)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)) !=
((*e2)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)))
return 1;
return strcmp((*e1)->name, (*e2)->name);
}
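Review bot: The added check in file_comp returns 1 whenever the ptrace/change_profile bits of the two entries differ, regardless of which entry carries them, so `cmp(a, b)` and `cmp(b, a)` both answer 1; a comparator that is not antisymmetric is undefined behavior when handed to `qsort` (C11 7.22.5) and makes the resulting order depend on the input permutation. Mirror the `deny` comparison just above it and order by the masked values: declare `m1 = (*e1)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS);` and `m2 = (*e2)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS);` with mode's own type, then `if (m1 != m2) return m1 < m2 ? -1 : 1;`. Entries with different bits still never compare equal, which is all the merge comment requires. file_comp's body begins before this hunk, so whether it is in fact the qsort callback is not visible here.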


@ -503,6 +503,8 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
AA_EXEC_INHERIT)
entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
/* relying on ptrace and change_profile not getting merged earlier */
/* the link bit on the first pair entry should not get masked
* out by a deny rule, as both pieces of the link pair must
* match. audit info for the link is carried on the second
@ -518,6 +520,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
entry->audit))
return FALSE;
}
if (entry->mode & (AA_LINK_BITS)) {
/* add the pair rule */
char lbuf[PATH_MAX + 8];
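Review bot: The comment added at `/* relying on ptrace and change_profile not getting merged earlier */` states an invariant without saying where it is enforced, so a later change to the merge path can break it silently. Name the guarantor, e.g. `/* file_comp() never reports entries with differing ptrace/change_profile bits as equal, so they are never merged and entry->mode still carries them intact here */`, assuming the file_comp change in this commit is the mechanism meant. process_dfa_entry begins and ends outside both hunks.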


@ -481,9 +481,9 @@ rules: rules opt_audit_flag opt_owner_flag TOK_OPEN rules TOK_CLOSE
yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"));
}
if ($3 == 1)
entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
else if ($3 == 2)
entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
if ($2 && !entry->deny)
entry->audit = entry->mode & ~ALL_AA_EXEC_TYPE;
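Review bot: The two new mask lines are 80+-column expressions hanging off an unbraced `if ($3 == 1)` / `else if ($3 == 2)`, and the owner-flag values 1 and 2 are bare magic numbers; adding a second statement to either branch later would silently fall outside the condition. Brace both bodies, `if ($3 == 1) { entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE); }`, and give the two owner values named enum constants (names are for the author to choose) so the meaning of `$3` is visible at the use site. With `$3` neither 1 nor 2 the mode is left unmasked, which looks intended for the no-owner case but deserves a one-line comment. The `rules` action body starts and ends outside this hunk.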