mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

parser: split accept perm processing from rule parsing

Browse source 
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
John Johansen 2014-09-03 14:40:08 -07:00 committed by Steve Beattie
parent fb53ec793b
commit 19c942e5c2
1 changed files with 42 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

75
parser/libapparmor_re/aare_rules.cc
View file

@ -91,42 +91,13 @@ static Node *cat_with_null_seperator(Node *l, Node *r)
return new CatNode(new CatNode(l, new CharNode(0)), r); return new CatNode(new CatNode(l, new CharNode(0)), r);
} }
bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit, static Node *convert_file_perms(int deny, uint32_t perms, uint32_t audit,
int count, const char **rulev, dfaflags_t flags) bool exact_match)
{ {
Node *tree = NULL, *accept; Node *accept;
int exact_match;
uint32_t allow = perms;
assert(perms != 0); assert(perms != 0);
if (regex_parse(&tree, rulev[0]))
return false;
for (int i = 1; i < count; i++) {
Node *subtree = NULL;
if (regex_parse(&subtree, rulev[i]))
return false;
tree = cat_with_null_seperator(tree, subtree);
}
/*
* Check if we have an expression with or without wildcards. This
* determines how exec modifiers are merged in accept_perms() based
* on how we split permission bitmasks here.
*/
exact_match = 1;
for (depth_first_traversal i(tree); i && exact_match; i++) {
if (dynamic_cast<StarNode *>(*i) ||
dynamic_cast<PlusNode *>(*i) ||
dynamic_cast<AnyCharNode *>(*i) ||
dynamic_cast<CharSetNode *>(*i) ||
dynamic_cast<NotCharSetNode *>(*i))
exact_match = 0;
}
if (reverse)
flip_tree(tree);
/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */ /* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f) #define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
@ -195,6 +166,44 @@ bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
accept = flag; accept = flag;
} /* for ... */ } /* for ... */
return accept;
}
bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
int count, const char **rulev, dfaflags_t flags)
{
Node *tree = NULL, *accept;
int exact_match;
if (regex_parse(&tree, rulev[0]))
return false;
for (int i = 1; i < count; i++) {
Node *subtree = NULL;
if (regex_parse(&subtree, rulev[i]))
return false;
tree = cat_with_null_seperator(tree, subtree);
}
/*
* Check if we have an expression with or without wildcards. This
* determines how exec modifiers are merged in accept_perms() based
* on how we split permission bitmasks here.
*/
exact_match = 1;
for (depth_first_traversal i(tree); i && exact_match; i++) {
if (dynamic_cast<StarNode *>(*i) ||
dynamic_cast<PlusNode *>(*i) ||
dynamic_cast<AnyCharNode *>(*i) ||
dynamic_cast<CharSetNode *>(*i) ||
dynamic_cast<NotCharSetNode *>(*i))
exact_match = 0;
}
if (reverse)
flip_tree(tree);
accept = convert_file_perms(deny, perms, audit, exact_match);
if (flags & DFA_DUMP_RULE_EXPR) { if (flags & DFA_DUMP_RULE_EXPR) {
cerr << "rule: "; cerr << "rule: ";
cerr << rulev[0]; cerr << rulev[0];
@ -206,7 +215,7 @@ bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
tree->dump(cerr); tree->dump(cerr);
if (deny) if (deny)
cerr << " deny"; cerr << " deny";
cerr << " (0x" << hex << allow <<"/" << audit << dec << ")"; cerr << " (0x" << hex << perms <<"/" << audit << dec << ")";
accept->dump(cerr); accept->dump(cerr);
cerr << "\n\n"; cerr << "\n\n";
} }