From 20dbc4d8cbf6c4d72e1aab60daddd07f55f0f248 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 1 Feb 2007 21:45:39 +0000 Subject: [PATCH] fix miss break #240986. Back out partial commit of dfa matcher support (that was mistakenly submitted) --- parser/Makefile | 8 +-- parser/immunix.h | 28 +-------- parser/parser.h | 11 ---- parser/parser_interface.c | 100 +++++++++++-------------------- parser/parser_main.c | 28 +++------ parser/parser_policy.c | 4 -- parser/parser_regex.c | 123 ++++++++------------------------------ 7 files changed, 72 insertions(+), 230 deletions(-) diff --git a/parser/Makefile b/parser/Makefile index 30b4959d9..fce175f30 100644 --- a/parser/Makefile +++ b/parser/Makefile @@ -77,8 +77,6 @@ OBJECTS = parser_lex.o parser_yacc.o parser_main.o parser_interface.o \ parser_include.o parser_merge.o parser_symtab.o parser_misc.o \ parser_regex.o parser_variable.o parser_policy.o -AARE = libapparmor_re/libapparmor_re.a - PCREDIR= pcre PCREOBJECTS = ${PCREDIR}/pcre.o @@ -112,8 +110,8 @@ all: $(LEX_C_FILES) $(YACC_C_FILES) $(TOOLS) $(Q)make -C po all $(Q)make -s tests -apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AARE) - $(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB} -Bstatic $(AARE) -lstdc++ +apparmor_parser: $(OBJECTS) $(PCREOBJECTS) + $(CC) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(PCREOBJECTS) $(LIBS) ${LEXLIB} parser_yacc.c parser_yacc.h: parser_yacc.y parser.h $(YACC) $(YFLAGS) -o parser_yacc.c parser_yacc.y @@ -198,7 +196,7 @@ install-suse: ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd - + .PHONY: install-slackware install-slackware: install -m 755 -d $(APPARMOR_BIN_PREFIX)/install diff --git a/parser/immunix.h b/parser/immunix.h index e612a9407..fae82975b 100644 --- a/parser/immunix.h +++ b/parser/immunix.h 
@@ -54,9 +54,6 @@ #define POS_KERN_COD_MIN (POS_KERN_COD_FILE_MIN #define POS_KERN_COD_MAX (POS_KERN_COD_NET_MAX -/* Invalid perm permission */ -#define POS_AA_INVALID_POS 31 - /* Modeled after MAY_READ, MAY_WRITE, MAY_EXEC def'ns */ #define KERN_COD_MAY_EXEC (0x01 << POS_KERN_COD_MAY_EXEC) #define KERN_COD_MAY_WRITE (0x01 << POS_KERN_COD_MAY_WRITE) @@ -67,11 +64,9 @@ #define KERN_COD_EXEC_PROFILE (0x01 << POS_KERN_COD_EXEC_PROFILE) #define KERN_COD_EXEC_MMAP (0x01 << POS_KERN_COD_EXEC_MMAP) #define KERN_COD_EXEC_UNSAFE (0x01 << POS_KERN_COD_EXEC_UNSAFE) -#define AA_EXEC_MODIFIERS (AA_EXEC_INHERIT | \ - AA_EXEC_UNCONSTRAINED | \ - AA_EXEC_PROFILE) -#define KERN_EXEC_MODIFIERS(X) (X & AA_EXEC_MODIFIERS) - +#define KERN_EXEC_MODIFIERS(X) (X & (KERN_COD_EXEC_INHERIT | \ + KERN_COD_EXEC_UNCONSTRAINED | \ + KERN_COD_EXEC_PROFILE)) /* Network subdomain extensions. */ #define KERN_COD_TCP_CONNECT (0x01 << POS_KERN_COD_TCP_CONNECT) #define KERN_COD_TCP_ACCEPT (0x01 << POS_KERN_COD_TCP_ACCEPT) @@ -82,19 +77,9 @@ #define KERN_COD_LOGTCP_SEND (0x01 << POS_KERN_COD_LOGTCP_SEND) #define KERN_COD_LOGTCP_RECEIVE (0x01 << POS_KERN_COD_LOGTCP_RECEIVE) -#define AA_INVALID_PERM (0x01 << POS_AA_INVALID_POS) #define KERN_COD_HAT_SIZE 975 /* Maximum size of a subdomain * ident (hat) */ -#define AA_MAY_EXEC KERN_COD_MAY_EXEC -#define AA_MAY_WRITE KERN_COD_MAY_WRITE -#define AA_MAY_READ KERN_COD_MAY_READ -#define AA_MAY_LINK KERN_COD_MAY_LINK -#define AA_EXEC_INHERIT KERN_COD_EXEC_INHERIT -#define AA_EXEC_UNCONSTRAINED KERN_COD_EXEC_UNCONSTRAINED -#define AA_EXEC_PROFILE KERN_COD_EXEC_PROFILE -#define AA_EXEC_MMAP KERN_COD_EXEC_MMAP -#define AA_EXEC_UNSAFE KERN_COD_EXEC_UNSAFE enum pattern_t { ePatternBasic, 
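Review bot: The re-added `KERN_EXEC_MODIFIERS(X)` expands `X` unparenthesised, so a caller that passes a compound expression such as `a | b` gets `a | b & (...)`, where `&` binds before `|` and only `b` is masked; write `#define KERN_EXEC_MODIFIERS(X) ((X) & (KERN_COD_EXEC_INHERIT | \` with the two continuation lines unchanged. The same hunk also drops the blank line that separated this macro from the `/* Network subdomain extensions. */` comment; restoring it keeps the file and network permission-bit groups visually distinct. The removal of the `AA_*` aliases in the neighbouring hunks is a straight revert and needs nothing further.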
@@ -113,11 +98,4 @@ enum pattern_t { #define HAS_EXEC_MMAP(mode) ((mode) & KERN_COD_EXEC_MMAP) #define HAS_EXEC_UNSAFE(mode) ((mode) & KERN_COD_EXEC_UNSAFE) -#define AA_NOXMODS_PERM_MASK (AA_MAY_EXEC | AA_MAY_WRITE | \ - AA_MAY_READ | AA_MAY_LINK | \ - AA_EXEC_MMAP) -#define AA_VALID_PERM_MASK ((1 << (POS_KERN_COD_MAX + 1)) - 1) - -#define SINGLE_BIT_SET(X) (!((X) & ((X) - 1))) -#define AA_EXEC_SINGLE_MODIFIER_SET(X) SINGLE_BIT_SET(((X) & AA_EXEC_MODIFIERS)) #endif /* ! _IMMUNIX_H */ diff --git a/parser/parser.h b/parser/parser.h index 9f0fe0629..eecf8512e 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -19,7 +19,6 @@ #include #include "pcre/internal.h" #include "immunix.h" -#include "libapparmor_re/apparmor_re.h" typedef enum pattern_t pattern_t; @@ -69,11 +68,6 @@ struct codomain { struct cod_net_entry * net_entries; void *hat_table; //struct codomain *next; - - aare_ruleset_t *dfarules; - int dfarule_count; - void *dfa; - size_t dfa_size; } ; struct cod_global_entry { @@ -122,10 +116,6 @@ struct var_string { #define OPTION_REPLACE 3 #define OPTION_STDOUT 4 -#define AARE_NONE 0 -#define AARE_PCRE 1 -#define AARE_DFA 2 - #ifdef DEBUG #define PDEBUG(fmt, args...) printf("parser: " fmt, ## args) #else @@ -156,7 +146,6 @@ extern char *profilename; /* from parser_main */ extern int force_complain; -extern int regex_type; extern void pwarn(char *fmt, ...) __attribute__((__format__(__printf__, 1, 2))); extern int yyparse(void); diff --git a/parser/parser_interface.c b/parser/parser_interface.c index b098b7214..13d68f406 100644 --- a/parser/parser_interface.c +++ b/parser/parser_interface.c @@ -26,7 +26,6 @@ #define _(s) gettext(s) #include "parser.h" -#include "libapparmor_re/apparmor_re.h" #include #include 
@@ -471,31 +470,6 @@ int sd_serialize_file_entry(sd_serialize *p, struct cod_entry *file_entry) return 1; } -int sd_serialize_dfa(sd_serialize *p, void *dfa, size_t size) -{ - /* fake up a file entry in regex entry list */ - PDEBUG("Writing file entry. name '%s'\n", file_entry->name); - if (!sd_write_list(p, "pgent")) - return 0; - if (!sd_write_struct(p, "fe")) - return 0; - if (!sd_write_string(p, "dfa", NULL)) - return 0; - /* list entry has having all perms but no exec modifiers */ - if (!sd_write32(p, 0x7fffffff & ~AA_EXEC_MODIFIERS)) - return 0; - if (!sd_write32(p, ePatternRegex)) - return 0; - if (!sd_write_blob(p, dfa, size, "aadfa")) - return 0; - if (!sd_write_structend(p)) - return 0; - if (!sd_write_listend(p)) - return 0; - - return 1; -} - int count_file_ents(struct cod_entry *list) { struct cod_entry *file_entry; 
@@ -555,55 +529,49 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile) if (!sd_write32(p, profile->capabilities)) return 0; - /* either have a single dfa or lists of different entry types */ - if (profile->dfa) { - if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size)) + /* pcre globbing entries */ + if (count_pcre_ents(profile->entries)) { + if (!sd_write_list(p, "pgent")) return 0; - } else { - /* pcre globbing entries */ - if (count_pcre_ents(profile->entries)) { - if (!sd_write_list(p, "pgent")) - return 0; - for (file_entry = profile->entries; file_entry; - file_entry = file_entry->next) { - if (file_entry->pattern_type == ePatternRegex) { - if (!sd_serialize_file_entry(p, file_entry)) - return 0; - } + for (file_entry = profile->entries; file_entry; + file_entry = file_entry->next) { + if (file_entry->pattern_type == ePatternRegex) { + if (!sd_serialize_file_entry(p, file_entry)) + return 0; } - if (!sd_write_listend(p)) - return 0; } + if (!sd_write_listend(p)) + return 0; + } - /* simple globbing entries */ - if (count_tailglob_ents(profile->entries)) { - if (!sd_write_list(p, "sgent")) - return 0; - for (file_entry = profile->entries; file_entry; - file_entry = file_entry->next) { - if (file_entry->pattern_type == ePatternTailGlob) { - if (!sd_serialize_file_entry(p, file_entry)) - return 0; - } + /* simple globbing entries */ + if (count_tailglob_ents(profile->entries)) { + if (!sd_write_list(p, "sgent")) + return 0; + for (file_entry = profile->entries; file_entry; + file_entry = file_entry->next) { + if (file_entry->pattern_type == ePatternTailGlob) { + if (!sd_serialize_file_entry(p, file_entry)) + return 0; } - if (!sd_write_listend(p)) - return 0; } + if (!sd_write_listend(p)) + return 0; + } - /* basic file entries */ - if (count_file_ents(profile->entries)) { - if (!sd_write_list(p, "fent")) - return 0; - for (file_entry = profile->entries; file_entry; - file_entry = file_entry->next) { - if (file_entry->pattern_type == 
ePatternBasic) { - if (!sd_serialize_file_entry(p, file_entry)) - return 0; - } + /* basic file entries */ + if (count_file_ents(profile->entries)) { + if (!sd_write_list(p, "fent")) + return 0; + for (file_entry = profile->entries; file_entry; + file_entry = file_entry->next) { + if (file_entry->pattern_type == ePatternBasic) { + if (!sd_serialize_file_entry(p, file_entry)) + return 0; } - if (!sd_write_listend(p)) - return 0; } + if (!sd_write_listend(p)) + return 0; } if (profile->net_entries) { diff --git a/parser/parser_main.c b/parser/parser_main.c index 5f3e080a0..50d54494d 100644 --- a/parser/parser_main.c +++ b/parser/parser_main.c @@ -48,7 +48,6 @@ #define MATCH_STRING "/sys/kernel/security/" MODULE_NAME "/matching" #define MOUNTED_FS "/proc/mounts" #define PCRE "pattern=pcre" -#define AADFA "pattern=aadfa" #define UNPRIVILEGED_OPS (debug || preprocess_only || option == OPTION_STDOUT || names_only || \ dump_vars || dump_expanded_vars) @@ -66,8 +65,6 @@ int conf_quiet = 0; char *subdomainbase = NULL; char *profilename; char *match_string = NULL; -int regex_type = AARE_NONE; - extern int current_lineno; struct option long_options[] = { @@ -390,7 +387,7 @@ static void get_match_string(void) { /* has process_args() already assigned a match string? */ if (match_string) - goto out; + return; FILE *ms = fopen(MATCH_STRING, "r"); if (!ms) @@ -407,28 +404,22 @@ static void get_match_string(void) { } out: - if (match_string) { - if (strstr(match_string, PCRE)) - regex_type = AARE_PCRE; - - if (strstr(match_string, AADFA)) - regex_type = AARE_DFA; - } - - if (ms) - fclose(ms); + fclose(ms); return; } /* return 1 --> PCRE should work fine return 0 --> no PCRE support */ -static int regex_support(void) { +static int pcre_support(void) { + + get_match_string(); + /* no match string, predates (or postdates?) the split matching module design */ if (!match_string) return 1; - if (regex_type != AARE_NONE) + if (strstr(match_string, PCRE)) return 1; return 0; 
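Review bot: The re-indented body of `sd_serialize_profile` now carries three near-identical loops (pgent/sgent/fent) that differ only in the list name and the `pattern_type` they select, each preceded by its own `count_*_ents()` pass, so any fix to one of them (for example on the `sd_write_listend` failure path) has to be applied three times. Factoring them into one static helper that takes the list name and the `pattern_t` keeps the serialised format byte-identical while leaving a single place to audit; this assumes `count_pcre_ents`/`count_tailglob_ents`/`count_file_ents` count exactly the entries whose `pattern_type` matches, which their bodies (outside this hunk) should confirm before the change is made. `sd_serialize_profile` begins before this hunk and continues past it.
```c
/* Emit every entry whose pattern_type is `type` as the list `name`.
 * An empty selection writes nothing, matching the count_*_ents()
 * guards this replaces. */
static int sd_serialize_entry_list(sd_serialize *p, struct cod_entry *list,
				   const char *name, pattern_t type)
{
	struct cod_entry *file_entry;
	int present = 0;

	for (file_entry = list; file_entry; file_entry = file_entry->next)
		if (file_entry->pattern_type == type)
			present = 1;
	if (!present)
		return 1;
	if (!sd_write_list(p, name))
		return 0;
	for (file_entry = list; file_entry; file_entry = file_entry->next) {
		if (file_entry->pattern_type != type)
			continue;
		if (!sd_serialize_file_entry(p, file_entry))
			return 0;
	}
	if (!sd_write_listend(p))
		return 0;
	return 1;
}

/* … in sd_serialize_profile, replacing the three loops … */
	if (!sd_write32(p, profile->capabilities))
		return 0;

	if (!sd_serialize_entry_list(p, profile->entries, "pgent", ePatternRegex) ||
	    !sd_serialize_entry_list(p, profile->entries, "sgent", ePatternTailGlob) ||
	    !sd_serialize_entry_list(p, profile->entries, "fent", ePatternBasic))
		return 0;

	/* … unchanged: net_entries serialisation … */
```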
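Review bot: With `if (ms) fclose(ms);` replaced by a bare `fclose(ms);` under the `out:` label in `get_match_string`, any remaining `goto out` taken while `ms` is NULL would hand a null `FILE *` to fclose(); the `if (!ms)` branch right after the `fopen()` in the preceding hunk is the obvious candidate, but its body lies outside the diff, so confirm it `return`s rather than jumps. If every surviving jump to `out:` happens with an open stream, the label itself is now redundant and the tail can simply be `fclose(ms); return;`. `get_match_string` starts before the first parser_main.c hunk; `pcre_support` now calls it directly, which is fine because the `if (match_string) return;` guard at the top keeps repeated calls from re-reading the file.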
@@ -446,9 +437,6 @@ int process_profile(int option, char *profilename) if (retval != 0) goto out; - /* Get the match string to determine type of regex support needed */ - get_match_string(); - retval = post_process_policy(); if (retval != 0) { PERROR(_("%s: Errors found in file. Aborting.\n"), progname); @@ -482,7 +470,7 @@ int process_profile(int option, char *profilename) if (!subdomainbase && !preprocess_only && !(option == OPTION_STDOUT)) find_subdomainfs_mountpoint(); - if (!regex_support()) { + if (!pcre_support()) { die_if_any_regex(); } diff --git a/parser/parser_policy.c b/parser/parser_policy.c index fa20f84fb..3f98014d9 100644 --- a/parser/parser_policy.c +++ b/parser/parser_policy.c @@ -451,9 +451,5 @@ void free_policy(struct codomain *cod) free_hat_table(cod->hat_table); free_cod_entries(cod->entries); free_net_entries(cod->net_entries); - if (cod->dfarules) - aare_delete_ruleset(cod->dfarules); - if (cod->dfa) - free(cod->dfa); free(cod); } diff --git a/parser/parser_regex.c b/parser/parser_regex.c index 2b8684acb..e23e18fc9 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -27,7 +27,6 @@ /* #define DEBUG */ #include "parser.h" -#include "libapparmor_re/apparmor_re.h" enum error_type { e_no_error, @@ -114,11 +113,10 @@ static void filter_slashes(char *path) } } -static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, - char *pcre, size_t pcre_size) +static int process_regex_entry(struct cod_entry *entry) { #define STORE(_src, _dest, _len) \ - if ((const char*)_dest + _len > (pcre + pcre_size)){ \ + if ((const char*)_dest + _len > tbufend){ \ error = e_buffer_overflow; \ } else { \ memcpy(_dest, _src, _len); \ @@ -130,6 +128,9 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, /* flag to indicate input error */ enum error_type error; + char tbuf[PATH_MAX + 3]; /* +3 for ^, $ and \0 */ + const char *tbufend = &tbuf[PATH_MAX]; + const char *sptr; char *dptr; pattern_t ptype; 
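Review bot: The bounds test in `STORE`, `(const char*)_dest + _len > tbufend`, first forms the pointer `_dest + _len`, which for the longer replacement strings can land more than one element past the end of `tbuf`; that arithmetic is undefined in C and a compiler may assume the comparison can never be true, which would defeat the overflow check on exactly the input it exists for. Compare remaining space instead: `if ((size_t)(tbufend - (const char *)_dest) < (size_t)(_len)) { \`. Because the macro expands to a bare `if`/`else`, also wrap the whole expansion in `do { … } while (0)` so `STORE(...);` remains a single statement if it is ever used as an unbraced `if` body; the macro's tail and the rest of `process_regex_entry` lie outside this hunk. Note too that with `tbufend = &tbuf[PATH_MAX]` the closing `STORE(buf, dptr, 2)` for `$\0` is checked against the same limit, so the three extra bytes that the `/* +3 for ^, $ and \0 */` comment reserves are never actually written; the comment should say the pattern is bounded at PATH_MAX including the anchors and terminator.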
@@ -141,12 +142,14 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, error = e_no_error; ptype = ePatternBasic; /* assume no regex */ - sptr = aare; - dptr = pcre; + if (!entry) /* shouldn't happen */ + return TRUE; - if (anchor) - /* anchor beginning of regular expression */ - *dptr++ = '^'; + sptr = entry->name; + dptr = tbuf; + + /* anchor beginning of regular expression */ + *dptr++ = '^'; while (error == e_no_error && *sptr) { switch (*sptr) { @@ -339,10 +342,10 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, } /* anchor end and terminate pattern string */ - if (error == e_no_error && anchor) - STORE("$" , dptr, 1); if (error == e_no_error) { - STORE("", dptr, 1); + char buf[2] = { '$', 0 }; + + STORE(buf, dptr, 2); } /* check error again, as above STORE may have set it */ @@ -353,31 +356,12 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, } PERROR(_("%s: Unable to parse input line '%s'\n"), - progname, aare); + progname, entry->name); ret = FALSE; goto out; } -out: - if (ret == FALSE) - ptype = ePatternInvalid; - return ptype; -} - -static int process_pcre_entry(struct cod_entry *entry) -{ - char tbuf[PATH_MAX + 3]; /* +3 for ^, $ and \0 */ - int ret = TRUE; - pattern_t ptype; - - if (!entry) /* shouldn't happen */ - return TRUE; - - ptype = convert_aaregex_to_pcre(entry->name, 1, tbuf, PATH_MAX + 3); - if (ptype == ePatternInvalid) - return FALSE; - entry->pattern_type = ptype; /* 
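Review bot: The `if (!entry) /* shouldn't happen */ return TRUE;` guard in `process_regex_entry` fails open: an internal inconsistency is reported as a successfully processed rule, which is the wrong default for a policy compiler, where such a state should abort the load rather than be counted as success. It is also unreachable from the only caller visible here, since `post_process_entries` calls `filter_slashes(entry->name)` before `process_regex_entry(entry)` and would already have dereferenced a NULL entry; either drop the guard or make it fail closed with `if (!entry) return FALSE;`. `process_regex_entry` begins before this hunk, and its error path (`goto out` to `out: return ret;`) is in a later one.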
@@ -438,89 +422,33 @@ static int process_pcre_entry(struct cod_entry *entry) filter_escapes(entry->name); } /* ptype == ePatternRegex */ +out: return ret; } -static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry) -{ - char tbuf[PATH_MAX + 3]; /* +3 for ^, $ and \0 */ - int ret = TRUE; - pattern_t ptype; - - if (!entry) /* shouldn't happen */ - return TRUE; - - ptype = convert_aaregex_to_pcre(entry->name, 0, tbuf, PATH_MAX + 3); - if (ptype == ePatternInvalid) - return FALSE; - - entry->pattern_type = ptype; - - /* ix implies m but the apparmor module does not add m bit to - * dfa states like it does for pcre - */ - if (entry->mode & KERN_COD_EXEC_INHERIT) - entry->mode |= KERN_COD_EXEC_MMAP; - if (!aare_add_rule(dfarules, tbuf, entry->mode)) - ret = FALSE; - - return ret; -} - -int post_process_entries(struct codomain *cod) +int post_process_entries(struct cod_entry *entry_list) { int ret = TRUE, rc; struct cod_entry *entry; - int count = 0; - for (entry = cod->entries; entry; entry = entry->next) { + for (entry = entry_list; entry; entry = entry->next) { filter_slashes(entry->name); - if (regex_type == AARE_DFA) - rc = process_dfa_entry(cod->dfarules, entry); - else - rc = process_pcre_entry(entry); + rc = process_regex_entry(entry); if (!rc) ret = FALSE; - count++; } - code->dfarule_count = count; return ret; } int process_regex(struct codomain *cod) { - int error = -1; + int error = 0; - if (regex_type == AARE_DFA) { - cod->dfarules = aare_new_ruleset(0); - if (!cod->dfarules) - goto out; + if (!post_process_entries(cod->entries)) { + error = -1; } - if (!post_process_entries(cod)) -{ -fprintf(stderr, "Failed post_process_entries\n"); - goto out; -} - if (regex_type == AARE_DFA && cod->dfarule_count > 0) { - cod->dfa = aare_create_dfa(cod->dfarules, 0, &cod->dfa_size); - if (!cod->dfa) -{ -fprintf(stderr, "Failed create dfa\n"); - goto out; -} -/* - if (cod->dfa_size == 0) { - PERROR(_("profile %s: has merged rules (%s) with " - 
"multiple x modifiers\n"), - cod->name, (char *) cod->dfa); - free(cod->dfa); - cod->dfa = NULL; - goto out; - } -*/ - } /* * Post process subdomain(s): * @@ -536,11 +464,8 @@ fprintf(stderr, "Failed create dfa\n"); * } */ if (process_hat_regex(cod) != 0) - goto out; + error = -1; - error = 0; - -out: return error; }