mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 00:14:44 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

parser: equality tests: fix cx specified profile transition

Browse source 
cx rules using a specified profile transition, may be emulated by
using px and a hierarchical profile name. That is

  cx -> b

may be transformed into

  px -> profile//b

which will generate an xtable entry of

  profile//b

which means the previous patch using

  pivot_root -> b,

to reliably add b to the xtable will not cover this case.

transition to using two pivot_root rules to provide the xtable entries
  pivot_root /a -> b,
  pivot_root /c -> /t//b,

the paths /a and /c are irrelavent as long as they don't have an
overlap with the generic globbing expression in the test, Two table
entries will be generated. We guarantee no overlap by converting the

  /** to /f**

Also the xtable reserving rules are moved to the end of the profile so
the table order can be reliably created. A follow on MR around xtable
improvements should add reliability to xtable order.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2024-12-12 09:16:58 -08:00
parent 84650beb2f
commit 369029dc07
1 changed files with 9 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
parser/tst/equality.sh
View file

@ -649,7 +649,6 @@ do
"pix -> b" "Pix -> b" "cux -> b" "Cux -> b" \
"cix -> b" "Cix -> b"
do
# Fixme: have to do special handling for -> b, as this
# creates an entry in the transition table. However
# priority rules can make it so the reference to the
@ -657,16 +656,19 @@ do
# the tranition. This can lead to a situation where the
# test dfa with a "-> b" transition is functionally equivalent
# but will fail equality comparison.
# fix this by adding a pivot_root -> b, rule which add
# add an xtable entry that is deduped with the xrule
# fix this by adding two none overlapping x rules to add
# xtable entries
# /c -> /t//b, for cx rules being converted to px -> /t//b
# /a -> b, for px rules
# the rules must come last guarantee xtable order
if [ "$perm1" == "$perm2" ] || priority_gt "$p1" "" ; then
verify_binary_equality "'$p1'x'$p2' Exec perm \"${perm1}\" - most specific match: same as glob" \
"/t { $p1 /* ${perm1}, /f ${perm2}, pivot_root -> b, }" \
"/t { $p2 /* ${perm1}, pivot_root -> b, }"
"/t { $p1 /f* ${perm1}, /f ${perm2}, /a px -> b, /c px -> /t//b, }" \
"/t { $p2 /f* ${perm1}, /a px -> b, /c px -> /t//b, }"
else
verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs \"${perm2}\" - most specific match: different from glob" \
"/t { $p1 /* ${perm1}, /f ${perm2}, pivot_root -> b, }" \
"/t { $p2 /* ${perm1}, pivot_root -> b, }"
"/t { $p1 /f* ${perm1}, /f ${perm2}, /a px -> b, /c px -> /t//b, }" \
"/t { $p2 /f* ${perm1}, /a px -> b, /c px -> /t//b, }"
fi
done
verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \