Add the ability to specify link subset test on a link pair, and
fix a bug where link pairs could get improperly merged.
This commit is contained in:
parent
d2eeef8291
commit
36ad7de2c5
6 changed files with 43 additions and 11 deletions
|
@ -68,9 +68,14 @@
|
|||
#define AA_EXEC_MODIFIERS (AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
|
||||
AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
|
||||
AA_EXEC_MOD_4)
|
||||
#define AA_EXEC_COUNT 32
|
||||
|
||||
#define AA_EXEC_TYPE (AA_MAY_EXEC | AA_EXEC_UNSAFE | \
|
||||
AA_EXEC_MODIFIERS)
|
||||
#define AA_USER_EXEC_MODIFIERS (AA_EXEC_MODIFIERS << AA_USER_SHIFT)
|
||||
#define AA_OTHER_EXEC_MODIFIERS (AA_EXEC_MODIFIERS << AA_OTHER_SHIFT)
|
||||
#define AA_ALL_EXEC_MODIFIERS (AA_USER_EXEC_MODIFIERS | \
|
||||
AA_OTHER_EXEC_MODIFIERS)
|
||||
|
||||
#define AA_EXEC_TYPE (AA_EXEC_UNSAFE | AA_EXEC_MODIFIERS)
|
||||
|
||||
#define AA_EXEC_UNCONFINED (AA_EXEC_MOD_0)
|
||||
#define AA_EXEC_INHERIT (AA_EXEC_MOD_1)
|
||||
|
@ -79,8 +84,10 @@
|
|||
|
||||
#define AA_VALID_PERMS (AA_FILE_PERMS | AA_CHANGE_PROFILE)
|
||||
|
||||
#define AA_EXEC_BITS ((AA_MAY_EXEC << AA_USER_SHIFT) | \
|
||||
(AA_MAY_EXEC << AA_OTHER_SHIFT))
|
||||
#define AA_USER_EXEC (AA_MAY_EXEC << AA_USER_SHIFT)
|
||||
#define AA_OTHER_EXEC (AA_MAY_EXEC << AA_OTHER_SHIFT)
|
||||
|
||||
#define AA_EXEC_BITS (AA_USER_EXEC | AA_OTHER_EXEC)
|
||||
|
||||
#define ALL_AA_EXEC_UNSAFE ((AA_EXEC_UNSAFE << AA_USER_SHIFT) | \
|
||||
(AA_EXEC_UNSAFE << AA_OTHER_SHIFT))
|
||||
|
@ -88,6 +95,8 @@
|
|||
#define AA_USER_EXEC_TYPE (AA_EXEC_TYPE << AA_USER_SHIFT)
|
||||
#define AA_OTHER_EXEC_TYPE (AA_EXEC_TYPE << AA_OTHER_SHIFT)
|
||||
|
||||
#define ALL_AA_EXEC_TYPE (AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE)
|
||||
|
||||
#define AA_LINK_BITS ((AA_MAY_LINK << AA_USER_SHIFT) | \
|
||||
(AA_MAY_LINK << AA_OTHER_SHIFT))
|
||||
|
||||
|
@ -102,6 +111,13 @@
|
|||
(AA_LINK_SUBSET_TEST << AA_OTHER_SHIFT))
|
||||
#define LINK_TO_LINK_SUBSET(X) (((X) << 1) & AA_LINK_SUBSET_TEST)
|
||||
|
||||
|
||||
/* Pack the audit, and quiet masks into a single 28 bit field in the
|
||||
* format oq:oa:uq:ua
|
||||
*/
|
||||
#define PACK_AUDIT_CTL(audit, quiet) (((audit) & 0x1fc07f) | \
|
||||
(((quiet) & 0x1fc07f) << 7))
|
||||
|
||||
#define AA_HAT_SIZE 975 /* Maximum size of a subdomain
|
||||
* ident (hat) */
|
||||
#define AA_IP_TCP 0x0001
|
||||
|
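Review bot: `LINK_TO_LINK_SUBSET(X)` masks the shifted value with `AA_LINK_SUBSET_TEST`, yet the context line just above it applies `AA_LINK_SUBSET_TEST << AA_OTHER_SHIFT`, which reads as if that name is the unshifted bit while the caller in process_dfa_entry passes a user/other-shifted `perms`. If that is the case the mask keeps only the unshifted position and the subset bit never lands in either shifted half; the define whose tail is visible above the macro (the OR of both shifted copies) looks like the intended mask, so this is worth confirming against the definitions above the hunk. Either way the macro silently relies on the subset-test bit sitting exactly one position left of AA_MAY_LINK in each permission group, which deserves a comment such as `/* assumes AA_LINK_SUBSET_TEST == AA_MAY_LINK << 1 in every shift group; keep in sync */`.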
|
|
@ -44,6 +44,8 @@ struct cod_entry {
|
|||
int mode; /* mode is 'or' of AA_* bits */
|
||||
int deny; /* TRUE or FALSE */
|
||||
|
||||
int subset;
|
||||
|
||||
pattern_t pattern_type;
|
||||
struct cod_pattern pat;
|
||||
|
||||
|
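Review bot: `int subset;` is the only field in this hunk without a comment, while its neighbours document their value domain (`/* mode is 'or' of AA_* bits */`, `/* TRUE or FALSE */`). The grammar sets it from a 0/1 flag and file_comp only reads it for entries with a link_name, so suggest `int subset; /* TRUE when a link rule carries the "subset" keyword */` to record both the domain and the fact that it is meaningful only for link entries.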
|
|
@ -59,6 +59,11 @@ static int file_comp(const void *c1, const void *c2)
|
|||
if (res)
|
||||
return res;
|
||||
|
||||
if ((*e1)->link_name)
|
||||
res = (*e2)->subset - (*e1)->subset;
|
||||
if (res)
|
||||
return res;
|
||||
|
||||
return strcmp((*e1)->name, (*e2)->name);
|
||||
}
|
||||
|
||||
|
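Review bot: The new tie-break `if ((*e1)->link_name) res = (*e2)->subset - (*e1)->subset;` consults only e1's link_name; this is presumably safe because an earlier comparison in file_comp (the function starts above the hunk) has already ordered entries by link_name, but that dependency should be stated in a comment so the ordering of the comparisons is not rearranged later. Two unbraced single-statement ifs back to back also read as if the second were the else of the first; bracing the assignment makes the flow obvious. The subtraction is correct only while subset stays 0/1, which the grammar currently guarantees; `res = ((*e2)->subset > (*e1)->subset) - ((*e2)->subset < (*e1)->subset);` would not depend on that.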
|
|
@ -62,6 +62,7 @@ static struct keyword_table keyword_table[] = {
|
|||
{"unsafe", TOK_UNSAFE},
|
||||
{"link", TOK_LINK},
|
||||
{"owner", TOK_OWNER},
|
||||
{"subset", TOK_SUBSET},
|
||||
/* terminate */
|
||||
{NULL, 0}
|
||||
};
|
||||
|
|
|
@ -515,6 +515,8 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
|
|||
ptype = convert_aaregex_to_pcre(entry->link_name, 0, lbuf, PATH_MAX + 8);
|
||||
if (ptype == ePatternInvalid)
|
||||
return FALSE;
|
||||
if (entry->subset)
|
||||
perms |= LINK_TO_LINK_SUBSET(perms);
|
||||
vec[1] = lbuf;
|
||||
} else {
|
||||
perms |= LINK_TO_LINK_SUBSET(perms);
|
||||
|
|
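Review bot: `perms |= LINK_TO_LINK_SUBSET(perms);` now appears twice under different guards — only when `entry->subset` is set in the link-pair branch, unconditionally in the else branch — and nothing explains the asymmetry, so a later cleanup could easily "harmonise" them. A one-line comment on each would prevent that, e.g. `/* link pair: request the subset test only when the rule says "subset" */` on the first and `/* bare link permission: always subset-tested */` on the second (the second wording is my reading of the else branch and should be confirmed). Since the pair form without `subset` appears to be the less restrictive grant, that is the comment a reviewer of a profile will look for. process_dfa_entry begins and ends outside the hunk.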
|
@ -95,6 +95,7 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
|
|||
%token TOK_COLON
|
||||
%token TOK_LINK
|
||||
%token TOK_OWNER
|
||||
%token TOK_SUBSET
|
||||
|
||||
/* capabilities */
|
||||
%token TOK_CAPABILITY
|
||||
|
@ -150,7 +151,7 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
|
|||
%type <val_list> valuelist
|
||||
%type <boolean> expr
|
||||
%type <id> id_or_var
|
||||
|
||||
%type <boolean> opt_subset_flag
|
||||
%%
|
||||
|
||||
|
||||
|
@ -357,6 +358,9 @@ flagval: TOK_FLAG_ID
|
|||
$$ = fv;
|
||||
};
|
||||
|
||||
opt_subset_flag: { /* nothing */ $$ = 0; }
|
||||
| TOK_SUBSET { $$ = 1; }
|
||||
|
||||
rules: { /* nothing */
|
||||
struct codomain *cod = NULL;
|
||||
cod = (struct codomain *) calloc(1, sizeof(struct codomain));
|
||||
|
@ -585,27 +589,29 @@ rule: id_or_var file_mode id_or_var
|
|||
yyerror(_("missing an end of line character? (entry: %s)"), $1);
|
||||
};
|
||||
|
||||
rule: TOK_LINK TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
|
||||
rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
|
||||
{
|
||||
struct cod_entry *entry;
|
||||
PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $2, $4);
|
||||
entry = new_entry(NULL, $2, AA_LINK_BITS, $4);
|
||||
PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $3, $5);
|
||||
entry = new_entry(NULL, $3, AA_LINK_BITS, $5);
|
||||
if (!entry)
|
||||
yyerror(_("Memory allocation error."));
|
||||
entry->subset = $2;
|
||||
PDEBUG("rule.entry: link (%s)\n", entry->name);
|
||||
$$ = entry;
|
||||
};
|
||||
|
||||
rule: TOK_LINK file_mode TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
|
||||
rule: file_mode opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
|
||||
{
|
||||
struct cod_entry *entry;
|
||||
PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $3, $5);
|
||||
if ($2 & ~AA_LINK_BITS) {
|
||||
if ($1 & ~AA_LINK_BITS) {
|
||||
yyerror(_("only link perms can be specified in a link rule."));
|
||||
} else {
|
||||
entry = new_entry(NULL, $3, $2, $5);
|
||||
entry = new_entry(NULL, $3, AA_LINK_BITS, $5);
|
||||
if (!entry)
|
||||
yyerror(_("Memory allocation error."));
|
||||
entry->subset = $2;
|
||||
}
|
||||
PDEBUG("rule.entry: link (%s)\n", entry->name);
|
||||
$$ = entry;
|
||||
|
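Review bot: In the second rule (`rule: file_mode opt_subset_flag TOK_ID TOK_ARROW TOK_ID …`) the mode handed to new_entry changed from the parsed file_mode to the constant `AA_LINK_BITS`; after the `$1 & ~AA_LINK_BITS` check has rejected non-link bits, any narrower link mode the author wrote (if file_mode can yield only one of the user/other halves, e.g. under `owner`) is widened to both halves, whereas `entry = new_entry(NULL, $3, $1, $5);` keeps the entry at exactly what was written. In the same action the error branch leaves `entry` uninitialised and execution still reaches `PDEBUG("rule.entry: link (%s)\n", entry->name);` and `$$ = entry;`; that is only safe if yyerror never returns, which merits a comment or an explicit `YYERROR;` after the message. The earlier hunks (the TOK_SUBSET token and the opt_subset_flag type/rule) look fine.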
|