parser: change xattr encoding and allow append_rule to embedd permissions

The current encoding makes every xattr optional and uses this to
propagate the permission from the tail to the individual rule match
points.

This however is wrong. Instead change the encoding so that an xattr
(unless optional) is required to be matched before allowing moving
onto the next xattr match.

The permission is carried on the end on each rule portion file match,
xattr 1, xattr 2, ...

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2019-09-06 02:08:57 -07:00
parent e13af5dc96
commit 444b8e3836
3 changed files with 9 additions and 5 deletions


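--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -147,7 +147,8 @@ bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
 * This is used by xattrs matching where, after matching the path, the DFA is
 * advanced by a null character for each xattr.
 */
-bool aare_rules::append_rule(const char *rule, bool oob, dfaflags_t flags)
+bool aare_rules::append_rule(const char *rule, bool oob, bool with_perm,
+dfaflags_t flags)
 {
 Node *tree = NULL;
 if (regex_parse(&tree, rule))
@@ -169,10 +170,13 @@ bool aare_rules::append_rule(const char *rule, bool oob, dfaflags_t flags)
 * the path, then each value of the xattrs. Using an optional node
 * lets each rule end up in an accepting state.
 */
-tree = new OptionalNode(new CatNode(oob ? new CharNode(transchar(-1, true)) : new CharNode(0), tree));
+tree = new CatNode(oob ? new CharNode(transchar(-1, true)) : new CharNode(0), tree);
 PermExprMap::iterator it;
 for (it = expr_map.begin(); it != expr_map.end(); it++) {
-expr_map[it->first] = new CatNode(it->second, tree);
+if (with_perm)
+expr_map[it->first] = new CatNode(it->second, new AltNode(it->first, tree));
+else
+expr_map[it->first] = new CatNode(it->second, tree);
 }
 return true;
 }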
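Review bot: The comment at the top of the second hunk still says "Using an optional node lets each rule end up in an accepting state", but the OptionalNode wrapper is exactly what this hunk removes, so those context lines now document the old encoding; that comment (which begins before the hunk) should be reworded to describe the new behaviour, e.g. `* The null-separated xattr portion must be matched before the next one; when with_perm is set the rule's permission node is alternated in at the end of this portion so the match can accept here or continue.` The function header comment in the first hunk also does not mention the new with_perm parameter, and a line such as `* @with_perm: also attach each rule's permission node after this portion` would keep it current. Separately, `new AltNode(it->first, tree)` embeds the map key node inside the expression tree and, as before, shares `tree` across every map entry; if these nodes are freed by recursive delete rather than a reference count, that is a double free, so it is worth confirming against Node's release semantics. append_rule's body starts in the first hunk and the two hunks are not contiguous.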


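--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -104,7 +104,7 @@ class aare_rules {
 uint32_t audit, dfaflags_t flags);
 bool add_rule_vec(int deny, uint32_t perms, uint32_t audit, int count,
 const char **rulev, dfaflags_t flags, bool oob);
-bool append_rule(const char *rule, bool oob, dfaflags_t flags);
+bool append_rule(const char *rule, bool oob, bool with_perm, dfaflags_t flags);
 void *create_dfa(size_t *size, int *min_match_len, dfaflags_t flags);
 };
 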

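--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -559,7 +559,7 @@ static int process_profile_name_xmatch(Profile *prof)
 convert_aaregex_to_pcre(xattr_value, 0,
 glob_null, tbuf,
 &len);
-if (!rules->append_rule(tbuf.c_str(), true, dfaflags)) {
+if (!rules->append_rule(tbuf.c_str(), true, true, dfaflags)) {
 delete rules;
 return FALSE;
 }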
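Review bot: `rules->append_rule(tbuf.c_str(), true, true, dfaflags)` passes two adjacent bare booleans, so a reader cannot tell which is oob and which is with_perm without opening the header; annotating the arguments, `rules->append_rule(tbuf.c_str(), /* oob */ true, /* with_perm */ true, dfaflags)`, keeps the call self-describing. The enclosing function starts before the hunk.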