parser: add the abilitiy to dump the permissions table

Instead of encoding permissions in the accept and accept2 tables extended perms uses a permissions table and accept becomes an index into the table. Add the ability to dump the permissions table so that it can be compared and debugged. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 00:14:44 +01:00 · 2024-10-28 09:22:02 -06:00 · 2024-10-28 09:22:02 -06:00 · 45964d34e7
commit 45964d34e7
parent 00dedf10ad
3 changed files with 49 additions and 5 deletions
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@ -306,7 +306,19 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 		//cerr << "Checking extended perms " << extended_perms << "\n";
 		if (extended_perms) {
 			//cerr << "creating permstable\n";
-		  dfa.compute_perms_table(perms_table, prompt);
+			dfa.compute_perms_table(perms_table, prompt);
+			// TODO: move perms table to a class
+			if (opts.dump & DUMP_DFA_TRANS_TABLE && perms_table.size()) {
+				cerr << "Perms Table size: " << perms_table.size() << "\n";
+				perms_table[0].dump_header(cerr);
+				for (size_t i = 0; i < perms_table.size(); i++) {
+					perms_table[i].dump(cerr);
+					cerr << "accept1: 0x";
+					cerr << ", accept2: 0x";
+					cerr << "\n";
+				}
+				cerr << "\n";
+			}
 		}
 		chfa = new CHFA(dfa, eq, opts, extended_perms, prompt);
 		if (opts.dump & DUMP_DFA_TRANS_TABLE)
--- a/parser/libapparmor_re/hfa.cc
+++ b/parser/libapparmor_re/hfa.cc
@ -1334,8 +1334,7 @@ void DFA::compute_perms_table(vector <aa_perms> &perms_table, bool prompt)
 	perms_table.resize(states.size() * mult);

 	// nonmatching and start need to be 0 and 1 so handle outside of loop
-	if (filedfa)
-	  compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
+	compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
 	compute_perms_table_ent(start, 1, perms_table, prompt);

 	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
--- a/parser/perms.h
+++ b/parser/perms.h
@ -24,6 +24,11 @@
 * older versions
 */

+#include <ostream>
+#include <iostream>
+using std::ostream;
+using std::cerr;
+
 #include <stdint.h>
 #include <sys/apparmor.h>

@ -79,7 +84,7 @@
 * - exec type - which determines how the executable name and index are used
 * - flags - which modify how the destination name is applied
 */
-#define AA_X_INDEX_MASK		AA_INDEX_MASK
+#define AA_X_INDEX_MASK		0xffffff

 #define AA_X_TYPE_MASK		0x0c000000
 #define AA_X_NONE		AA_INDEX_NONE
@ -93,7 +98,8 @@

 typedef uint32_t perm32_t;

-struct aa_perms {
+class aa_perms {
+public:
 	perm32_t allow;
 	perm32_t deny;	/* explicit deny, or conflict if allow also set */

@ -112,6 +118,33 @@ struct aa_perms {
 	uint32_t xindex;
 	uint32_t tag;	/* tag string index, if present */
 	uint32_t label;	/* label string index, if present */
+
+	void dump_header(ostream &os)
+	{
+		os << "(allow/deny/prompt//audit/quiet//xindex)\n";
+	}
+
+	void dump(ostream &os)
+	{
+		os << std::hex << "(0x" << allow << "/0x" << deny << "/0x"
+		   << prompt << "//0x" << audit << "/0x" << quiet
+		   << std::dec << "//";
+		if (xindex & AA_X_UNSAFE)
+			os << "unsafe ";
+		if (xindex & AA_X_TYPE_MASK) {
+			if (xindex & AA_X_CHILD)
+				os << "c";
+			else
+				os << "p";
+		}
+		if (xindex & AA_X_INHERIT)
+			os << "i";
+		if (xindex & AA_X_UNCONFINED)
+			os << "u";
+		os << (xindex & AA_X_INDEX_MASK);
+		os << ")";
+	}
+
 };

 #endif /* __AA_PERM_H */