From 45964d34e7d141214340920402cd0964c6565027 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Mon, 28 Oct 2024 09:22:02 -0600
Subject: [PATCH] parser: add the abilitiy to dump the permissions table
Instead of encoding permissions in the accept and accept2 tables extended perms uses a permissions table and accept becomes an index into the table. Add the ability to dump the permissions table so that it can be compared and debugged.
Signed-off-by: John Johansen
---
 parser/libapparmor_re/aare_rules.cc | 14 ++++++++++-
 parser/libapparmor_re/hfa.cc | 3 +--
 parser/perms.h | 37 +++++++++++++++++++++++++++--
 3 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
index 96b46e16a..d4b9e28b2 100644
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@@ -306,7 +306,19 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 //cerr << "Checking extended perms " << extended_perms << "\n";
 if (extended_perms) {
 //cerr << "creating permstable\n";
- dfa.compute_perms_table(perms_table, prompt);
+ dfa.compute_perms_table(perms_table, prompt);
+ // TODO: move perms table to a class
+ if (opts.dump & DUMP_DFA_TRANS_TABLE && perms_table.size()) {
+ cerr << "Perms Table size: " << perms_table.size() << "\n";
+ perms_table[0].dump_header(cerr);
+ for (size_t i = 0; i < perms_table.size(); i++) {
+ perms_table[i].dump(cerr);
+ cerr << "accept1: 0x";
+ cerr << ", accept2: 0x";
+ cerr << "\n";
+ }
+ cerr << "\n";
+ }
 }
 chfa = new CHFA(dfa, eq, opts, extended_perms, prompt);
 if (opts.dump & DUMP_DFA_TRANS_TABLE)
diff --git a/parser/libapparmor_re/hfa.cc b/parser/libapparmor_re/hfa.cc
index 9318f8562..575d72073 100644
--- a/parser/libapparmor_re/hfa.cc
+++ b/parser/libapparmor_re/hfa.cc
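Review bot: The two new lines `cerr << "accept1: 0x";` and `cerr << ", accept2: 0x";` inside the dump loop never stream a value, so every row of the table ends in the literal text `accept1: 0x, accept2: 0x`, which defeats the comparison the commit message says the dump is for. Either append the hex accept/accept2 values that correspond to entry `i` after each prefix, or drop the two lines until the table-to-accept mapping is available; the per-state accept values are not visible in this hunk, so I cannot say which field belongs to row `i`. `perms_table[0].dump_header(cerr)` is safe only because of the `perms_table.size()` check in the guard; since `dump_header` uses no instance state, making it `static` (`aa_perms::dump_header(cerr)`) removes the dependency on element 0 existing. The enclosing `create_chfa` starts and ends outside the hunk.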
@@ -1334,8 +1334,7 @@ void DFA::compute_perms_table(vector &perms_table, bool prompt)
 perms_table.resize(states.size() * mult);
 // nonmatching and start need to be 0 and 1 so handle outside of loop
- if (filedfa)
- compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
+ compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
 compute_perms_table_ent(start, 1, perms_table, prompt);
 for (Partition::iterator i = states.begin(); i != states.end(); i++) {
diff --git a/parser/perms.h b/parser/perms.h
index ab92632eb..5cbfde1e1 100644
--- a/parser/perms.h
+++ b/parser/perms.h
@@ -24,6 +24,11 @@
 * older versions
 */
+#include
+#include
+using std::ostream;
+using std::cerr;
+
 #include
 #include
@@ -79,7 +84,7 @@
 * - exec type - which determines how the executable name and index are used
 * - flags - which modify how the destination name is applied
 */
-#define AA_X_INDEX_MASK AA_INDEX_MASK
+#define AA_X_INDEX_MASK 0xffffff
 #define AA_X_TYPE_MASK 0x0c000000
 #define AA_X_NONE AA_INDEX_NONE
@@ -93,7 +98,8 @@
 typedef uint32_t perm32_t;
-struct aa_perms {
+class aa_perms {
+public:
 perm32_t allow;
 perm32_t deny; /* explicit deny, or conflict if allow also set */
@@ -112,6 +118,33 @@ struct aa_perms {
 uint32_t xindex;
 uint32_t tag; /* tag string index, if present */
 uint32_t label; /* label string index, if present */
+
+ void dump_header(ostream &os)
+ {
+ os << "(allow/deny/prompt//audit/quiet//xindex)\n";
+ }
+
+ void dump(ostream &os)
+ {
+ os << std::hex << "(0x" << allow << "/0x" << deny << "/0x"
+ << prompt << "//0x" << audit << "/0x" << quiet
+ << std::dec << "//";
+ if (xindex & AA_X_UNSAFE)
+ os << "unsafe ";
+ if (xindex & AA_X_TYPE_MASK) {
+ if (xindex & AA_X_CHILD)
+ os << "c";
+ else
+ os << "p";
+ }
+ if (xindex & AA_X_INHERIT)
+ os << "i";
+ if (xindex & AA_X_UNCONFINED)
+ os << "u";
+ os << (xindex & AA_X_INDEX_MASK);
+ os << ")";
+ }
+
 };
 #endif /* __AA_PERM_H */
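Review bot: Removing the `if (filedfa)` guard around `compute_perms_table_ent(nonmatching, 0, ...)` changes which DFAs get table entry 0 filled from the nonmatching state, and neither the subject nor the message mentions it, so a later reader of the log will attribute any change in non-file policy encoding to a "dump" commit. If the dump needs slot 0 populated for every DFA, say so in the message, e.g. `compute entry 0 unconditionally so the perms table is fully initialised for non-file dfas too`; otherwise this one-line change belongs in its own commit. Whether non-file DFAs previously relied on slot 0 staying zero from the `resize` is not visible here, so I would want that confirmed before merging. The rest of `compute_perms_table` lies outside the hunk.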
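Review bot: `using std::ostream;` and `using std::cerr;` at namespace scope in perms.h leak into every translation unit that includes the header, and the only in-header user is the `ostream &os` parameter of the two dump methods. I would drop both `using` lines, spell the parameter `std::ostream &os`, and let aare_rules.cc (the only place that writes to `cerr` in this patch) include `<iostream>` itself. The include targets are stripped in this rendering, so I cannot confirm which headers the two new `#include` lines name; `<ostream>` is all the header itself needs.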
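Review bot: Replacing `AA_INDEX_MASK` with the literal `0xffffff` in `AA_X_INDEX_MASK` silently decouples the exec-index width from the shared definition while `AA_X_NONE` two lines below still aliases `AA_INDEX_NONE`; if the two ever diverge, `dump()` will print a different index than the encoder emits and the dump stops being a trustworthy comparison tool. If the literal is needed because `AA_INDEX_MASK` is not in scope everywhere perms.h is included, keep it but pin the relationship with `static_assert(AA_X_INDEX_MASK == AA_INDEX_MASK, "exec index width mismatch");` in a translation unit that sees both, and note the reason in the commit message, which currently does not mention this change at all.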
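Review bot: `dump()` switches the stream to `std::hex` and then restores `std::dec` unconditionally, so a caller whose stream was already in hex (or using `showbase`) gets its format state clobbered; save and restore the flags instead, `std::ios_base::fmtflags saved = os.flags(); ... os.flags(saved);`. Neither method writes any member, so both should be `const` (and `dump_header` `static`), otherwise they cannot be called through a `const aa_perms &`. The `xindex & AA_X_TYPE_MASK` branch decides between `c` and `p` by testing `AA_X_CHILD` alone; `AA_X_TYPE_MASK` is two bits (`0x0c000000`), so if a type value other than child and the one printed as `p` exists it will be reported as `p`, which is worth a comment or an explicit third case. The class header for `aa_perms` is in the previous hunk, so the member list starts outside this one.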