parser: Fix AF_UNIX stub rule creation
The patch titled "parser: Add support for unix domain socket rules." modified the code that creates the stub rules for rule types that the parser supports. It added new stub rules for extended network and AF_UNIX rule types but it also changed the stub rules for all existing rule types. That change causes the kernel to not enforce some rule types. This patch fixes the stub rule creation so that existing rule types continue to be enforced, as well as AF_UNIX rule types when the parser and kernel both support them. Here are the DFA states generated before applying the patch mentioned above: $ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {3} (0x 10004/0/0/0) {1} -> {2}: 0x2f / {2} -> {3}: 0x66 f {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {1} -> {2}: 0x2 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ Here are the DFA states generated after applying the patch mentioned above: $ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {3} (0x 10004/0/0/0) {1} -> {2}: 0x2f / {2} -> {3}: 0x66 f {1} <== (allow/deny/audit/quiet) {4} (0x 4/0/0/0) {1} -> {2}: 0x0 {1} -> {3}: 0x34 4 {2} -> {4}: 0x2 {2} -> {4}: 0x4 {2} -> {4}: 0x7 {2} -> {4}: 0x9 {2} -> {4}: 0xa {2} -> {4}: 0x20 \ {3} -> {4}: 0x31 1 Here are the DFA states generated after applying this patch: $ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {3} (0x 10004/0/0/0) {1} -> {2}: 0x2f / {2} -> {3}: 0x66 f {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {1} -> {2}: 0x2 {1} -> {2}: 0x4 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ {1} -> {3}: 0x34 4 {3} -> {4}: 0x0 {4} -> {2}: 0x31 1 Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
parent
019de74059
commit
5b46e3b334
1 changed files with 4 additions and 3 deletions
@ -665,9 +665,10 @@ int post_process_policydb_ents(Profile *prof)
return TRUE;
}
|
#define MAKE_STR(A) #A
#define CLASS_STR(X) "\\000\\d" MAKE_STR(X)
#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_STR(Y)
#define MAKE_STR(X) #X
#define CLASS_STR(X) "\\d" MAKE_STR(X)
#define MAKE_SUB_STR(X) "\\000" MAKE_STR(X)
#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_SUB_STR(Y)
|
static const char *mediates_file = CLASS_STR(AA_CLASS_FILE);
static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
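Review bot: The new CLASS_SUB_STR encodes its leading class byte differently from the new CLASS_STR: CLASS_STR(AA_CLASS_NET) expands to `"\\d" "4"`, the decimal byte escape that the description's post-patch DFA shows as a raw 0x4 transition, whereas CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX) expands to `"4" "\\000" "1"`, which the same DFA shows as ASCII '4' (0x34), NUL, ASCII '1' (0x31) — a path disjoint from the 0x4 transition the extended-net stub creates. If the kernel locates the AF_UNIX stub by walking class byte 4 and then the address family (not visible here — confirm against the kernel's mediation check), this stub would never be reached and the description's goal of enforcing AF_UNIX rules when both sides support them would presumably not hold for profiles that carry no explicit unix rules. Making the two macros consistent is a two-line change: `#define MAKE_SUB_STR(X) "\\000\\d" MAKE_STR(X)` and `#define CLASS_SUB_STR(X, Y) CLASS_STR(X) MAKE_SUB_STR(Y)`. A short comment above the macros saying that `\d<N>` is the regex decimal byte escape and that MAKE_STR is deliberately single-level because the outer macro's argument is what gets macro-expanded would save the next reader from this confusion. The run of static stub strings continues past the end of the hunk.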