pass prompt info down into the backend for mapping
mapping for PROMPT_DEV needs to know that we should prompt
This commit is contained in:
parent
2510698f63
commit
5bd2271189
9 changed files with 64 additions and 39 deletions
|
@ -199,8 +199,8 @@ bool aare_rules::append_rule(const char *rule, bool oob, bool with_perm,
|
|||
*/
|
||||
CHFA *aare_rules::create_chfa(int *min_match_len,
|
||||
vector <aa_perms> &perms_table,
|
||||
optflags const &opts,
|
||||
bool filedfa, bool extended_perms)
|
||||
optflags const &opts, bool filedfa,
|
||||
bool extended_perms, bool prompt)
|
||||
{
|
||||
/* finish constructing the expr tree from the different permission
|
||||
* set nodes */
|
||||
|
@ -310,9 +310,9 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
|
|||
//cerr << "Checking extended perms " << extended_perms << "\n";
|
||||
if (extended_perms) {
|
||||
//cerr << "creating permstable\n";
|
||||
dfa.compute_perms_table(perms_table);
|
||||
dfa.compute_perms_table(perms_table, prompt);
|
||||
}
|
||||
chfa = new CHFA(dfa, eq, opts, extended_perms);
|
||||
chfa = new CHFA(dfa, eq, opts, extended_perms, prompt);
|
||||
if (opts.dump & DUMP_DFA_TRANS_TABLE)
|
||||
chfa->dump(cerr);
|
||||
}
|
||||
|
@ -331,14 +331,15 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
|
|||
void *aare_rules::create_dfablob(size_t *size, int *min_match_len,
|
||||
vector <aa_perms> &perms_table,
|
||||
optflags const &opts, bool filedfa,
|
||||
bool extended_perms)
|
||||
bool extended_perms, bool prompt)
|
||||
{
|
||||
char *buffer = NULL;
|
||||
stringstream stream;
|
||||
|
||||
try {
|
||||
CHFA *chfa = create_chfa(min_match_len, perms_table,
|
||||
opts, filedfa, extended_perms);
|
||||
opts, filedfa, extended_perms,
|
||||
prompt);
|
||||
if (!chfa) {
|
||||
*size = 0;
|
||||
return NULL;
|
||||
|
@ -375,7 +376,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
|
|||
size_t *new_start,
|
||||
vector <aa_perms> &perms_table,
|
||||
optflags const &opts,
|
||||
bool extended_perms)
|
||||
bool extended_perms, bool prompt)
|
||||
{
|
||||
int file_min_len;
|
||||
vector <aa_perms> file_perms;
|
||||
|
@ -383,7 +384,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
|
|||
try {
|
||||
file_chfa = file_rules->create_chfa(&file_min_len,
|
||||
file_perms, opts,
|
||||
true, extended_perms);
|
||||
true, extended_perms, prompt);
|
||||
if (!file_chfa) {
|
||||
*size = 0;
|
||||
return NULL;
|
||||
|
@ -398,7 +399,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
|
|||
try {
|
||||
policy_chfa = create_chfa(min_match_len,
|
||||
perms_table, opts,
|
||||
false, extended_perms);
|
||||
false, extended_perms, prompt);
|
||||
if (!policy_chfa) {
|
||||
delete file_chfa;
|
||||
*size = 0;
|
||||
|
@ -414,7 +415,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
|
|||
stringstream stream;
|
||||
try {
|
||||
policy_chfa->weld_file_to_policy(*file_chfa, *new_start,
|
||||
extended_perms,
|
||||
extended_perms, prompt,
|
||||
perms_table, file_perms);
|
||||
policy_chfa->flex_table(stream);
|
||||
}
|
||||
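Review bot: The new `prompt` parameter of `aare_rules::create_chfa` is undocumented, and its meaning is not obvious from this file: it is forwarded to `dfa.compute_perms_table` only under `if (extended_perms)` but always to the `CHFA` constructor, so the two accept-table encodings treat it differently. A short comment at the signature would save the next reader a trip through hfa.h, e.g. `/* prompt: profile contains prompt rules; changes how accept tables are encoded (see State::map_perms_to_accept) */`. The same note fits `create_dfablob` and `create_welded_dfablob`, which only pass it through. Both of those functions start or end outside the hunks shown here.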
|
|
|
@ -118,17 +118,17 @@ class aare_rules {
|
|||
CHFA *create_chfa(int *min_match_len,
|
||||
vector <aa_perms> &perms_table,
|
||||
optflags const &opts, bool filedfa,
|
||||
bool extended_perms);
|
||||
bool extended_perms, bool prompt);
|
||||
void *create_dfablob(size_t *size, int *min_match_len,
|
||||
vector <aa_perms> &perms_table,
|
||||
optflags const &opts,
|
||||
bool filedfa, bool extended_perms);
|
||||
bool filedfa, bool extended_perms, bool prompt);
|
||||
void *create_welded_dfablob(aare_rules *file_rules,
|
||||
size_t *size, int *min_match_len,
|
||||
size_t *new_start,
|
||||
vector <aa_perms> &perms_table,
|
||||
optflags const &opts,
|
||||
bool extended_perms);
|
||||
bool extended_perms, bool prompt);
|
||||
};
|
||||
|
||||
#endif /* __LIBAA_RE_RULES_H */
|
||||
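Review bot: The three public signatures in `aare_rules.h` now take a trailing `bool prompt` next to `bool extended_perms`, and nothing in the header says how the two interact or what callers should pass when the profile has no prompt rules. Two adjacent booleans are easy to transpose at call sites; a comment on the class such as `/* extended_perms: emit a permstable32 perms table; prompt: profile uses prompt rules (only meaningful for the PROMPT_COMPAT_DEV accept encoding) */` would document the contract. The class declaration begins outside this hunk.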
|
|
|
@ -55,7 +55,7 @@ void CHFA::init_free_list(vector<pair<size_t, size_t> > &free_list,
|
|||
* permtable index flag
|
||||
*/
|
||||
CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
|
||||
bool permindex): eq(eq)
|
||||
bool permindex, bool prompt): eq(eq)
|
||||
{
|
||||
if (opts.dump & DUMP_DFA_TRANS_PROGRESS)
|
||||
fprintf(stderr, "Compressing HFA:\r");
|
||||
|
@ -110,11 +110,16 @@ CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
|
|||
accept[0] = dfa.nonmatching->idx;
|
||||
accept[1] = dfa.start->idx;
|
||||
} else {
|
||||
uint32_t accept3;
|
||||
accept2.resize(max(dfa.states.size(), (size_t) 2));
|
||||
dfa.nonmatching->map_perms_to_accept(accept[0],
|
||||
accept2[0]);
|
||||
accept2[0],
|
||||
accept3,
|
||||
prompt);
|
||||
dfa.start->map_perms_to_accept(accept[1],
|
||||
accept2[1]);
|
||||
accept2[1],
|
||||
accept3,
|
||||
prompt);
|
||||
}
|
||||
next_check.resize(max(optimal, (size_t) dfa.max_range));
|
||||
free_list.resize(next_check.size());
|
||||
|
@ -131,12 +136,15 @@ CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
|
|||
if (!(opts.control & CONTROL_DFA_TRANS_HIGH)) {
|
||||
for (Partition::iterator i = dfa.states.begin(); i != dfa.states.end(); i++) {
|
||||
if (*i != dfa.nonmatching && *i != dfa.start) {
|
||||
uint32_t accept3;
|
||||
insert_state(free_list, *i, dfa);
|
||||
if (permindex)
|
||||
accept[num.size()] = (*i)->idx;
|
||||
else
|
||||
(*i)->map_perms_to_accept(accept[num.size()],
|
||||
accept2[num.size()]);
|
||||
accept2[num.size()],
|
||||
accept3,
|
||||
prompt);
|
||||
num.insert(make_pair(*i, num.size()));
|
||||
}
|
||||
if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) {
|
||||
|
@ -151,12 +159,15 @@ CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
|
|||
i != order.end(); i++) {
|
||||
if (i->second != dfa.nonmatching &&
|
||||
i->second != dfa.start) {
|
||||
uint32_t accept3;
|
||||
insert_state(free_list, i->second, dfa);
|
||||
if (permindex)
|
||||
accept[num.size()] = i->second->idx;
|
||||
else
|
||||
i->second->map_perms_to_accept(accept[num.size()],
|
||||
accept2[num.size()]);
|
||||
accept2[num.size()],
|
||||
accept3,
|
||||
prompt);
|
||||
num.insert(make_pair(i->second, num.size()));
|
||||
}
|
||||
if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) {
|
||||
|
@ -484,7 +495,7 @@ void CHFA::flex_table(ostream &os)
|
|||
|
||||
*/
|
||||
void CHFA::weld_file_to_policy(CHFA &file_chfa, size_t &new_start,
|
||||
bool accept_idx,
|
||||
bool accept_idx, bool prompt,
|
||||
vector <aa_perms> &policy_perms,
|
||||
vector <aa_perms> &file_perms)
|
||||
{
|
||||
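Review bot: In the `CHFA` constructor each call site now declares a throwaway `uint32_t accept3` purely to satisfy the new `map_perms_to_accept` signature and never reads it, so the prompt bits returned in `accept3` are silently dropped on the legacy (non-`permindex`) path. That appears intentional, since the legacy accept table has only two words per state, but it is worth saying so at the declaration, e.g. `uint32_t accept3; /* prompt bits; not representable in the 2-word accept table, discarded */`, so a later reader does not mistake it for a lost value. It would also be cleaner to hoist the one scratch variable to function scope than to declare it in three places. The constructor body is cut at both hunk edges.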
|
|
|
@ -40,8 +40,7 @@ class CHFA {
|
|||
public:
|
||||
CHFA(void);
|
||||
CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
|
||||
bool permindex);
|
||||
|
||||
bool permindex, bool prompt);
|
||||
void dump(ostream & os);
|
||||
void flex_table(ostream &os);
|
||||
void init_free_list(vector<pair<size_t, size_t> > &free_list,
|
||||
|
@ -51,7 +50,7 @@ class CHFA {
|
|||
void insert_state(vector<pair<size_t, size_t> > &free_list,
|
||||
State *state, DFA &dfa);
|
||||
void weld_file_to_policy(CHFA &file_chfa, size_t &new_start,
|
||||
bool accept_idx,
|
||||
bool accept_idx, bool prompt,
|
||||
vector <aa_perms> &policy_perms,
|
||||
vector <aa_perms> &file_perms);
|
||||
|
||||
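Review bot: `chfa.h` adds `bool prompt` to both the constructor and `weld_file_to_policy` without a comment, and in the constructor it sits directly after `bool permindex`, so a caller that swaps the two booleans still compiles. A one-line comment on each, e.g. `bool permindex, bool prompt); /* prompt: encode prompt bits into the accept table under PROMPT_COMPAT_DEV */`, documents the intent; the class body continues outside this hunk.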
|
|
|
@ -1308,12 +1308,13 @@ void DFA::apply_equivalence_classes(map<transchar, transchar> &eq)
|
|||
}
|
||||
|
||||
void DFA::compute_perms_table_ent(State *state, size_t pos,
|
||||
vector <aa_perms> &perms_table)
|
||||
vector <aa_perms> &perms_table,
|
||||
bool prompt)
|
||||
{
|
||||
uint32_t accept1, accept2, accept3;
|
||||
|
||||
// until front end doesn't map the way it does
|
||||
state->map_perms_to_accept(accept1, accept2, accept3);
|
||||
state->map_perms_to_accept(accept1, accept2, accept3, prompt);
|
||||
if (filedfa) {
|
||||
state->idx = pos * 2;
|
||||
perms_table[pos*2] = compute_fperms_user(accept1, accept2, accept3);
|
||||
|
@ -1324,7 +1325,7 @@ void DFA::compute_perms_table_ent(State *state, size_t pos,
|
|||
}
|
||||
}
|
||||
|
||||
void DFA::compute_perms_table(vector <aa_perms> &perms_table)
|
||||
void DFA::compute_perms_table(vector <aa_perms> &perms_table, bool prompt)
|
||||
{
|
||||
size_t mult = filedfa ? 2 : 1;
|
||||
size_t pos = 2;
|
||||
|
@ -1334,13 +1335,13 @@ void DFA::compute_perms_table(vector <aa_perms> &perms_table)
|
|||
|
||||
// nonmatching and start need to be 0 and 1 so handle outside of loop
|
||||
if (filedfa)
|
||||
compute_perms_table_ent(nonmatching, 0, perms_table);
|
||||
compute_perms_table_ent(start, 1, perms_table);
|
||||
compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
|
||||
compute_perms_table_ent(start, 1, perms_table, prompt);
|
||||
|
||||
for (Partition::iterator i = states.begin(); i != states.end(); i++) {
|
||||
if (*i == nonmatching || *i == start)
|
||||
continue;
|
||||
compute_perms_table_ent(*i, pos, perms_table);
|
||||
compute_perms_table_ent(*i, pos, perms_table, prompt);
|
||||
pos++;
|
||||
}
|
||||
}
|
||||
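Review bot: `compute_perms_table_ent` now calls `map_perms_to_accept(..., prompt)` and then feeds `accept2` into `compute_fperms_user`/the policy permission computation; per the hfa.h hunk, when `prompt` is set and `prompt_compat_mode == PROMPT_COMPAT_DEV` the audit bits in `accept2` are replaced by `perms.prompt`, even though `accept3` already carries `perms.prompt` on this path. If the permstable32 path can ever run with the DEV compat mode active, audit information for prompt rules would be silently lost from the perms table; if that combination is excluded elsewhere, a comment here should say so, e.g. `// in PROMPT_COMPAT_DEV accept2's audit field carries prompt bits; permstable32 builds are expected to use PERMSV* modes`. The "until front end doesn't map the way it does" comment already hints this mapping is transitional, so documenting the invariant would help whoever removes it.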
|
|
|
@ -34,6 +34,8 @@
|
|||
|
||||
#include "expr-tree.h"
|
||||
#include "policy_compat.h"
|
||||
#include "../rule.h"
|
||||
extern int prompt_compat_mode;
|
||||
|
||||
#define DiffEncodeFlag 1
|
||||
|
||||
|
@ -258,9 +260,13 @@ public:
|
|||
void flatten_relative(State *, int upper_bound);
|
||||
|
||||
int apply_and_clear_deny(void) { return perms.apply_and_clear_deny(); }
|
||||
void map_perms_to_accept(uint32_t &accept1, uint32_t &accept2, uint32_t &accept3)
|
||||
void map_perms_to_accept(uint32_t &accept1, uint32_t &accept2,
|
||||
uint32_t &accept3, bool prompt)
|
||||
{
|
||||
accept1 = perms.allow;
|
||||
if (prompt && prompt_compat_mode == PROMPT_COMPAT_DEV)
|
||||
accept2 = PACK_AUDIT_CTL(perms.prompt, perms.quiet & perms.deny);
|
||||
else
|
||||
accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet & perms.deny);
|
||||
accept3 = perms.prompt;
|
||||
}
|
||||
|
@ -358,8 +364,10 @@ public:
|
|||
void apply_equivalence_classes(map<transchar, transchar> &eq);
|
||||
|
||||
void compute_perms_table_ent(State *state, size_t pos,
|
||||
vector <aa_perms> &perms_table);
|
||||
void compute_perms_table(vector <aa_perms> &perms_table);
|
||||
vector <aa_perms> &perms_table,
|
||||
bool prompt);
|
||||
void compute_perms_table(vector <aa_perms> &perms_table,
|
||||
bool prompt);
|
||||
|
||||
unsigned int diffcount;
|
||||
int oob_range;
|
||||
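Review bot: `State::map_perms_to_accept` now overloads the audit field of `accept2` — under `prompt && prompt_compat_mode == PROMPT_COMPAT_DEV` it packs `perms.prompt` where `perms.audit` used to go — so any `audit` modifier on such a rule is not encoded in that word, and the behavior depends on a process-global rather than on the arguments alone. Both facts deserve a comment at the function, e.g. `/* PROMPT_COMPAT_DEV: the kernel's audit-ctl slot is repurposed to carry prompt bits, so perms.audit is not encoded for this mode */`. Separately, `extern int prompt_compat_mode;` declared in this library header ties libapparmor_re to a symbol the parser must define; a comment naming where it lives (`/* defined in the parser */`) or moving the declaration to the included `../rule.h` next to the `PROMPT_COMPAT_*` values would make that dependency explicit. The surrounding class declaration is outside this hunk.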
|
|
|
@ -324,10 +324,6 @@ do { \
|
|||
/* The parser fills this variable in automatically */
|
||||
#define PROFILE_NAME_VARIABLE "profile_name"
|
||||
|
||||
#define PROMPT_COMPAT_IGNORE 0
|
||||
#define PROMPT_COMPAT_PERMSV2 1
|
||||
#define PROMPT_COMPAT_DEV 2
|
||||
#define PROMPT_COMPAT_PERMSV1 3
|
||||
|
||||
/* from parser_common.c */
|
||||
extern uint32_t policy_version;
|
||||
|
|
|
@ -578,7 +578,7 @@ build:
|
|||
*
|
||||
* we don't need to build xmatch for permstable32, so don't
|
||||
*/
|
||||
prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, kernel_supports_permstable32 && !kernel_supports_permstable32_v1);
|
||||
prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, false, false);
|
||||
delete rules;
|
||||
if (!prof->xmatch)
|
||||
return FALSE;
|
||||
|
@ -785,7 +785,8 @@ int process_profile_regex(Profile *prof)
|
|||
prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size,
|
||||
&xmatch_len, prof->dfa.perms_table,
|
||||
parseopts, true,
|
||||
prof->uses_prompt_rules && kernel_supports_permstable32);
|
||||
prof->uses_prompt_rules && kernel_supports_permstable32,
|
||||
prof->uses_prompt_rules);
|
||||
delete prof->dfa.rules;
|
||||
prof->dfa.rules = NULL;
|
||||
if (!prof->dfa.dfa)
|
||||
|
@ -1149,7 +1150,8 @@ int process_profile_policydb(Profile *prof)
|
|||
&xmatch_len,
|
||||
&prof->policy.file_start,
|
||||
prof->policy.perms_table, parseopts,
|
||||
kernel_supports_permstable32_v1);
|
||||
kernel_supports_permstable32_v1,
|
||||
prof->uses_prompt_rules);
|
||||
delete prof->policy.rules;
|
||||
delete prof->dfa.rules;
|
||||
prof->policy.rules = NULL;
|
||||
|
@ -1165,7 +1167,8 @@ int process_profile_policydb(Profile *prof)
|
|||
&xmatch_len,
|
||||
prof->policy.perms_table,
|
||||
parseopts, false,
|
||||
prof->uses_prompt_rules && kernel_supports_permstable32);
|
||||
prof->uses_prompt_rules && kernel_supports_permstable32,
|
||||
prof->uses_prompt_rules);
|
||||
delete prof->policy.rules;
|
||||
|
||||
prof->policy.rules = NULL;
|
||||
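Review bot: The `prompt` argument is passed as `prof->uses_prompt_rules` unconditionally while `extended_perms` is gated on `kernel_supports_permstable32`, so whether prompt bits actually reach the accept tables is decided only by the global `prompt_compat_mode` checked inside `map_perms_to_accept`; that coupling between kernel-feature checks and compat mode is invisible at these call sites. A comment at the first call, e.g. `/* prompt: only changes encoding when prompt_compat_mode == PROMPT_COMPAT_DEV */`, would make it clear that passing `true` on a non-DEV mode is a no-op rather than a policy change. The xmatch call now hardcodes `false, false`, which matches the comment above it that xmatch needs no permstable32 build. `process_profile_regex` and `process_profile_policydb` both extend beyond the hunks shown.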
|
|
|
@ -27,6 +27,12 @@
|
|||
|
||||
using namespace std;
|
||||
|
||||
#define PROMPT_COMPAT_IGNORE 0
|
||||
#define PROMPT_COMPAT_PERMSV2 1
|
||||
#define PROMPT_COMPAT_DEV 2
|
||||
#define PROMPT_COMPAT_PERMSV1 3
|
||||
|
||||
|
||||
class Profile;
|
||||
|
||||
#define RULE_NOT_SUPPORTED 0
|
||||
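Review bot: The `PROMPT_COMPAT_*` values moved here from parser.h remain bare `#define`s compared against a plain `int prompt_compat_mode`, so the compiler cannot flag an out-of-range value or a missed case. Since this is C++ and the file already uses `using namespace std;`, an `enum` (e.g. `enum prompt_compat { PROMPT_COMPAT_IGNORE = 0, PROMPT_COMPAT_PERMSV2, PROMPT_COMPAT_DEV, PROMPT_COMPAT_PERMSV1 };`) would keep the same values and names while giving the comparisons a type. Whether every parser translation unit that used these constants now includes rule.h cannot be checked from this page.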
|
|