parser: rework perms rule merging

Instead of pushing the cmp logic for rule merging into each rule class make it the default behavior for the perms_rule_t parent class. Also save off the original perms for the merged rule. For classes that don't want perms merging add an alternate dedup_perms_rule_t clase. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 00:14:44 +01:00 · 2023-07-10 20:04:53 -07:00 · 2023-07-10 20:04:53 -07:00 · 5e8567c9e9
commit 5e8567c9e9
parent 1dfd26aea7
8 changed files with 51 additions and 24 deletions
--- a/parser/af_rule.h
+++ b/parser/af_rule.h
@ -80,8 +80,7 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		/* use class_rule_t instead of perms_rule_t to merge perms */
+		int res = perms_rule_t::cmp(rhs);
 		int res = class_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		af_rule const &trhs = (rule_cast<af_rule const &>(rhs));
--- a/parser/dbus.h
+++ b/parser/dbus.h
@ -65,8 +65,7 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		/* use class_rule_t instead of perms_rule_t to merge perms */
+		int res = perms_rule_t::cmp(rhs);
 		int res = class_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		dbus_rule const &trhs = (rule_cast<dbus_rule const &>(rhs));
--- a/parser/io_uring.h
+++ b/parser/io_uring.h
@ -52,8 +52,7 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		/* use class_rule_t instead of perms_rule_t to merge perms */
+		int res = perms_rule_t::cmp(rhs);
 		int res = class_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		return null_strcmp(label,
--- a/parser/mount.cc
+++ b/parser/mount.cc
@ -649,8 +649,7 @@ static int cmp_vec_int(std::vector<unsigned int> const &lhs,
 }
 int mnt_rule::cmp(rule_t const &rhs) const {
-		/* use class_rule_t instead of perms_rule_t to merge perms */
+		int res = perms_rule_t::cmp(rhs);
 		int res = class_rule_t::cmp(rhs);
 		if (res != 0)
 			return res;
 		mnt_rule const &rhs_mnt = rule_cast<mnt_rule const &>(rhs);
--- a/parser/mqueue.h
+++ b/parser/mqueue.h
@ -110,8 +110,7 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		/* use class_rule_t instead of perms_rule_t to merge perms */
+		int res = perms_rule_t::cmp(rhs);
 		int res = class_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		mqueue_rule const &trhs = rule_cast<mqueue_rule const &>(rhs);
--- a/parser/ptrace.h
+++ b/parser/ptrace.h
@ -55,8 +55,7 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		/* use class_rule_t instead of perms_rule_t to merge perms */
+		int res = perms_rule_t::cmp(rhs);
 		int res = class_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		return null_strcmp(peer_label,
--- a/parser/rule.h
+++ b/parser/rule.h
@ -353,9 +353,48 @@ public:
 };
 /* same as perms_rule_t except enable rule merging instead of just dedup
 * original permission set is saved off
 */
 class perms_rule_t: public class_rule_t {
 public:
-	perms_rule_t(int c): class_rule_t(c), perms(0) { };
+	perms_rule_t(int c): class_rule_t(c), perms(0), saved(0) { };
 	virtual int cmp(rule_t const &rhs) const {
 		/* don't compare perms so they can be merged */
 		return class_rule_t::cmp(rhs);
 	}
 	virtual bool merge(rule_t &rhs)
 	{
 		int res = class_rule_t::merge(rhs);
 		if (!res)
 			return res;
 		if (!saved)
 			saved = perms;
 		perms |= (rule_cast<perms_rule_t const &>(rhs)).perms;
 		return true;
 	};
 	/* defaut perms, override/mask off if none default used */
 	virtual ostream &dump(ostream &os) {
 		class_rule_t::dump(os);
 		if (saved)
 			os << "(0x" << hex << perms << "/orig " << saved << ") ";
 		else
 			os << "(0x" << hex << perms << ") ";
 		return os;
 	}
 	perms_t perms, saved;
 };
 // alternate perms rule class that only does dedup instead of perms merging
 class dedup_perms_rule_t: public class_rule_t {
 public:
 	dedup_perms_rule_t(int c): class_rule_t(c), perms(0) { };
 	virtual int cmp(rule_t const &rhs) const {
 		int res = class_rule_t::cmp(rhs);
@ -364,24 +403,19 @@ public:
 		return perms - (rule_cast<perms_rule_t const &>(rhs)).perms;
 	}
-	virtual bool merge(rule_t &rhs)
+	// inherit default merge which does dedup
 	{
 		int res = class_rule_t::merge(rhs);
 		if (!res)
 			return res;
 		perms |= (rule_cast<perms_rule_t const &>(rhs)).perms;
 		return true;
 	};
 	/* defaut perms, override/mask off if none default used */
 	virtual ostream &dump(ostream &os) {
 		class_rule_t::dump(os);
 		os << "(0x" << hex << perms << ") ";
 		return os;
 	}
 	perms_t perms;
 };
 #endif /* __AA_RULE_H */
--- a/parser/signal.cc
+++ b/parser/signal.cc
@ -249,8 +249,7 @@ static int cmp_set_int(Signals const &lhs, Signals const &rhs)
 int signal_rule::cmp(rule_t const &rhs) const
 {
-	/* use class_rule_t instead of perms_rule_t to merge perms */
+	int res = perms_rule_t::cmp(rhs);
 	int res = class_rule_t::cmp(rhs);
 	if (res)
 		return res;
 	signal_rule const &trhs = rule_cast<signal_rule const &>(rhs);