parser: Generate accept states for denied dbus and mount rules

When using the deny rule modifier, accept states were not being
generated for dbus and mount rules. This means that the actions were
being denied, but it was not possible to quiet the auditing of the
actions.

The problem is that the deny and audit members of the dbus_entry and
mnt_entry structs were being used incorrectly. The deny member is a
boolean, not a bitmask. When the deny modifier is exclusively used in a
rule, the deny boolean should be true and the audit mask should be equal
to the perm mask.

Here's the old parser output for denied dbus and mount rules:

  $ dbus="/t { deny dbus, }"
  $ mount="/t { deny mount, }"
  $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
  {1} <== (allow/deny/audit/quiet)
  $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
  {1} <== (allow/deny/audit/quiet)

With this patch, the accept states are generated correctly with deny and
quiet masks:

  $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
  {1} <== (allow/deny/audit/quiet)
  {3} (0x 0/40/0/40)
  {7} (0x 0/46/0/46)
  $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
  {1} <== (allow/deny/audit/quiet)
  {5} (0x 0/2/0/2)

https://launchpad.net/bugs/1226356

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
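To make the field semantics the message describes concrete, here is a small model added for this page (not apparmor_parser code): `apply_prefix` mirrors the patched grammar actions, and `to_accept` renders an entry as the allow/deny/audit/quiet tuple that `-D dfa-states` prints. The struct and field names are assumed, and the rendering rule (deny perm goes to the deny column, the audit mask to the quiet column) is inferred from the states printed above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct prefix { bool owner, deny, audit; };   /* flags collected from opt_prefix */
/* Stand-in for the perm/deny/audit members of mnt_entry and dbus_entry
 * (field names assumed; the real structs carry more). */
struct entry { uint32_t perm; bool deny; uint32_t audit; };
/* Accept-state tuple as printed by -D dfa-states: allow/deny/audit/quiet. */
struct accept { uint32_t allow, deny, audit, quiet; };
/* Fold the prefix into the entry as the patched actions do: deny is a bool,
 * and a denied rule gets its audit mask set equal to its perm mask. */
static void apply_prefix(struct entry *e, struct prefix p) {
    if (p.deny) {
        e->deny = true;
        e->audit = e->perm;
    } else if (p.audit) {
        e->audit = e->perm;
    }
}

/* Render the tuple. For a deny entry the perm mask lands in the deny column
 * and the audit mask in the quiet column; otherwise perm is the allow mask and
 * audit stays audit. This rule is inferred from the states printed in the
 * commit message, not taken from the parser source. */
static struct accept to_accept(const struct entry *e) {
    struct accept a = { 0, 0, 0, 0 };
    if (e->deny) {
        a.deny = e->perm;
        a.quiet = e->audit;
    } else {
        a.allow = e->perm;
        a.audit = e->audit;
    }
    return a;
}

/* Build an entry from a perm mask and prefix and return its accept tuple. */
struct accept accept_for(uint32_t perm, struct prefix p) {
    struct entry e = { perm, false, 0 };
    apply_prefix(&e, p);
    return to_accept(&e);
}

int main(void) {
    /* "deny mount," with the 0x2 perm seen in the message's {5} state */
    struct accept m = accept_for(0x2, (struct prefix){ false, true, false });
    printf("(0x %x/%x/%x/%x)\n", m.allow, m.deny, m.audit, m.quiet); /* (0x 0/2/0/2) */
    return 0;
}
```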
Tyler Hicks 2013-09-27 17:25:39 -07:00
parent a28e66c5fe
commit 6d2b2ef2b9

@ -658,10 +658,12 @@ rules: rules opt_prefix mnt_rule
{
if ($2.owner)
yyerror(_("owner prefix not allow on mount rules"));
if ($2.deny)
$3->deny = $3->allow;
if ($2.audit)
if ($2.deny) {
$3->deny = 1;
$3->audit = $3->allow;
} else if ($2.audit) {
$3->audit = $3->allow;
}
$3->next = $1->mnt_ents;
$1->mnt_ents = $3;
$$ = $1;
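Review bot: the new `if ($2.deny)` branch sets `$3->deny = 1; $3->audit = $3->allow;` without consulting `$2.audit`, so `audit deny mount,` and plain `deny mount,` now produce the same entry; the commit message only describes the case where deny is used exclusively, so either confirm that the combined prefix is meant to collapse to that case or give it its own branch. Since the action fills in `audit` for a denied rule and the dfa-states output in the message shows that mask surfacing as the quiet mask, a one-line comment to that effect would save the next reader from re-deriving why a deny rule carries an audit mask at all.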
@ -671,10 +673,12 @@ rules: rules opt_prefix dbus_rule
{
if ($2.owner)
yyerror(_("owner prefix not allow on dbus rules"));
if ($2.deny)
$3->deny = $3->mode;
if ($2.audit)
if ($2.deny) {
$3->deny = 1;
$3->audit = $3->mode;
} else if ($2.audit) {
$3->audit = $3->mode;
}
$3->next = $1->dbus_ents;
$1->dbus_ents = $3;
$$ = $1;
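Review bot: this action is now a line-for-line copy of the mount action above, differing only in `$3->mode` versus `$3->allow`; consider pulling the prefix handling into a small helper (or giving both entry structs the same perm field name) so the deny/audit semantics live in one place the next time they change. Nit in the unchanged context: `owner prefix not allow on dbus rules` should read `not allowed`, and the mount action has the same wording.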