parser: don't set xbits when using permstable32_v1
The use of xbits cannot pass verification, so we need to leave them off; this makes the profile a leaf profile. Signed-off-by: John Johansen <john.johansen@canonical.com>
parent
5bd2271189
commit
89673d0c5e
6 changed files with 43 additions and 14 deletions
|
@ -32,6 +32,8 @@
|
|||
|
||||
#include "policy_compat.h"
|
||||
#include "../perms.h"
|
||||
#include "../rule.h"
|
||||
extern int prompt_compat_mode;
|
||||
|
||||
|
||||
/* remap old accept table embedded permissions to separate permission table */
|
||||
|
@ -131,9 +133,11 @@ struct aa_perms compute_fperms_user(uint32_t accept1, uint32_t accept2,
|
|||
perms.prompt = map_old_perms(dfa_user_allow(accept3));
|
||||
perms.audit = map_old_perms(dfa_user_audit(accept1, accept2));
|
||||
perms.quiet = map_old_perms(dfa_user_quiet(accept1, accept2));
|
||||
if (prompt_compat_mode != PROMPT_COMPAT_PERMSV1)
|
||||
perms.xindex = dfa_user_xindex(accept1);
|
||||
|
||||
compute_fperms_allow(&perms, accept1);
|
||||
perms.prompt &= ~(perms.allow | perms.deny);
|
||||
return perms;
|
||||
}
|
||||
|
||||
|
@ -146,9 +150,11 @@ struct aa_perms compute_fperms_other(uint32_t accept1, uint32_t accept2,
|
|||
perms.prompt = map_old_perms(dfa_other_allow(accept3));
|
||||
perms.audit = map_old_perms(dfa_other_audit(accept1, accept2));
|
||||
perms.quiet = map_old_perms(dfa_other_quiet(accept1, accept2));
|
||||
if (prompt_compat_mode != PROMPT_COMPAT_PERMSV1)
|
||||
perms.xindex = dfa_other_xindex(accept1);
|
||||
|
||||
compute_fperms_allow(&perms, accept1);
|
||||
perms.prompt &= ~(perms.allow | perms.deny);
|
||||
return perms;
|
||||
}
|
||||
|
||||
|
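Review bot: Skipping the `perms.xindex` assignment when `prompt_compat_mode == PROMPT_COMPAT_PERMSV1` only gives a clean "no xbits" result if `perms` is value-initialized before the hunk; the declaration of `perms` in compute_fperms_user is above the visible lines, so please confirm it is zeroed (e.g. `struct aa_perms perms = {};`), otherwise `xindex` is left indeterminate. The same branch is repeated in compute_fperms_other in the next hunk and the reason lives only in the commit message, so a comment at both sites would help: `/* permstable32_v1 can not verify xbits; leave xindex unset (leaf profile) */`. `PROMPT_COMPAT_PERMSV1` is used here but none of the added lines include the header that defines it, so verify it is reachable through an existing include. Both functions start outside the hunks.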
|
|
@ -90,7 +90,7 @@ int kernel_supports_oob = 0; /* out of band transitions */
|
|||
int kernel_supports_promptdev = 0; /* prompt via audit perms */
|
||||
int kernel_supports_permstable32 = 0; /* extended permissions */
|
||||
int kernel_supports_permstable32_v1 = 0; /* extended permissions */
|
||||
int prompt_compat_mode = 0;
|
||||
int prompt_compat_mode = PROMPT_COMPAT_UNKNOWN;
|
||||
int conf_verbose = 0;
|
||||
int conf_quiet = 0;
|
||||
int names_only = 0;
|
||||
|
@ -176,12 +176,19 @@ bool prompt_compat_mode_supported(int mode)
|
|||
if (mode == PROMPT_COMPAT_PERMSV2 &&
|
||||
(kernel_supports_permstable32 && !kernel_supports_permstable32_v1))
|
||||
return true;
|
||||
/*
|
||||
else if (mode == PROMPT_COMPAT_DEV &&
|
||||
kernel_supports_promptdev)
|
||||
return true;
|
||||
*/
|
||||
else if (mode == PROMPT_COMPAT_FLAG &&
|
||||
kernel_supports_permstable32)
|
||||
return true;
|
||||
/*
|
||||
else if (mode == PROMPT_COMPAT_PERMSV1 &&
|
||||
(kernel_supports_permstable32_v1))
|
||||
return true;
|
||||
*/
|
||||
else if (mode == PROMPT_COMPAT_IGNORE)
|
||||
return true;
|
||||
|
||||
|
@ -194,6 +201,8 @@ int default_prompt_compat_mode()
|
|||
return PROMPT_COMPAT_PERMSV2;
|
||||
if (prompt_compat_mode_supported(PROMPT_COMPAT_DEV))
|
||||
return PROMPT_COMPAT_DEV;
|
||||
if (prompt_compat_mode_supported(PROMPT_COMPAT_FLAG))
|
||||
return PROMPT_COMPAT_FLAG;
|
||||
if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV1))
|
||||
return PROMPT_COMPAT_PERMSV1;
|
||||
if (prompt_compat_mode_supported(PROMPT_COMPAT_IGNORE))
|
||||
|
@ -207,6 +216,9 @@ void print_prompt_compat_mode(FILE *f)
|
|||
case PROMPT_COMPAT_IGNORE:
|
||||
fprintf(f, "ignore");
|
||||
break;
|
||||
case PROMPT_COMPAT_FLAG:
|
||||
fprintf(f, "flag");
|
||||
break;
|
||||
case PROMPT_COMPAT_PERMSV2:
|
||||
fprintf(f, "permsv2");
|
||||
break;
|
||||
|
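Review bot: The `/* ... */`-disabled branches in prompt_compat_mode_supported leave PROMPT_COMPAT_DEV and PROMPT_COMPAT_PERMSV1 always unsupported, yet default_prompt_compat_mode in the following hunk still probes both, so those two `if`s are dead until the comments come out; either drop the commented code and the dead probes, or record why they are disabled, e.g. `/* PERMSV1: not auto-selected while xbits can not pass verification */`. process_arg in the same commit still accepts `permsv1` and `dev` explicitly, so "supported" and "selectable" now diverge — if that is intended it deserves a comment. The print_prompt_compat_mode switch gains a `flag` case; whether cases for PROMPT_COMPAT_UNKNOWN and PROMPT_COMPAT_PERMSV1 exist below the hunk is not visible here — if not, add them so the printed mode is never blank. The enclosing functions start and end outside the hunks.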
|
|
@ -795,13 +795,17 @@ static int process_arg(int c, char *optarg)
|
|||
break;
|
||||
case ARG_PROMPT_COMPAT:
|
||||
if (strcmp(optarg, "permsv2") == 0) {
|
||||
prompt_compat_mode = PROMPT_COMPAT_PERMSV1;
|
||||
prompt_compat_mode = PROMPT_COMPAT_PERMSV2;
|
||||
} else if (strcmp(optarg, "permsv1") == 0) {
|
||||
prompt_compat_mode = PROMPT_COMPAT_PERMSV1;
|
||||
} else if (strcmp(optarg, "default") == 0) {
|
||||
prompt_compat_mode = default_prompt_compat_mode();
|
||||
} else if (strcmp(optarg, "dev") == 0) {
|
||||
prompt_compat_mode = PROMPT_COMPAT_DEV;
|
||||
} else if (strcmp(optarg, "ignore") == 0) {
|
||||
prompt_compat_mode = PROMPT_COMPAT_IGNORE;
|
||||
} else if (strcmp(optarg, "flag") == 0) {
|
||||
prompt_compat_mode = PROMPT_COMPAT_FLAG;
|
||||
} else {
|
||||
PERROR("%s: Invalid --prompt-compat option '%s'\n",
|
||||
progname, optarg);
|
||||
|
@ -1571,15 +1575,17 @@ static bool get_kernel_features(struct aa_features **features)
|
|||
kernel_supports_promptdev = aa_features_supports(*features, "policy/perms_compatprompt");
|
||||
kernel_supports_permstable32 = aa_features_supports(*features, "policy/permstable32");
|
||||
if (kernel_supports_permstable32) {
|
||||
fprintf(stderr, "kernel supports prompt\n");
|
||||
//fprintf(stderr, "kernel supports prompt\n");
|
||||
}
|
||||
kernel_supports_permstable32_v1 = aa_features_supports(*features, "policy/permstable32/1");
|
||||
kernel_supports_permstable32_v1 = aa_features_supports(*features, "policy/permstable32_version/0x000001");
|
||||
if (kernel_supports_permstable32_v1) {
|
||||
fprintf(stderr, "kernel supports prompt\n");
|
||||
//fprintf(stderr, "kernel supports prompt_v1\n");
|
||||
}
|
||||
|
||||
/* set default prompt_compat_mode to the best that is supported */
|
||||
if (prompt_compat_mode == PROMPT_COMPAT_UNKNOWN) {
|
||||
prompt_compat_mode = default_prompt_compat_mode();
|
||||
}
|
||||
if (!kernel_supports_diff_encode)
|
||||
/* clear diff_encode because it is not supported */
|
||||
parseopts.control &= ~CONTROL_DFA_DIFF_ENCODE;
|
||||
|
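Review bot: In process_arg the `default` option resolves `default_prompt_compat_mode()` at option-parse time, which only works if the kernel_supports_* probes have already run; the second hunk makes get_kernel_features resolve PROMPT_COMPAT_UNKNOWN later, so the `default` branch could set `prompt_compat_mode = PROMPT_COMPAT_UNKNOWN;` and reuse that path — please check the call order, which is outside the hunk. The explicit `permsv1`, `dev` and `flag` choices set the mode without consulting prompt_compat_mode_supported(); if an unsupported selection is meant to be rejected, that check belongs here with a PERROR like the invalid-option branch. In get_kernel_features the debug `fprintf(stderr, ...)` lines are commented out rather than removed; prefer deleting them or routing them through the parser's existing debug output. Both functions start and end outside the hunks.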
|
|
@ -244,6 +244,9 @@ int post_process_profile(Profile *profile, int debug_only)
|
|||
if (prompt_compat_mode == PROMPT_COMPAT_DEV && profile->uses_prompt_rules)
|
||||
profile->flags.flags |= FLAG_PROMPT_COMPAT;
|
||||
|
||||
else if (prompt_compat_mode == PROMPT_COMPAT_FLAG && profile->uses_prompt_rules)
|
||||
profile->flags.mode = MODE_PROMPT;
|
||||
|
||||
return error;
|
||||
}
|
||||
|
||||
|
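Review bot: `profile->flags.mode = MODE_PROMPT;` replaces whatever mode the profile already carried rather than combining with it; if prompt is meant to override a mode set from the profile's own flags silently, that deserves a comment, otherwise check for a conflict and warn first. There is no branch for PROMPT_COMPAT_PERMSV1 here, which is consistent with the commit message's "leaf profile" handling but invisible in the code — a short comment such as `/* PERMSV1: no profile flag; xbits are dropped in policy_compat instead */` would record it. post_process_profile starts outside the hunk.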
|
|
@ -785,7 +785,7 @@ int process_profile_regex(Profile *prof)
|
|||
prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size,
|
||||
&xmatch_len, prof->dfa.perms_table,
|
||||
parseopts, true,
|
||||
prof->uses_prompt_rules && kernel_supports_permstable32,
|
||||
prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
|
||||
prof->uses_prompt_rules);
|
||||
delete prof->dfa.rules;
|
||||
prof->dfa.rules = NULL;
|
||||
|
@ -1167,7 +1167,7 @@ int process_profile_policydb(Profile *prof)
|
|||
&xmatch_len,
|
||||
prof->policy.perms_table,
|
||||
parseopts, false,
|
||||
prof->uses_prompt_rules && kernel_supports_permstable32,
|
||||
prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
|
||||
prof->uses_prompt_rules);
|
||||
delete prof->policy.rules;
|
||||
|
||||
|
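Review bot: The replacement condition `prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2)` drops the previous `kernel_supports_permstable32` guard, so an explicitly requested permsv2 mode on a kernel without permstable32 now passes true into create_dfablob; that is only safe if mode selection is validated elsewhere, which I cannot see from here. The same expression appears in both process_profile_regex and process_profile_policydb; a small helper such as `static inline bool prompt_permsv2(const Profile *prof) { return prof->uses_prompt_rules && prompt_compat_mode == PROMPT_COMPAT_PERMSV2; }` keeps the two call sites in step. Both functions extend outside the hunks.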
|
|
@ -27,10 +27,12 @@
|
|||
|
||||
using namespace std;
|
||||
|
||||
#define PROMPT_COMPAT_IGNORE 0
|
||||
#define PROMPT_COMPAT_PERMSV2 1
|
||||
#define PROMPT_COMPAT_DEV 2
|
||||
#define PROMPT_COMPAT_PERMSV1 3
|
||||
#define PROMPT_COMPAT_UNKNOWN 0
|
||||
#define PROMPT_COMPAT_IGNORE 1
|
||||
#define PROMPT_COMPAT_PERMSV2 2
|
||||
#define PROMPT_COMPAT_DEV 3
|
||||
#define PROMPT_COMPAT_FLAG 4
|
||||
#define PROMPT_COMPAT_PERMSV1 5
|
||||
|
||||
|
||||
class Profile;
|
||||
|
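Review bot: Renumbering every PROMPT_COMPAT_* value and introducing PROMPT_COMPAT_UNKNOWN as 0 is fine for an in-process setting, but as plain `#define`s the switch in print_prompt_compat_mode cannot be checked for completeness; an `enum prompt_compat_mode { PROMPT_COMPAT_UNKNOWN = 0, ... }` using the same names lets the compiler flag missing cases as modes are added. A one-line comment stating that 0 is deliberately the "not yet decided" value would also make the zero-initialized `prompt_compat_mode` global read as intentional rather than accidental.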
|