Cleanup mount commands flag masking for policy generation

Simplify flag masking and fix the MS_MAKE_CMDS flag set. This is a
step in fixing

Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017

Signed-off-by: John Johansen <john.johansen@canonical.com>
- rebased to bba1a023bf
- fixed MS_MAKE_CMDS definition to the correct one.
We shouldn't add (MS_ALL_FLAGS & ~(MNT_FLAGS)) to this bitmask.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>

parser/mount.cc

@@ -593,7 +593,6 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	unsigned int tmpflags, tmpinv_flags;
 	int tmpallow;
 
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
@@ -616,13 +615,8 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count)
 	/* skip type */
 	vec[2] = default_match_pattern;
 
-	tmpflags = flags;
-	tmpinv_flags = inv_flags;
-	if (tmpflags != MS_ALL_FLAGS)
-		tmpflags &= MS_REMOUNT_FLAGS;
-	if (tmpinv_flags != MS_ALL_FLAGS)
-		tmpflags &= MS_REMOUNT_FLAGS;
-	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_REMOUNT_FLAGS,
+			     inv_flags & MS_REMOUNT_FLAGS))
 		goto fail;
 
 	vec[3] = flagsbuf;
@@ -667,7 +661,6 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	unsigned int tmpflags, tmpinv_flags;
 
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 
@@ -683,13 +676,8 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count)
 	/* skip type */
 	vec[2] = default_match_pattern;
 
-	tmpflags = flags;
-	tmpinv_flags = inv_flags;
-	if (tmpflags != MS_ALL_FLAGS)
-		tmpflags &= MS_BIND_FLAGS;
-	if (tmpinv_flags != MS_ALL_FLAGS)
-		tmpflags &= MS_BIND_FLAGS;
-	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_BIND_FLAGS,
+			     inv_flags & MS_BIND_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;
 	if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
@@ -712,7 +700,6 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	unsigned int tmpflags, tmpinv_flags;
 
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 
@@ -728,13 +715,8 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count)
 	vec[1] = default_match_pattern;
 	vec[2] = default_match_pattern;
 
-	tmpflags = flags;
-	tmpinv_flags = inv_flags;
-	if (tmpflags != MS_ALL_FLAGS)
-		tmpflags &= MS_MAKE_FLAGS;
-	if (tmpinv_flags != MS_ALL_FLAGS)
-		tmpflags &= MS_MAKE_FLAGS;
-	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_MAKE_FLAGS,
+			     inv_flags & MS_MAKE_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;
 	if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
@@ -757,7 +739,6 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	unsigned int tmpflags, tmpinv_flags;
 
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 
@@ -775,13 +756,8 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count)
 	/* skip type */
 	vec[2] = default_match_pattern;
 
-	tmpflags = flags;
-	tmpinv_flags = inv_flags;
-	if (tmpflags != MS_ALL_FLAGS)
-		tmpflags &= MS_MOVE_FLAGS;
-	if (tmpinv_flags != MS_ALL_FLAGS)
-		tmpflags &= MS_MOVE_FLAGS;
-	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_MOVE_FLAGS,
+			     inv_flags & MS_MOVE_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;
 	if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
@@ -804,7 +780,6 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	unsigned int tmpflags, tmpinv_flags;
 	int tmpallow;
 
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
@@ -822,13 +797,8 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count)
 		goto fail;
 	vec[2] = typebuf.c_str();
 
-	tmpflags = flags;
-	tmpinv_flags = inv_flags;
-	if (tmpflags != MS_ALL_FLAGS)
-		tmpflags &= ~MS_CMDS;
-	if (tmpinv_flags != MS_ALL_FLAGS)
-		tmpinv_flags &= ~MS_CMDS;
-	if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_NEW_FLAGS,
+			     inv_flags & MS_NEW_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;
 
@@ -911,7 +881,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 		if (gen_policy_bind_mount(prof, count) == RULE_ERROR)
 			goto fail;
 	} else if ((allow & AA_MAY_MOUNT) &&
-		   (flags & (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED))
+		   (flags & (MS_MAKE_CMDS))
 		   && !device && !dev_type && !opts) {
 		if (gen_policy_change_mount_type(prof, count) == RULE_ERROR)
 			goto fail;

parser/mount.h

@@ -94,16 +94,15 @@
 			 MS_KERNMOUNT | MS_STRICTATIME)
 
 #define MS_BIND_FLAGS (MS_BIND | MS_RBIND)
-#define MS_MAKE_FLAGS ((MS_UNBINDABLE | MS_RUNBINDABLE | \
+#define MS_MAKE_CMDS (MS_UNBINDABLE | MS_RUNBINDABLE | \
 			MS_PRIVATE | MS_RPRIVATE | \
-			MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED) | \
-		       (MS_ALL_FLAGS & ~(MNT_FLAGS)))
+			MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED)
+#define MS_MAKE_FLAGS  (MS_ALL_FLAGS & ~(MNT_FLAGS))
 #define MS_MOVE_FLAGS (MS_MOVE)
 
-#define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_RBIND | \
-		 MS_UNBINDABLE | MS_RUNBINDABLE | MS_PRIVATE | MS_RPRIVATE | \
-		 MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED)
+#define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_RBIND | MS_MAKE_CMDS)
 #define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~(MS_CMDS & ~MS_REMOUNT & ~MS_BIND & ~MS_RBIND))
+#define MS_NEW_FLAGS (MS_ALL_FLAGS & ~MS_CMDS)
 
 #define MNT_SRC_OPT 1
 #define MNT_DST_OPT 2