parser: Clean up dbus accept state bitmasks

AppArmor dbus rules are split into two classes. The first is
(send receive) rules and the second is bind rules. When the parser was
creating its internal representation of dbus rules, it wasn't separating
the overlapping bitmasks for (send receive) perms and bind perms.

(send receive) perms are 0x06 and bind perms are 0x40. Here's the old
parser output for an audit dbus rule that has accept states for
(send receive) and for bind:

  $ dbus="/t { audit dbus, }"
  $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
  {1} <== (allow/deny/audit/quiet)
  {3} (0x 40/0/40/0)
  {7} (0x 46/0/46/0)

The {3} state is the accept state for the bind perms. The {7} state is
the accept state for the (send receive) perms. Note that the bind perm
mask bled over into the (send receive) accept state's mask.

With this patch, the masks for the two accept states do not overlap:

  $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
  {1} <== (allow/deny/audit/quiet)
  {3} (0x 40/0/40/0)
  {7} (0x 6/0/6/0)

Additionally, this patch makes the rule creation for (send receive)
perms more strict to keep any future perm bits from unintentionally
slipping into the (send receive) accept states.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
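The two masking behaviours the message compares (bind bits bleeding into the send/receive accept state before the patch, separate masks after it), as an added C example that is not part of this commit or of the AppArmor parser; the individual SEND/RECEIVE bit values and the helper names are assumptions:

```c
#include <stdint.h>

/* Constructed for this example: the page gives send+receive as 0x06 and bind
 * as 0x40; the split of 0x06 into SEND/RECEIVE is an assumption. */
#define AA_DBUS_SEND    0x02
#define AA_DBUS_RECEIVE 0x04
#define AA_DBUS_BIND    0x40
#define AA_DBUS_SR      (AA_DBUS_SEND | AA_DBUS_RECEIVE)

struct accept_mask { uint32_t perm, audit; };   /* masks on one accept state */
/* bind state, send/receive state, and mode bits in neither class */
struct dbus_split { struct accept_mask bind, sr; uint32_t unknown; };

/* Pre-patch logic as the commit message describes it: the send/receive rule
 * is built from the unmasked mode, so bind bits bleed into that state. */
struct dbus_split split_old(uint32_t mode, uint32_t audit)
{
    struct dbus_split s = {{0, 0}, {0, 0}, 0};
    if (mode & AA_DBUS_BIND) {
        s.bind.perm = mode & AA_DBUS_BIND;
        s.bind.audit = audit & AA_DBUS_BIND;
    }
    if (mode & ~AA_DBUS_BIND) {          /* non-bind, but left unmasked */
        s.sr.perm = mode;
        s.sr.audit = audit;
    }
    return s;
}

/* Post-patch logic: each class keeps only its own bits, and bits outside
 * both classes are surfaced in `unknown` instead of riding along silently. */
struct dbus_split split_new(uint32_t mode, uint32_t audit)
{
    struct dbus_split s = {{0, 0}, {0, 0}, 0};
    if (mode & AA_DBUS_BIND) {
        s.bind.perm = mode & AA_DBUS_BIND;
        s.bind.audit = audit & AA_DBUS_BIND;
    }
    if (mode & AA_DBUS_SR) {
        s.sr.perm = mode & AA_DBUS_SR;
        s.sr.audit = audit & AA_DBUS_SR;
    }
    s.unknown = mode & ~(AA_DBUS_BIND | AA_DBUS_SR);
    return s;
}
```

For the `audit dbus,` rule in the message, mode and audit are both 0x46: `split_old` yields a send/receive mask of 0x46, `split_new` yields 0x06 with the bind state at 0x40 in both cases.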
Tyler Hicks 2013-09-27 17:27:23 -07:00
parent ef8a468f1f
commit c70710d4c7

@ -1112,11 +1112,17 @@ static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry
}
if (entry->mode & AA_DBUS_BIND) {
if (!aare_add_rule_vec(dfarules, entry->deny, entry->mode & AA_DBUS_BIND, entry->audit & AA_DBUS_BIND, 2, vec, dfaflags))
if (!aare_add_rule_vec(dfarules, entry->deny,
entry->mode & AA_DBUS_BIND,
entry->audit & AA_DBUS_BIND,
2, vec, dfaflags))
goto fail;
}
if (entry->mode & ~AA_DBUS_BIND) {
if (!aare_add_rule_vec(dfarules, entry->deny, entry->mode, entry->audit, 6, vec, dfaflags))
if (entry->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) {
if (!aare_add_rule_vec(dfarules, entry->deny,
entry->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
entry->audit & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
6, vec, dfaflags))
goto fail;
}
return TRUE;
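Review bot: the new `if (entry->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE))` guard in the second block drops any mode bit outside bind/send/receive silently, whereas the old `entry->mode & ~AA_DBUS_BIND` branch at least carried it into a rule; since the stated goal is to keep future perm bits from slipping into the wrong accept state, consider an explicit check for unexpected bits (e.g. `entry->mode & ~(AA_DBUS_BIND | AA_DBUS_SEND | AA_DBUS_RECEIVE)`) that fails the entry or emits a warning, so a new bit is noticed rather than ignored. A one-line comment above the two blocks noting that bind and send/receive are separate accept states whose perm and audit masks must not overlap would also document why both `entry->mode` and `entry->audit` are now masked per class.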