extend the flags in preparation for audit control
This commit is contained in:
parent
814773b2e1
commit
d2eeef8291
3 changed files with 38 additions and 17 deletions
|
@ -32,36 +32,50 @@
|
|||
#define AA_MAY_LINK (1 << 4)
|
||||
#define AA_MAY_LOCK (1 << 5)
|
||||
#define AA_EXEC_MMAP (1 << 6)
|
||||
#define AA_EXEC_UNSAFE (1 << 7)
|
||||
#define AA_EXEC_MOD_0 (1 << 8)
|
||||
#define AA_EXEC_MOD_1 (1 << 9)
|
||||
#define AA_MAY_MOUNT (1 << 7)
|
||||
#define AA_EXEC_UNSAFE (1 << 8)
|
||||
#define AA_EXEC_MOD_0 (1 << 9)
|
||||
#define AA_EXEC_MOD_1 (1 << 10)
|
||||
#define AA_EXEC_MOD_2 (1 << 11)
|
||||
#define AA_EXEC_MOD_3 (1 << 12)
|
||||
#define AA_EXEC_MOD_4 (1 << 13)
|
||||
|
||||
#define AA_BASE_PERMS (AA_MAY_EXEC | AA_MAY_WRITE | \
|
||||
AA_MAY_READ | AA_MAY_APPEND | \
|
||||
AA_MAY_LINK | AA_MAY_LOCK | \
|
||||
AA_EXEC_MMAP | AA_EXEC_UNSAFE | \
|
||||
AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
|
||||
AA_MAY_MOUNT | AA_EXEC_MMAP | \
|
||||
AA_EXEC_UNSAFE | \
|
||||
AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
|
||||
AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
|
||||
AA_EXEC_MOD_4)
|
||||
|
||||
#define AA_USER_SHIFT 0
|
||||
#define AA_OTHER_SHIFT 10
|
||||
#define AA_OTHER_SHIFT 14
|
||||
|
||||
#define AA_USER_PERMS (AA_BASE_PERMS << AA_USER_SHIFT)
|
||||
#define AA_OTHER_PERMS (AA_BASE_PERMS << AA_OTHER_SHIFT)
|
||||
|
||||
#define AA_FILE_PERMS (AA_USER_PERMS | AA_OTHER_PERMS )
|
||||
|
||||
#define AA_AUDIT_FIELD (1 << 28)
|
||||
#define AA_CHANGE_HAT (1 << 29)
|
||||
#define AA_CHANGE_PROFILE (1 << 30)
|
||||
#define AA_ERROR_BIT (1 << 31)
|
||||
#define AA_SHARED_PERMS (AA_CHANGE_PROFILE | AA_ERROR_BIT)
|
||||
#define AA_SHARED_PERMS (AA_CHANGE_HAT | AA_CHANGE_PROFILE | \
|
||||
AA_AUDIT_FIELD | AA_ERROR_BIT)
|
||||
|
||||
|
||||
#define AA_EXEC_MODIFIERS (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
|
||||
#define AA_EXEC_MODIFIERS (AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
|
||||
AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
|
||||
AA_EXEC_MOD_4)
|
||||
|
||||
#define AA_EXEC_TYPE (AA_MAY_EXEC | AA_EXEC_UNSAFE | \
|
||||
AA_EXEC_MODIFIERS)
|
||||
|
||||
#define AA_EXEC_UNCONFINED 0
|
||||
#define AA_EXEC_INHERIT (AA_EXEC_MOD_0)
|
||||
#define AA_EXEC_PROFILE (AA_EXEC_MOD_1)
|
||||
#define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
|
||||
#define AA_EXEC_UNCONFINED (AA_EXEC_MOD_0)
|
||||
#define AA_EXEC_INHERIT (AA_EXEC_MOD_1)
|
||||
#define AA_EXEC_PROFILE (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
|
||||
#define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_2)
|
||||
|
||||
#define AA_VALID_PERMS (AA_FILE_PERMS | AA_CHANGE_PROFILE)
|
||||
|
||||
|
|
|
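Review bot: `AA_VALID_PERMS` on the last line of the hunk is left as `(AA_FILE_PERMS | AA_CHANGE_PROFILE)`, so it excludes the newly added `AA_CHANGE_HAT` and `AA_AUDIT_FIELD`; the commented-out `perms & ~AA_VALID_PERMS` check in accept_perms (second file) would reject every audited or change_hat permission the moment it is re-enabled, so it should read `#define AA_VALID_PERMS (AA_FILE_PERMS | AA_CHANGE_HAT | AA_CHANGE_PROFILE | AA_AUDIT_FIELD)`. With `AA_OTHER_SHIFT` moved to 14 and `AA_BASE_PERMS` spanning bits 0–13, the other-side perms occupy bits 14–27 and the four shared flags 28–31 fill the 32-bit word exactly, so a comment above AA_BASE_PERMS such as `/* bits 0-13: user perms, 14-27: other perms, 28-31: shared flags -- no free bits left */` would stop the next extension of the base perms from colliding with AA_AUDIT_FIELD. `AA_EXEC_UNCONFINED` also changes from 0 to `AA_EXEC_MOD_0`, which is a strict subset of the new `AA_EXEC_PROFILE` (`AA_EXEC_MOD_0 | AA_EXEC_MOD_1`); any caller that tests these with `perms & AA_EXEC_UNCONFINED` instead of comparing the masked modifier field for equality would now match a profile transition as unconfined, which cannot be confirmed from this hunk.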
@ -1538,6 +1538,9 @@ uint32_t accept_perms(State *state)
|
|||
fprintf(stderr, "error bit 0x%x\n", perms);
|
||||
exit(255);
|
||||
}
|
||||
|
||||
//if (perms & AA_EXEC_BITS)
|
||||
//fprintf(stderr, "accept perm: 0x%x\n", perms);
|
||||
/*
|
||||
if (perms & ~AA_VALID_PERMS)
|
||||
yyerror(_("Internal error accumulated invalid perm 0x%llx\n"), perms);
|
||||
|
@ -1554,8 +1557,8 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, uint32_t perms,
|
|||
int count, char **rulev)
|
||||
{
|
||||
static MatchFlag *match_flags[sizeof(perms) * 8 - 1];
|
||||
static MatchFlag *exec_match_flags[8 * 2];
|
||||
static ExactMatchFlag *exact_match_flags[8 * 2];
|
||||
static MatchFlag *exec_match_flags[64 * 2]; /* mods + unsafe *u::o*/
|
||||
static ExactMatchFlag *exact_match_flags[64 * 2]; /* mods + unsafe *u::o*/
|
||||
Node *tree = NULL, *accept;
|
||||
int exact_match;
|
||||
|
||||
|
@ -1593,11 +1596,14 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, uint32_t perms,
|
|||
flip_tree(tree);
|
||||
|
||||
#define ALL_EXEC_TYPE (AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE)
|
||||
#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7)
|
||||
#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
|
||||
|
||||
if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS))
|
||||
fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
|
||||
|
||||
//if (perms & ALL_EXEC_TYPE)
|
||||
// fprintf(stderr, "adding X rule %s 0x%x\n", rulev[0], perms);
|
||||
|
||||
accept = NULL;
|
||||
for (unsigned int n = 0; perms && n < (sizeof(perms) * 8) - 1; n++) {
|
||||
uint32_t mask = 1 << n;
|
||||
|
@ -1614,8 +1620,9 @@ if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS))
|
|||
index = EXTRACT_X_INDEX(eperm, AA_USER_SHIFT);
|
||||
} else {
|
||||
eperm = mask | (perms & AA_OTHER_EXEC_TYPE);
|
||||
index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + 8;
|
||||
index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + 16;
|
||||
}
|
||||
//fprintf(stderr, "index %d eperm 0x%x\n", index, eperm);
|
||||
if (exact_match) {
|
||||
if (exact_match_flags[index]) {
|
||||
flag = exact_match_flags[index]->dup();
|
||||
|
|
|
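Review bot: In the `@@ -1614` hunk the other-side index is computed as `EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + 16`, but the extractor now yields six bits (`& 0x3f`, values 0–63) and the tables were enlarged to `64 * 2`, so the user range 0–63 and the other range 16–79 overlap while entries 80–127 are never used. A user-side exec mode with index i ≥ 16 and an other-side mode with index i − 16 therefore share one cached `exec_match_flags`/`exact_match_flags` entry, and the `dup()` on the last visible line hands back a flag built for a different eperm; whether that reaches the DFA accept permissions depends on code outside the hunk, but the tables were clearly sized for an offset of 64. The line should read `index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + 64;`, ideally with the offset and the table size derived from one named constant. On an unchanged but visible line, `(!perms & AA_EXEC_BITS)` applies `!` before `&` and so never tests the exec bit; the warning text implies `!(perms & AA_EXEC_BITS)`. aare_add_rule_vec begins and ends outside the hunks shown.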
@ -569,7 +569,7 @@ rule: file_mode id_or_var TOK_END_OF_RULE
|
|||
|
||||
rule: TOK_UNSAFE file_mode id_or_var TOK_END_OF_RULE
|
||||
{
|
||||
int mode = (($2 & AA_EXEC_BITS) << 7) & ALL_AA_EXEC_UNSAFE;
|
||||
int mode = (($2 & AA_EXEC_BITS) << 8) & ALL_AA_EXEC_UNSAFE;
|
||||
if (!($2 & AA_EXEC_BITS))
|
||||
yyerror(_("unsafe rule missing exec permissions"));
|
||||
$$ = do_file_rule(NULL, $3, ($2 & ~ALL_AA_EXEC_UNSAFE) | mode,
|
||||
|
|
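Review bot: The shift in `int mode = (($2 & AA_EXEC_BITS) << 8) & ALL_AA_EXEC_UNSAFE;` is a second copy of the permission header's bit layout (AA_EXEC_UNSAFE now at bit 8, which implies AA_MAY_EXEC sits at bit 0), and the fact that this line had to change together with the header shows nothing ties the two; the next relayout can silently map unsafe rules onto a different flag. Either derive the shift from a named constant defined next to AA_EXEC_UNSAFE in the header (constructed name: `AA_EXEC_UNSAFE_SHIFT`), or at minimum add `/* AA_MAY_EXEC bit -> AA_EXEC_UNSAFE bit; must track the bit layout in the permission header */` above the line. The rule action continues past the end of the hunk.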