parser: Make xattr attachment generation conditional on kernel support
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent
9b0a98d00e
commit
e5ea3e4a0d
4 changed files with 31 additions and 0 deletions
|
@ -309,6 +309,8 @@ extern int kernel_supports_signal;
|
|||
extern int kernel_supports_ptrace;
|
||||
extern int kernel_supports_unix;
|
||||
extern int kernel_supports_stacking;
|
||||
extern int kernel_supports_domain_xattr;
|
||||
extern int kernel_supports_oob;
|
||||
extern int conf_verbose;
|
||||
extern int conf_quiet;
|
||||
extern int names_only;
|
||||
|
|
|
@ -74,6 +74,8 @@ int kernel_supports_diff_encode = 0; /* kernel supports diff_encode */
|
|||
int kernel_supports_signal = 0; /* kernel supports signal rules */
|
||||
int kernel_supports_ptrace = 0; /* kernel supports ptrace rules */
|
||||
int kernel_supports_stacking = 0; /* kernel supports stacking */
|
||||
int kernel_supports_domain_xattr = 0; /* x attachment cond */
|
||||
int kernel_supports_oob = 0; /* out of band transitions */
|
||||
int conf_verbose = 0;
|
||||
int conf_quiet = 0;
|
||||
int names_only = 0;
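Review bot: The comment on the new `kernel_supports_domain_xattr` definition, `/* x attachment cond */`, is terser than its neighbours and the abbreviation will not be obvious to the next reader; `/* kernel supports xattr attachment conditionals */` would match the style of the surrounding lines. The `kernel_supports_oob` comment could likewise name what the flag gates, e.g. `/* kernel supports out of band transitions */`, since the flag is later tested together with the xattr one to decide whether attachment conditions survive compilation.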
|
||||
|
|
|
@ -788,6 +788,10 @@ static void set_supported_features(aa_features *kernel_features unused)
|
|||
"policy/diff_encode");
|
||||
kernel_supports_stacking = aa_features_supports(compile_features,
|
||||
"domain/stack");
|
||||
kernel_supports_domain_xattr = aa_features_supports(compile_features,
|
||||
"domain/attach_conditions/xattr");
|
||||
kernel_supports_oob = aa_features_supports(compile_features,
|
||||
"policy/outofband");
|
||||
|
||||
if (aa_features_supports(compile_features, "policy/versions/v7"))
|
||||
kernel_abi_version = 7;
|
||||
|
|
|
@ -457,6 +457,22 @@ char *get_xattr_value(struct cond_entry *entry)
|
|||
return entry->vals->value;
|
||||
}
|
||||
|
||||
/* do we want to warn once/profile or just once per compile?? */
|
||||
static void warn_once_xattr(const char *name)
|
||||
{
|
||||
static const char *warned_name = NULL;
|
||||
|
||||
if ((warnflags & WARN_RULE_DOWNGRADED) && warned_name != name) {
|
||||
cerr << "Warning from profile " << name << " (";
|
||||
if (current_filename)
|
||||
cerr << current_filename;
|
||||
else
|
||||
cerr << "stdin";
|
||||
cerr << ") xattr attachment conditional ignored\n";
|
||||
warned_name = name;
|
||||
}
|
||||
}
|
||||
|
||||
static int process_profile_name_xmatch(Profile *prof)
|
||||
{
|
||||
std::string tbuf;
|
||||
|
@ -508,6 +524,12 @@ static int process_profile_name_xmatch(Profile *prof)
|
|||
}
|
||||
}
|
||||
if (prof->xattrs.list) {
|
||||
if (!(kernel_supports_domain_xattr && kernel_supports_oob)) {
|
||||
warn_once_xattr(name);
|
||||
free_cond_entry_list(prof->xattrs);
|
||||
goto build;
|
||||
}
|
||||
|
||||
for (entry = prof->xattrs.list; entry; entry = entry->next) {
|
||||
xattr_value = get_xattr_value(entry);
|
||||
if (!xattr_value)
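Review bot: The downgrade branch added to `process_profile_name_xmatch` frees `prof->xattrs` and jumps to `build`, but nothing in the hunk resets `prof->xattrs.list` to NULL; unless `free_cond_entry_list` clears the head itself (not visible here), the profile keeps a dangling list pointer that a later walk or the profile's teardown could revisit, so an explicit `prof->xattrs.list = NULL;` after the free would make the state unambiguous. Dropping the xattr conditions presumably leaves the profile attaching on its path match alone, a broader attachment than the author wrote, yet the only signal is `warn_once_xattr`, which stays silent unless `WARN_RULE_DOWNGRADED` is set in `warnflags`; a one-line comment such as `/* kernel cannot enforce xattr conditions: attachment is widened to the path match */` would tell a reader that policy is being loosened rather than merely trimmed. `warn_once_xattr` also decides "once" by pointer identity (`warned_name != name`) and keeps that pointer in a static after the profile that owns it may have been released, so whether the warning fires once per profile or once per compile depends on allocator reuse rather than on the name itself; comparing with `strcmp` or keying on the profile object would turn the open question in the comment above that function into a decision. The enclosing function starts and ends outside the hunk.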
|
||||
|
@ -529,6 +551,7 @@ static int process_profile_name_xmatch(Profile *prof)
|
|||
}
|
||||
}
|
||||
}
|
||||
build:
|
||||
prof->xmatch = rules->create_dfa(&prof->xmatch_size, &prof->xmatch_len, dfaflags);
|
||||
delete rules;
|
||||
if (!prof->xmatch)
|
||||
|
|