parser: enable extended perms if supported by the kernel

Currently, use of extended perms depends on prompt rules being present
in the policy. Switch to using extended perms whenever the kernel supports them.

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2024-05-14 05:02:19 -07:00
parent 2737cb2c2b
commit ee1a5e6e18
3 changed files with 7 additions and 4 deletions


@ -1583,7 +1583,10 @@ static bool get_kernel_features(struct aa_features **features)
} }
kernel_supports_permstable32_v1 = aa_features_supports(*features, "policy/permstable32_version/0x000001"); kernel_supports_permstable32_v1 = aa_features_supports(*features, "policy/permstable32_version/0x000001");
if (kernel_supports_permstable32_v1) { if (kernel_supports_permstable32_v1) {
//fprintf(stderr, "kernel supports prompt_v1\n"); /* permstabl32 is broken in kernels that only support v1
* so disable it
*/
kernel_supports_permstable32 = false;
} }
/* set default prompt_compat_mode to the best that is supported */ /* set default prompt_compat_mode to the best that is supported */
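Review bot: The new comment on the `if (kernel_supports_permstable32_v1)` branch misspells the feature name and says neither what is broken nor what the fallback is, which is exactly what a maintainer debugging a v1-only kernel will need; suggest `/* permstable32 is broken in kernels that only advertise permstable32 v1 (policy/permstable32_version/0x000001), so treat it as unsupported rather than emit a table the kernel mishandles */`. The branch also drops the extended-perms path silently now that the old `//fprintf` line is gone; a message through the parser's normal debug facility would make the fallback visible when a profile unexpectedly loads without extended perms. This assumes `kernel_supports_permstable32` is assigned earlier in `get_kernel_features`, which starts before this hunk. If a kernel can advertise more than one permstable32 version, it is worth confirming that a newer version listed alongside v1 does not also trip this branch.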


@ -791,7 +791,7 @@ int process_profile_regex(Profile *prof)
prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size, prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size,
&xmatch_len, prof->dfa.perms_table, &xmatch_len, prof->dfa.perms_table,
parseopts, true, parseopts, true,
prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2), kernel_supports_permstable32,
prof->uses_prompt_rules); prof->uses_prompt_rules);
delete prof->dfa.rules; delete prof->dfa.rules;
prof->dfa.rules = NULL; prof->dfa.rules = NULL;
@ -1174,7 +1174,7 @@ int process_profile_policydb(Profile *prof)
&xmatch_len, &xmatch_len,
prof->policy.perms_table, prof->policy.perms_table,
parseopts, false, parseopts, false,
prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2), kernel_supports_permstable32,
prof->uses_prompt_rules); prof->uses_prompt_rules);
delete prof->policy.rules; delete prof->policy.rules;
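Review bot: Both `create_dfablob` calls drop the `prompt_compat_mode == PROMPT_COMPAT_PERMSV2` condition, so kernel support for permstable32 now decides the perms table regardless of the selected prompt compatibility mode; if a caller can still select a non-PERMSV2 mode (not visible here), that selection no longer affects the emitted table, and whether that is intended should be stated at the call site, e.g. `/* extended perms are driven by kernel support, not by prompt_compat_mode */`. The same two flags are now passed identically in `process_profile_regex` and `process_profile_policydb`; a small `static bool` helper returning `kernel_supports_permstable32` for the extended-perms decision would keep the policy in one place when it changes again. Both enclosing functions, and the `create_dfablob` call in the second hunk, begin outside the hunk.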


@ -155,7 +155,7 @@ echo "ok"
## NOTE: change count from 6 to 7 when extend perms is not dependent on ## NOTE: change count from 6 to 7 when extend perms is not dependent on
## prompt rules being present ## prompt rules being present
echo -n "Minimize profiles extended no-filter audit deny perms " echo -n "Minimize profiles extended no-filter audit deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 7 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
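Review bot: The `## NOTE: change count from 6 to 7 when extend perms is not dependent on prompt rules being present` comment is now stale: this commit makes exactly that change and bumps the expected count to 7, but leaves the instruction in place, so the next reader is told to do something already done. Replace it with a comment that explains the current expectation, e.g. `## extended perms are used whenever the kernel feature file advertises them, so the audit deny rule adds a state: expect 7`. The `-M features_files/features.extended-perms-no-policydb` feature file is what the test depends on; if its contents change, the count assumption changes with it.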