mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
a28e66c5fe
Convert the codomain to a class, and the policy lists that store codomains to stl containers instead of glibc twalk. Signed-off-by: John Johansen <john.johansen@canonical.com> [tyhicks: Merge with dbus changes and process_file_entries() cleanup] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
437 lines
10 KiB
C
437 lines
10 KiB
C
/*
|
|
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
|
* NOVELL (All rights reserved)
|
|
*
|
|
* Copyright (c) 2010 - 2012
|
|
* Canonical Ltd. (All rights reserved)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
* License published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, contact Novell, Inc. or Canonical,
|
|
* Ltd.
|
|
*/
|
|
|
|
#include <algorithm>
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <stdarg.h>
|
|
#include <search.h>
|
|
#include <string.h>
|
|
#include <libintl.h>
|
|
#include <errno.h>
|
|
#define _(s) gettext(s)
|
|
|
|
#include "parser.h"
|
|
#include "profile.h"
|
|
#include "mount.h"
|
|
#include "dbus.h"
|
|
#include "parser_yacc.h"
|
|
|
|
/* #define DEBUG */
|
|
#ifdef DEBUG
|
|
#define PDEBUG(fmt, args...) printf("Lexer: " fmt, ## args)
|
|
#else
|
|
#define PDEBUG(fmt, args...) /* Do nothing */
|
|
#endif
|
|
#define NPDEBUG(fmt, args...) /* Do nothing */
|
|
|
|
|
|
ProfileList policy_list;
|
|
|
|
|
|
void add_to_list(Profile *prof)
|
|
{
|
|
pair<ProfileList::iterator, bool> res = policy_list.insert(prof);
|
|
if (!res.second) {
|
|
PERROR("Multiple definitions for profile %s exist,"
|
|
"bailing out.\n", prof->name);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
void add_hat_to_policy(Profile *prof, Profile *hat)
|
|
{
|
|
hat->parent = prof;
|
|
|
|
pair<ProfileList::iterator, bool> res = prof->hat_table.insert(hat);
|
|
if (!res.second) {
|
|
PERROR("Multiple definitions for hat %s in profile %s exist,"
|
|
"bailing out.\n", hat->name, prof->name);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
static int add_entry_to_x_table(Profile *prof, char *name)
|
|
{
|
|
int i;
|
|
for (i = (AA_EXEC_LOCAL >> 10) + 1; i < AA_EXEC_COUNT; i++) {
|
|
if (!prof->exec_table[i]) {
|
|
prof->exec_table[i] = name;
|
|
return i;
|
|
} else if (strcmp(prof->exec_table[i], name) == 0) {
|
|
/* name already in table */
|
|
free(name);
|
|
return i;
|
|
}
|
|
}
|
|
free(name);
|
|
return 0;
|
|
}
|
|
|
|
static int add_named_transition(Profile *prof, struct cod_entry *entry)
|
|
{
|
|
char *name = NULL;
|
|
|
|
/* check to see if it is a local transition */
|
|
if (!entry->ns) {
|
|
char *sub = strstr(entry->nt_name, "//");
|
|
/* does the subprofile name match the rule */
|
|
|
|
if (sub && strncmp(prof->name, sub, sub - entry->nt_name) &&
|
|
strcmp(sub + 2, entry->name) == 0) {
|
|
free(entry->nt_name);
|
|
entry->nt_name = NULL;
|
|
return AA_EXEC_LOCAL >> 10;
|
|
} else if (((entry->mode & AA_USER_EXEC_MODIFIERS) ==
|
|
SHIFT_MODE(AA_EXEC_LOCAL, AA_USER_SHIFT)) ||
|
|
((entry->mode & AA_OTHER_EXEC_MODIFIERS) ==
|
|
SHIFT_MODE(AA_EXEC_LOCAL, AA_OTHER_SHIFT))) {
|
|
if (strcmp(entry->nt_name, entry->name) == 0) {
|
|
free(entry->nt_name);
|
|
entry->nt_name = NULL;
|
|
return AA_EXEC_LOCAL >> 10;
|
|
}
|
|
/* specified as cix so profile name is implicit */
|
|
name = (char *) malloc(strlen(prof->name) + strlen(entry->nt_name)
|
|
+ 3);
|
|
if (!name) {
|
|
PERROR("Memory allocation error\n");
|
|
exit(1);
|
|
}
|
|
sprintf(name, "%s//%s", prof->name, entry->nt_name);
|
|
free(entry->nt_name);
|
|
entry->nt_name = name;
|
|
}
|
|
}
|
|
if (entry->ns) {
|
|
name = (char *) malloc(strlen(entry->ns) + strlen(entry->nt_name) + 3);
|
|
if (!name) {
|
|
PERROR("Memory allocation error\n");
|
|
exit(1);
|
|
}
|
|
sprintf(name, ":%s:%s", entry->ns, entry->nt_name);
|
|
free(entry->ns);
|
|
free(entry->nt_name);
|
|
entry->ns = NULL;
|
|
entry->nt_name = NULL;
|
|
} else {
|
|
name = entry->nt_name;
|
|
}
|
|
|
|
return add_entry_to_x_table(prof, name);
|
|
}
|
|
|
|
void add_entry_to_policy(Profile *prof, struct cod_entry *entry)
|
|
{
|
|
entry->next = prof->entries;
|
|
prof->entries = entry;
|
|
}
|
|
|
|
void post_process_file_entries(Profile *prof)
|
|
{
|
|
struct cod_entry *entry;
|
|
int cp_mode = 0;
|
|
|
|
list_for_each(prof->entries, entry) {
|
|
if (entry->nt_name) {
|
|
int mode = 0;
|
|
int n = add_named_transition(prof, entry);
|
|
if (!n) {
|
|
PERROR("Profile %s has too many specified profile transitions.\n", prof->name);
|
|
exit(1);
|
|
}
|
|
if (entry->mode & AA_USER_EXEC)
|
|
mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT);
|
|
if (entry->mode & AA_OTHER_EXEC)
|
|
mode |= SHIFT_MODE(n << 10, AA_OTHER_SHIFT);
|
|
entry->mode = ((entry->mode & ~AA_ALL_EXEC_MODIFIERS) |
|
|
(mode & AA_ALL_EXEC_MODIFIERS));
|
|
entry->ns = NULL;
|
|
entry->nt_name = NULL;
|
|
}
|
|
/* FIXME: currently change_profile also implies onexec */
|
|
cp_mode |= entry->mode & (AA_CHANGE_PROFILE);
|
|
}
|
|
|
|
/* if there are change_profile rules, this implies that we need
|
|
* access to /proc/self/attr/current
|
|
*/
|
|
if (cp_mode & AA_CHANGE_PROFILE) {
|
|
/* FIXME: should use @{PROC}/@{PID}/attr/{current,exec} */
|
|
struct cod_entry *new_ent;
|
|
char *buffer = strdup("/proc/*/attr/{current,exec}");
|
|
if (!buffer) {
|
|
PERROR("Memory allocation error\n");
|
|
exit(1);
|
|
}
|
|
new_ent = new_entry(NULL, buffer, AA_MAY_WRITE, NULL);
|
|
if (!new_ent) {
|
|
PERROR("Memory allocation error\n");
|
|
exit(1);
|
|
}
|
|
add_entry_to_policy(prof, new_ent);
|
|
}
|
|
}
|
|
|
|
void post_process_mnt_entries(Profile *prof)
|
|
{
|
|
struct mnt_entry *entry;
|
|
|
|
list_for_each(prof->mnt_ents, entry) {
|
|
if (entry->trans) {
|
|
unsigned int mode = 0;
|
|
int n = add_entry_to_x_table(prof, entry->trans);
|
|
if (!n) {
|
|
PERROR("Profile %s has too many specified profile transitions.\n", prof->name);
|
|
exit(1);
|
|
}
|
|
|
|
if (entry->allow & AA_USER_EXEC)
|
|
mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT);
|
|
if (entry->allow & AA_OTHER_EXEC)
|
|
mode |= SHIFT_MODE(n << 10, AA_OTHER_SHIFT);
|
|
entry->allow = ((entry->allow & ~AA_ALL_EXEC_MODIFIERS) |
|
|
(mode & AA_ALL_EXEC_MODIFIERS));
|
|
|
|
entry->trans = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
#define CHANGEHAT_PATH "/proc/[0-9]*/attr/current"
|
|
|
|
/* add file rules to access /proc files to call change_hat()
|
|
*/
|
|
static int profile_add_hat_rules(Profile *prof)
|
|
{
|
|
struct cod_entry *entry;
|
|
|
|
/* TODO: ??? fix logic for when to add to hat/base vs. local */
|
|
/* don't add hat rules for local_profiles or base profiles */
|
|
if (prof->local || prof->hat_table.empty())
|
|
return 0;
|
|
|
|
/* add entry to hat */
|
|
entry = new_entry(NULL, strdup(CHANGEHAT_PATH), AA_MAY_WRITE, NULL);
|
|
if (!entry)
|
|
return ENOMEM;
|
|
|
|
add_entry_to_policy(prof, entry);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int load_policy_list(ProfileList &list, int option)
|
|
{
|
|
int res = 0;
|
|
|
|
for (ProfileList::iterator i = list.begin(); i != list.end(); i++) {
|
|
res = load_profile(option, *i);
|
|
if (res != 0)
|
|
break;
|
|
}
|
|
|
|
return res;
|
|
}
|
|
|
|
int load_flattened_hats(Profile *prof, int option)
|
|
{
|
|
return load_policy_list(prof->hat_table, option);
|
|
}
|
|
|
|
int load_policy(int option)
|
|
{
|
|
return load_policy_list(policy_list, option);
|
|
}
|
|
|
|
int load_hats(sd_serialize *p, Profile *prof)
|
|
{
|
|
for (ProfileList::iterator i = prof->hat_table.begin(); i != prof->hat_table.end(); i++) {
|
|
if (!sd_serialize_profile(p, *i, 0)) {
|
|
PERROR(_("ERROR in profile %s, failed to load\n"),
|
|
(*i)->name);
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
void dump_policy(void)
|
|
{
|
|
policy_list.dump();
|
|
}
|
|
|
|
void dump_policy_names(void)
|
|
{
|
|
policy_list.dump_profile_names(true);
|
|
}
|
|
|
|
/* merge_hats: merges hat_table into hat_table owned by prof */
|
|
static void merge_hats(Profile *prof, ProfileList &hats)
|
|
{
|
|
for (ProfileList::iterator i = hats.begin(); i != hats.end(); ) {
|
|
ProfileList::iterator cur = i++;
|
|
add_hat_to_policy(prof, *cur);
|
|
hats.erase(cur);
|
|
}
|
|
|
|
}
|
|
|
|
Profile *merge_policy(Profile *a, Profile *b)
|
|
{
|
|
Profile *ret = a;
|
|
struct cod_entry *last;
|
|
|
|
if (!a) {
|
|
ret = b;
|
|
goto out;
|
|
}
|
|
if (!b)
|
|
goto out;
|
|
|
|
if (a->name || b->name) {
|
|
PERROR("ASSERT: policy merges shouldn't have names %s %s\n",
|
|
a->name ? a->name : "",
|
|
b->name ? b->name : "");
|
|
exit(1);
|
|
}
|
|
|
|
if (a->entries) {
|
|
list_last_entry(a->entries, last);
|
|
last->next = b->entries;
|
|
} else {
|
|
a->entries = b->entries;
|
|
}
|
|
b->entries = NULL;
|
|
|
|
a->flags.complain = a->flags.complain || b->flags.complain;
|
|
a->flags.audit = a->flags.audit || b->flags.audit;
|
|
|
|
a->caps.allow |= b->caps.allow;
|
|
a->caps.audit |= b->caps.audit;
|
|
a->caps.deny |= b->caps.deny;
|
|
a->caps.quiet |= b->caps.quiet;
|
|
|
|
if (a->net.allow) {
|
|
size_t i;
|
|
for (i = 0; i < get_af_max(); i++) {
|
|
a->net.allow[i] |= b->net.allow[i];
|
|
a->net.audit[i] |= b->net.audit[i];
|
|
a->net.deny[i] |= b->net.deny[i];
|
|
a->net.quiet[i] |= b->net.quiet[i];
|
|
}
|
|
}
|
|
|
|
merge_hats(a, b->hat_table);
|
|
delete b;
|
|
out:
|
|
return ret;
|
|
}
|
|
|
|
int process_profile_rules(Profile *profile)
|
|
{
|
|
int error;
|
|
|
|
error = process_profile_regex(profile);
|
|
if (error) {
|
|
PERROR(_("ERROR processing regexs for profile %s, failed to load\n"), profile->name);
|
|
exit(1);
|
|
return error;
|
|
}
|
|
|
|
error = process_profile_policydb(profile);
|
|
if (error) {
|
|
PERROR(_("ERROR processing policydb rules for profile %s, failed to load\n"),
|
|
(profile)->name);
|
|
exit(1);
|
|
return error;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int post_process_policy_list(ProfileList &list, int debug_only);
|
|
int post_process_profile(Profile *profile, int debug_only)
|
|
{
|
|
int error = 0;
|
|
|
|
error = profile_add_hat_rules(profile);
|
|
if (error) {
|
|
PERROR(_("ERROR adding hat access rule for profile %s\n"),
|
|
profile->name);
|
|
return error;
|
|
}
|
|
|
|
error = process_profile_variables(profile);
|
|
if (error) {
|
|
PERROR(_("ERROR expanding variables for profile %s, failed to load\n"), profile->name);
|
|
exit(1);
|
|
return error;
|
|
}
|
|
|
|
error = replace_profile_aliases(profile);
|
|
if (error) {
|
|
PERROR(_("ERROR replacing aliases for profile %s, failed to load\n"), profile->name);
|
|
return error;
|
|
}
|
|
|
|
error = profile_merge_rules(profile);
|
|
if (error) {
|
|
PERROR(_("ERROR merging rules for profile %s, failed to load\n"), profile->name);
|
|
exit(1);
|
|
return error;
|
|
}
|
|
|
|
if (!debug_only) {
|
|
error = process_profile_rules(profile);
|
|
if (error)
|
|
return error;
|
|
}
|
|
|
|
error = post_process_policy_list(profile->hat_table, debug_only);
|
|
return error;
|
|
}
|
|
|
|
int post_process_policy_list(ProfileList &list, int debug_only)
|
|
{
|
|
int error = 0;
|
|
for (ProfileList::iterator i = list.begin(); i != list.end(); i++) {
|
|
error = post_process_profile(*i, debug_only);
|
|
if (error)
|
|
break;
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
int post_process_policy(int debug_only)
|
|
{
|
|
return post_process_policy_list(policy_list, debug_only);
|
|
}
|
|
|
|
void free_policies(void)
|
|
{
|
|
policy_list.clear();
|
|
}
|