lp:~tyhicks/apparmor/for-jj

Created by Tyler Hicks and last modified
Get this branch:
bzr branch lp:~tyhicks/apparmor/for-jj

Branch information

Owner:
Tyler Hicks
Project:
AppArmor
Status:
Development

Recent revisions

2619. By Tyler Hicks

parser: Don't write the stream's address to the rule buffer

The writeu16() function was returning the address of the passed in
std::ostringstream and then the callers of that function were
incorrectly writing that address to the rule buffer.

Signed-off-by: Tyler Hicks <email address hidden>

2618. By Tyler Hicks

parser: Adjust writeu16() to output escaped byte sequences

The writeu16() function was outputting unescaped byte sequences to the
rule buffer. That resulted in the generation of an incomplete rule if
one of those unescaped byte sequences contained 0x00.

This patch uses u8 pointers, instead of char pointers, when writing out
the big endian u16 value. More importantly, it casts the u8 values to
unsigned ints, which is what's needed to get the properly escaped byte
sequences.

Signed-off-by: Tyler Hicks <email address hidden>

2617. By Steve Beattie

parser: initialize perms in unix_rule constructor

On Mon, Aug 25, 2014 at 05:06:07PM -0700, <email address hidden> wrote:
> +unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
> + af_rule("unix"), path(NULL), peer_path(NULL)
> +{
> + if (type_p != 0xffffffff) {
> + sock_type_n = type_p;
> + sock_type = strdup(net_find_type_name(type_p));
> + if (!sock_type)
> + yyerror("socket rule: invalid socket type '%d'", type_p);
> + }
> + mode = AA_VALID_NET_PERMS;
> + audit = audit_p ? AA_VALID_NET_PERMS : 0;
> + deny = denied;
> +}
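
Review bot: in this hunk `sock_type = strdup(net_find_type_name(type_p));` hands the lookup result to strdup() before the `if (!sock_type)` check, so if net_find_type_name() signals an unknown type by returning NULL (which the check implies it can), strdup(NULL) is reached first and the `yyerror("socket rule: invalid socket type '%d'", type_p)` path never runs; test the lookup result for NULL first and only then strdup() it. Minor: `type_p` is unsigned, so `%u` fits that message better than `%d`.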

This unix_rule constructor sets audit and deny (so they do not need to
be initialized); yet

> +unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
> + struct cond_entry *peer_conds):
> + af_rule("unix"), path(NULL), peer_path(NULL)
> +{
> + move_conditionals(conds);
> + move_peer_conditionals(peer_conds);
> +
> + if (mode_p) {
> + mode = mode_p;
> + if (mode & ~AA_VALID_NET_PERMS)
> + yyerror("mode contains invalid permissions for unix socket rules\n");
> + else if ((mode & AA_NET_BIND) &&
> + ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> + /* Do we want to loosen this? */
> + yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
> + else if ((mode & AA_NET_LISTEN) &&
> + ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> + /* Do we want to loosen this? */
> + yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
> + else if ((mode & AA_NET_ACCEPT) &&
> + ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> + /* Do we want to loosen this? */
> + yyerror("unix socket 'accept' access cannot be used with message rule conditionals\n");
> + } else {
> + mode = AA_VALID_NET_PERMS;
> + }
> +
> + free_cond_list(conds);
> + free_cond_list(peer_conds);
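
Review bot: this constructor sets `mode` but never assigns `audit` or `deny`, while the first constructor sets both (`audit = audit_p ? AA_VALID_NET_PERMS : 0; deny = denied;`), so a unix_rule built through this path carries whatever happened to be in those members; initialize them in both constructors, most simply in the member initializer list next to `path(NULL), peer_path(NULL)`. Also, `mode = mode_p;` is stored before the `mode & ~AA_VALID_NET_PERMS` check, so should yyerror() ever return, the invalid mode stays in the rule.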

this unix_rule constructor does not. The following patch fixes the issue.

Signed-off-by: Steve Beattie <email address hidden>

2616. By Tyler Hicks

parser: Fix AF_UNIX stub rule creation

The patch titled "parser: Add support for unix domain socket rules."
modified the code that creates the stub rules for rule types that the
parser supports.

It added new stub rules for extended network and AF_UNIX rule types but
it also changed the stub rules for all existing rule types. That change
causes the kernel to not enforce some rule types.

This patch fixes the stub rule creation so that existing rule types
continue to be enforced, as well as AF_UNIX rule types when the parser
and kernel both support them.

Here's the DFA states generated before applying the patch mentioned
above:

$ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{3} (0x 10004/0/0/0)

{1} -> {2}: 0x2f /
{2} -> {3}: 0x66 f

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)

{1} -> {2}: 0x2
{1} -> {2}: 0x7
{1} -> {2}: 0x9
{1} -> {2}: 0xa
{1} -> {2}: 0x20 \

Here are the DFA states generated after applying the patch mentioned
above:

$ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{3} (0x 10004/0/0/0)

{1} -> {2}: 0x2f /
{2} -> {3}: 0x66 f

{1} <== (allow/deny/audit/quiet)
{4} (0x 4/0/0/0)

{1} -> {2}: 0x0
{1} -> {3}: 0x34 4
{2} -> {4}: 0x2
{2} -> {4}: 0x4
{2} -> {4}: 0x7
{2} -> {4}: 0x9
{2} -> {4}: 0xa
{2} -> {4}: 0x20 \
{3} -> {4}: 0x31 1

Here are DFA states generated after applying this patch:

$ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{3} (0x 10004/0/0/0)

{1} -> {2}: 0x2f /
{2} -> {3}: 0x66 f

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)

{1} -> {2}: 0x2
{1} -> {2}: 0x4
{1} -> {2}: 0x7
{1} -> {2}: 0x9
{1} -> {2}: 0xa
{1} -> {2}: 0x20 \
{1} -> {3}: 0x34 4
{3} -> {4}: 0x0
{4} -> {2}: 0x31 1

Signed-off-by: Tyler Hicks <email address hidden>

2615. By John Johansen

map the net permission set into a form compatible with the old dfa table

The old dfa table format has two 64-bit permission fields used to store
all of allow, quiet, audit, owner/!owner and transition mask. This leaves
7 bits for entry + a few other special bits.

Since policydb entries, when using the old style dfa permission format,
don't support the !owner permission entries, we can map the high network
permission bits to these entries.

This allows us to enforce base network permissions on systems with
only support for the old dfa table format.

Signed-off-by: John Johansen <email address hidden>

2614. By John Johansen

split accept perm processing from rule parsing

Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>

2613. By John Johansen

Refactor add_new_state into two versions, one that splits anodes from nnodes, and one for use when anodes and nnodes are presplit

Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>

=== modified file 'parser/libapparmor_re/hfa.cc'

2612. By John Johansen

Refactor the process_work_queue code into its own fn

Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>

=== modified file 'parser/libapparmor_re/hfa.cc'

2611. By John Johansen

Refactor accept nodes to be common to a shared node type

The shared node type will be used in the future to add new capabilities

Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>

=== modified file 'parser/libapparmor_re/expr-tree.h'

2610. By John Johansen

Refactor rule accumulation to use some helper functions

Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:apparmor/2.12