Okay, I tested nothing :) but didn't spot anything that looked wrong. Woot! -----Original Message----- From: John Johansen <john.johan...@canonical.com> Date: Tue, 14 Feb 2012 10:10:03 To: <seth.arn...@gmail.com> Cc: <apparmor@lists.ubuntu.com> Subject: Re: [apparmor] [PATCH 11/13] Add Basic infrastructure support for the policydb
On 02/14/2012 10:04 AM, Seth Arnold wrote: > The parser/policydb.h header says to contact Novell for a copy of the GPL > even though Canonical is the only listed copyright header. whee, copy and waste and its best :) thanks Seth > -----Original Message----- > From: John Johansen <john.johan...@canonical.com> > Sender: apparmor-boun...@lists.ubuntu.com > Date: Tue, 14 Feb 2012 09:32:33 > To: <apparmor@lists.ubuntu.com> > Subject: [apparmor] [PATCH 11/13] Add Basic infrastructure support for the > policydb > > policydb is the new matching format, that combines the matching portions > of different rules into a single dfa/hfa. This patch only lays some ground > work it does not add encoding of any rules into the policydb > > Signed-off-by: John Johansen <john.johan...@canonical.com> > --- > parser/parser.h | 8 ++++++++ > parser/parser_interface.c | 20 +++++++++++++++++--- > parser/parser_policy.c | 40 ++++++++++++++++++++++++++++++++++++++++ > parser/parser_regex.c | 42 ++++++++++++++++++++++++++++++++++++++++++ > parser/policydb.h | 40 ++++++++++++++++++++++++++++++++++++++++ > 5 files changed, 147 insertions(+), 3 deletions(-) > create mode 100644 parser/policydb.h > > diff --git a/parser/parser.h b/parser/parser.h > index 6c1cc4f..1da5b87 100644 > --- a/parser/parser.h > +++ b/parser/parser.h > @@ -136,6 +136,11 @@ struct codomain { > int dfarule_count; > void *dfa; > size_t dfa_size; > + > + aare_ruleset_t *policy_rules; > + int policy_rule_count; > + void *policy_dfa; > + size_t policy_dfa_size; > }; > > struct sd_hat { > @@ -275,6 +280,8 @@ extern int process_regex(struct codomain *cod); > extern int post_process_entry(struct cod_entry *entry); > extern void reset_regex(void); > > +extern int process_policydb(struct codomain *cod); > + > /* parser_variable.c */ > extern int process_variables(struct codomain *cod); > extern struct var_string *split_out_var(char *string); 
> @@ -348,6 +355,7 @@ extern void post_process_nt_entries(struct codomain *cod); > extern int post_process_policy(int debug_only); > extern int process_hat_regex(struct codomain *cod); > extern int process_hat_variables(struct codomain *cod); > +extern int process_hat_policydb(struct codomain *cod); > extern int post_merge_rules(void); > extern int merge_hat_rules(struct codomain *cod); > extern struct codomain *merge_policy(struct codomain *a, struct codomain *b); > diff --git a/parser/parser_interface.c b/parser/parser_interface.c > index 6b6d57d..fdd610d 100644 > --- a/parser/parser_interface.c > +++ b/parser/parser_interface.c > @@ -59,6 +59,7 @@ > > #define SUBDOMAIN_INTERFACE_VERSION 2 > #define SUBDOMAIN_INTERFACE_DFA_VERSION 5 > +#define SUBDOMAIN_INTERFACE_POLICY_DB 16 > > int sd_serialize_codomain(int option, struct codomain *cod); > > @@ -654,6 +655,15 @@ int sd_serialize_profile(sd_serialize *p, struct > codomain *profile, > } else if (profile->network_allowed) > pwarn(_("profile %s network rules not enforced\n"), > profile->name); > > + if (profile->policy_dfa && regex_type == AARE_DFA) { > + if (!sd_write_struct(p, "policydb")) > + return 0; > + if (!sd_serialize_dfa(p, profile->policy_dfa, > profile->policy_dfa_size)) > + return 0; > + if (!sd_write_structend(p)) > + return 0; > + } > + > /* either have a single dfa or lists of different entry types */ > if (regex_type == AARE_DFA) { > if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size)) > @@ -685,9 +695,13 @@ int sd_serialize_top_profile(sd_serialize *p, struct > codomain *profile) > { > int version; > > - if (regex_type == AARE_DFA) > - version = SUBDOMAIN_INTERFACE_DFA_VERSION; > - else > + if (regex_type == AARE_DFA) { > + /* Not yet > + if (profile->policy_dfa) > + version = SUBDOMAIN_INTERFACE_POLICYDB; > + else */ > + version = SUBDOMAIN_INTERFACE_DFA_VERSION; > + } else > version = SUBDOMAIN_INTERFACE_VERSION; 
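Review bot: `post_process_policydb` gets no prototype in this parser.h hunk, although the parser_policy.c hunk defines it with external linkage and `post_process_policy` calls it; only `process_hat_policydb` is declared here. It compiles because the definition precedes its single caller in the same file, but the header is then out of step with the other `post_process_*` declarations it sits next to and `-Wmissing-prototypes` will flag it. Adding `extern int post_process_policydb(void);` beside the new line keeps the header complete; if the function is meant to stay file-local, making it `static` is the alternative.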
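Review bot: The new constant is spelled `SUBDOMAIN_INTERFACE_POLICY_DB` here, but the commented-out version selection in the `sd_serialize_top_profile` hunk (@@ -685) refers to `SUBDOMAIN_INTERFACE_POLICYDB`, so enabling that block as written will not compile. One of the two spellings should change now, while the block is still inert; `#define SUBDOMAIN_INTERFACE_POLICYDB 16` matches the name the code expects. Since this value is the interface version written out by `sd_serialize_top_profile` and so appears to be part of the format the kernel checks, a short comment on the define saying what the number corresponds to would also help.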
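Review bot: The `policydb` section is written whenever `profile->policy_dfa` is set, yet the version emitted by `sd_serialize_top_profile` stays at `SUBDOMAIN_INTERFACE_DFA_VERSION` because the bump in the @@ -685 hunk is commented out "Not yet". Today `policy_rule_count` is never raised above 0 (see `post_process_policydb_ents`), so `policy_dfa` stays NULL and nothing is emitted, but the first rule routed into the policydb will silently start emitting an extra struct under the old version number, and whether an older kernel tolerates an unknown struct is not visible here. Either guard this write with the same condition that will select the new version, or tie the two together with a comment: `/* must be enabled together with the POLICYDB version bump in sd_serialize_top_profile */`. The enclosing function sd_serialize_profile starts and ends outside the hunk.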
> > > diff --git a/parser/parser_policy.c b/parser/parser_policy.c > index 1d459d9..0e4a853 100644 > --- a/parser/parser_policy.c > +++ b/parser/parser_policy.c > @@ -294,6 +294,33 @@ int process_hat_regex(struct codomain *cod) > return 0; > } > > +static void __process_policydb(const void *nodep, const VISIT value, > + const int __unused depth) > +{ > + struct codomain **t = (struct codomain **) nodep; > + > + if (value == preorder || value == endorder) > + return; > + > + if (process_policydb(*t) != 0) { > + PERROR(_("ERROR processing policydb rules for profile %s, > failed to load\n"), > + (*t)->name); > + exit(1); > + } > +} > + > +int post_process_policydb(void) > +{ > + twalk(policy_list, __process_policydb); > + return 0; > +} > + > +int process_hat_policydb(struct codomain *cod) > +{ > + twalk(cod->hat_table, __process_policydb); > + return 0; > +} > + > static void __process_variables(const void *nodep, const VISIT value, > const int __unused depth) > { > @@ -706,6 +733,15 @@ int post_process_policy(int debug_only) > } > } > > + if (!debug_only) { > + retval = post_process_policydb(); > + if (retval != 0) { > + PERROR(_("%s: Errors found during policydb postprocess. > Aborting.\n"), > + progname); > + return retval; > + } > + } > + > return retval; > } > > @@ -731,6 +767,10 @@ void free_policy(struct codomain *cod) > aare_delete_ruleset(cod->dfarules); > if (cod->dfa) > free(cod->dfa); > + if (cod->policy_rules) > + aare_delete_ruleset(cod->policy_rules); > + if (cod->policy_dfa) > + free(cod->policy_dfa); > if (cod->name) > free(cod->name); > if (cod->attachment) > diff --git a/parser/parser_regex.c b/parser/parser_regex.c > index f5de63a..50a5836 100644 > --- a/parser/parser_regex.c > +++ b/parser/parser_regex.c 
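Review bot: `__process_policydb` calls `exit(1)` when `process_policydb` fails, so `post_process_policydb` can only ever return 0 and the `retval != 0` branch added to `post_process_policy` (@@ -706) is unreachable, along with its PERROR. This presumably follows the pattern of the neighbouring `__process_variables` walker, so the abort may be deliberate, but then the dead check is misleading to the next reader. Either drop the check or document the walker, e.g. `/* twalk() callback; a profile that fails policydb processing aborts the parser, so post_process_policydb never reports an error */`. The free_policy hunk (@@ -731) is consistent with the existing dfarules/dfa cleanup.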
> @@ -611,6 +611,48 @@ out: > return error; > } > > +int post_process_policydb_ents(struct codomain *cod) > +{ > + int ret = TRUE; > + int count = 0; > + > + /* Add fns for rules that should be added to policydb here */ > + > + cod->policy_rule_count = count; > + return ret; > +} > + > +int process_policydb(struct codomain *cod) > +{ > + int error = -1; > + > + if (regex_type == AARE_DFA) { > + cod->policy_rules = aare_new_ruleset(0); > + if (!cod->policy_rules) > + goto out; > + } > + if (!post_process_policydb_ents(cod)) > + goto out; > + > + if (regex_type == AARE_DFA && cod->policy_rule_count > 0) { > + cod->policy_dfa = aare_create_dfa(cod->policy_rules, > + &cod->policy_dfa_size, > + dfaflags); > + aare_delete_ruleset(cod->policy_rules); > + cod->policy_rules = NULL; > + if (!cod->policy_dfa) > + goto out; > + } > + > + if (process_hat_policydb(cod) != 0) > + goto out; > + > + error = 0; > + > +out: > + return error; > +} > + > void reset_regex(void) > { > aare_reset_matchflags(); > diff --git a/parser/policydb.h b/parser/policydb.h > new file mode 100644 > index 0000000..b488123 > --- /dev/null > +++ b/parser/policydb.h 
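Review bot: The two new functions use different success conventions: `post_process_policydb_ents` returns TRUE/FALSE and is tested with `!`, while `process_policydb` returns 0 on success and -1 on error, which is what `__process_policydb` checks with `!= 0`. Unless this mirrors the existing `post_process_*` helpers in this file, it is worth unifying while `_ents` is still a stub, e.g. returning 0/-1 and testing `if (post_process_policydb_ents(cod) != 0)`. Also, when `regex_type == AARE_DFA` and no rules are collected, the ruleset from `aare_new_ruleset(0)` stays on `cod->policy_rules` until `free_policy`; it could be released right away with `else if (cod->policy_rules) { aare_delete_ruleset(cod->policy_rules); cod->policy_rules = NULL; }` after the `count > 0` block. A header comment on `process_policydb` stating that it converts `policy_rules` into `policy_dfa`, sets `policy_dfa_size`, and recurses into hats via `process_hat_policydb` would make the ownership of those fields clear.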
> @@ -0,0 +1,40 @@ > +/* > + * Copyright 2009-2010 Canonical Ltd. > + * > + * This program is free software; you can redistribute it and/or > + * modify it under the terms of the GNU General Public License as > + * published by the Free Software Foundation, version 2 of the > + * License. > + * > + * This program is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > + * GNU General Public License for more details. > + * > + * You should have received a copy of the GNU General Public License > + * along with this program; if not, contact Novell, Inc. > + */ > + > +#ifndef __AA_POLICYDB_H > +#define __AA_POLICYDB_H > + > +/* > + * Class of mediation types in the AppArmor policy db > + */ > +#define AA_CLASS_COND 0 > +#define AA_CLASS_UNKNOWN 1 > +#define AA_CLASS_FILE 2 > +#define AA_CLASS_CAP 3 > +#define AA_CLASS_NET 4 > +#define AA_CLASS_RLIMITS 5 > +#define AA_CLASS_DOMAIN 6 > +#define AA_CLASS_MOUNT 7 > +#define AA_CLASS_NS_DOMAIN 8 > +#define AA_CLASS_PTRACE 9 > + > +#define AA_CLASS_ENV 16 > + > +#define AA_CLASS_DBUS 32 > +#define AA_CLASS_X 33 > + > +#endif /* __AA_POLICYDB_H */ -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
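Review bot: No hunk in this patch includes `policydb.h`, so the `AA_CLASS_*` values are defined but unused here; if a later patch in the series consumes them that is fine, but the header should say what the numbers mean. These class codes presumably have to agree with whatever the kernel uses when interpreting the policydb, so a comment such as `/* values are part of the policy format shared with the kernel; do not renumber */` would guard against a silent format mismatch. The gaps (10-15, 17-31) and the jump to 16 and 32 look intentional but are unexplained; a one-line note on the grouping would help. `__AA_POLICYDB_H` is a reserved identifier (leading double underscore); if the project's other guards use the same form, consistency wins, otherwise `AA_POLICYDB_H` is safer.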