On 04/06/2012 02:30 PM, Jeff Mahoney wrote: > Hi all - > Hey Jeff > Here's a patch to implement network rule debugging for apparmor_parser. > thanks,
> I have already integrated our AppArmor network extensions with 3.4-rc1 > and can post those if there is interest in including them upstream. > We've been dragging around the network rule code for a while already. > oh please do — there are network extension/improvement patches that are a work in progress, and if things work out we should have much better networking support in the 3.0 release. Out of curiosity, which patches did you use for 3.4? I have been meaning to send you the revisions to the compatibility patches for 3.4. > Please CC me on replies as I'm not on the list. > > -Jeff > > --- > > While integrating 3.4-rc1, I ran into a problem where network rules > weren't being processed. It ultimately boiled down to a kernel issue > but I found it useful to see what the parser thought it was working > with. Since the parser already has a debugging mode that will show things > like capabilities, it was an obvious extension to add network rules. > > Signed-off-by: Jeff Mahoney <[email protected]> There are a couple of compile warnings that I will fix but other than that it looks good to me Acked-by: John Johansen <[email protected]> > --- > parser/parser_misc.c | 104 > ++++++++++++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 103 insertions(+), 1 deletion(-) > > --- a/parser/parser_misc.c > +++ b/parser/parser_misc.c 
> @@ -178,7 +178,13 @@ struct network_tuple {
> 
> /* used by af_name.h to auto generate table entries for "name", AF_NAME
> * pair */
> -#define AA_GEN_NET_ENT(name, AF) {name, AF, "stream", SOCK_STREAM, "", 0xffffff}, {name, AF, "dgram", SOCK_DGRAM, "", > 0xffffff}, {name, AF, > "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, {name, AF, "rdm", SOCK_RDM, "", > 0xffffff}, {name, AF, "raw", SOCK_RAW, "", 0xffffff}, {name, AF, "packet", > SOCK_PACKET, "", 0xffffff},
> +#define AA_GEN_NET_ENT(name, AF) \
> + {name, AF, "stream", SOCK_STREAM, "", 0xffffff}, \
> + {name, AF, "dgram", SOCK_DGRAM, "", 0xffffff}, \
> + {name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, \
> + {name, AF, "rdm", SOCK_RDM, "", 0xffffff}, \
> + {name, AF, "raw", SOCK_RAW, "", 0xffffff}, \
> + {name, AF, "packet", SOCK_PACKET, "", 0xffffff},
> /*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "", 0xfffffff}, */
> 
> static struct network_tuple network_mappings[] = { 
> @@ -908,6 +914,100 @@ void debug_capabilities(struct codomain
> __debug_capabilities(cod->set_caps, "Set Capabilities");
> }
> 
> +const char *sock_types[] = {
> + [0] = "none",
> + [SOCK_STREAM] = "stream",
> + [SOCK_DGRAM] = "dgram",
> + [SOCK_RAW] = "raw",
> + [SOCK_RDM] = "rdm",
> + [SOCK_SEQPACKET] = "seqpacket",
> + [SOCK_PACKET] = "packet",
> + /*
> + * See comment above
> + [SOCK_DCCP] = "dccp",
> + */
> +};
> +#define ALL_TYPES 0x43e
> +
> +#undef AA_GEN_NET_ENT
> +#define AA_GEN_NET_ENT(name, AF) [AF] = name,
> +
> +static const char *network_families[] = {
> +#include "af_names.h"
> +};
> +
> +void __debug_network(unsigned int *array, const char *name)
> +{
> + int count = sizeof(sock_types)/sizeof(sock_types[0]);
> + unsigned int mask = ~((1 << count) -1);
> + unsigned int i, j;
> + int none = 1;
> + size_t af_max = get_af_max();
> +
> + for (i = AF_UNSPEC; i < af_max; i++)
> + if (array[i]) {
> + none = 0;
> + break;
> + }
> +
> + if (none)
> + return;
> +
> + printf("%s: ", name);
> +
> + /* This can only be set by an unqualified network rule */
> + if (array[AF_UNSPEC]) {
> + printf("<all>\n");
> + return;
> + }
> +
> + for (i = 0; i < af_max; i++) {
> + if (array[i]) {
> + const char *fam = network_families[i];
> + int brackets = 0;
> + if (fam)
> + printf("%s ", fam);
> + else
> + printf("#%u ", i);
> +
> + /* All types/protocols */
> + if (array[i] == 0xffffffff || array[i] == ALL_TYPES)
> + continue;
> +
> + printf("{ ");
> +
> + for (j = 0; j < count; j++) {
> + const char *type;
> + if (array[i] & (1 << j)) {
> + type = sock_types[j];
> + if (type)
> + printf("%s ", type);
> + else
> + printf("#%u ", j);
> + }
> + }
> + if (array[i] & mask)
> + printf("#%x ", array[i] & mask);
> +
> + printf("} ");
> + }
> + }
> + printf("\n");
> +}
> +
> +void debug_network(struct codomain *cod)
> +{
> + if (cod->network_allowed)
> + __debug_network(cod->network_allowed, "Network");
> + if (cod->audit_network)
> + __debug_network(cod->audit_network, "Audit 
Net");
> + if (cod->deny_network)
> + __debug_network(cod->deny_network, "Deny Net");
> + if (cod->quiet_network)
> + __debug_network(cod->quiet_network, "Quiet Net");
> +
> +}
> +
> void debug_cod_list(struct codomain *cod)
> {
> if (cod->namespace)
> @@ -925,6 +1025,8 @@ void debug_cod_list(struct codomain
> 
> debug_capabilities(cod);
> 
> + debug_network(cod);
> +
> if (cod->entries)
> debug_cod_entries(cod->entries);
> -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
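Review bot: `network_families[i]` in the second loop of `__debug_network` is indexed up to `af_max` from `get_af_max()`, but the table's length is fixed by the largest AF listed in af_names.h, so a family reported above that reads past the end of the array (whether get_af_max() can exceed the table is not visible from this hunk, but nothing here ties the two together). Bound the lookup and fall through to the existing numeric form: `size_t nfam = sizeof(network_families) / sizeof(network_families[0]);` followed by `const char *fam = i < nfam ? network_families[i] : NULL;`. The compile warnings mentioned in the reply are probably the unused `int brackets = 0;` and the signed/unsigned comparison in `for (j = 0; j < count; j++)` (`j` is `unsigned int`, `count` is `int`); dropping `brackets` and declaring `unsigned int count` clears both. `sock_types` is also a writable, externally visible global for what is a debug-only lookup table; `static const char *const sock_types[]` keeps it read-only and out of the global namespace, and a one-line comment on `#define ALL_TYPES 0x43e` saying it is the bit set of every SOCK_* named in sock_types would save the next reader recomputing it.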
