The patch titled "parser: Add support for unix domain socket rules." modified the code that creates the stub rules for rule types that the parser supports.

It added new stub rules for extended network and AF_UNIX rule types, but it also changed the stub rules for all existing rule types. That change causes the kernel to not enforce some rule types. This patch fixes the stub rule creation so that existing rule types continue to be enforced, as well as AF_UNIX rule types when the parser and kernel both support them.

Here are the DFA states generated before applying the patch mentioned above:

$ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{3} (0x 10004/0/0/0)
{1} -> {2}: 0x2f /
{2} -> {3}: 0x66 f
{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{1} -> {2}: 0x2
{1} -> {2}: 0x7
{1} -> {2}: 0x9
{1} -> {2}: 0xa
{1} -> {2}: 0x20 \

Here are the DFA states generated after applying the patch mentioned above:

$ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{3} (0x 10004/0/0/0)
{1} -> {2}: 0x2f /
{2} -> {3}: 0x66 f
{1} <== (allow/deny/audit/quiet)
{4} (0x 4/0/0/0)
{1} -> {2}: 0x0
{1} -> {3}: 0x34 4
{2} -> {4}: 0x2
{2} -> {4}: 0x4
{2} -> {4}: 0x7
{2} -> {4}: 0x9
{2} -> {4}: 0xa
{2} -> {4}: 0x20 \
{3} -> {4}: 0x31 1

Here are the DFA states generated after applying this patch:

$ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{3} (0x 10004/0/0/0)
{1} -> {2}: 0x2f /
{2} -> {3}: 0x66 f
{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{1} -> {2}: 0x2
{1} -> {2}: 0x4
{1} -> {2}: 0x7
{1} -> {2}: 0x9
{1} -> {2}: 0xa
{1} -> {2}: 0x20 \
{1} -> {3}: 0x34 4
{3} -> {4}: 0x0
{4} -> {2}: 0x31 1

Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Note that I mostly guessed at the magic byte sequence to use for CLASS_SUB_STR(). I'm expecting John to verify its correctness. I have verified that the AF_UNIX mediation kernel code correctly detects the presence of the stub rule and enforces AF_UNIX mediation appropriately.

 parser/parser_regex.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c index b0735bc..77ed6c9 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -665,9 +665,10 @@ int post_process_policydb_ents(Profile *prof) return TRUE; } -#define MAKE_STR(A) #A -#define CLASS_STR(X) "\\000\\d" MAKE_STR(X) -#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_STR(Y) +#define MAKE_STR(X) #X +#define CLASS_STR(X) "\\d" MAKE_STR(X) +#define MAKE_SUB_STR(X) "\\000" MAKE_STR(X) +#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_SUB_STR(Y) static const char *mediates_file = CLASS_STR(AA_CLASS_FILE); static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT); -- 2.1.0 -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
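Review bot: the new CLASS_SUB_STR(X, Y) passes its class argument through a bare MAKE_STR(X), with no "\\d" in front of it, while CLASS_STR(X) is "\\d" MAKE_STR(X); the two stub kinds therefore encode the class number differently. That shows in the "after this patch" dump: the single-class stubs are the raw class bytes (0x2, 0x4, 0x7, 0x9, 0xa, 0x20), but the AF_UNIX stub is the ASCII digit '4' (0x34), then 0x0, then the ASCII digit '1' (0x31). If the kernel is meant to see the raw class byte in both cases, the consistent form is `#define CLASS_SUB_STR(X, Y) CLASS_STR(X) MAKE_SUB_STR(Y)` together with `#define MAKE_SUB_STR(X) "\\000\\d" MAKE_STR(X)`. If the digit encoding is exactly what the kernel's AF_UNIX check matches (the cover note says the stub was verified against the kernel), a short comment next to the macros saying so, and why it differs from CLASS_STR(), would spare the next reader the same guess the note admits to.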
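As an added example (not code from the patch or from the AppArmor tree), the program below expands both the old ("-") and new ("+") versions of the stub-rule macros from the hunk and decodes the resulting regex strings into the bytes the DFA matches, so the transitions in the dfa-states dumps above can be read off directly. The class numbers (file = 2, net = 4, mount = 7) are assumed from the dumps, the sub-class value 1 and the name AF_UNIX_SUB are assumed from the trailing '1' in the AF_UNIX dump, and the escape rules in decode_stub() ("\d" followed by up to three decimal digits, a backslash followed by up to three octal digits, anything else literal) are this example's own reading of the apparmor regex syntax, not the parser's code.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not part of the patch. Class numbers are assumed from the
 * dfa-states dumps (file = 2, net = 4, mount = 7); AF_UNIX_SUB is a
 * hypothetical name for the sub-class value 1 seen in the AF_UNIX dump.
 */
#define AA_CLASS_FILE  2
#define AA_CLASS_NET   4
#define AA_CLASS_MOUNT 7
#define AF_UNIX_SUB    1

/* Macros as they were before this patch (the "-" lines of the hunk). */
#define OLD_MAKE_STR(A) #A
#define OLD_CLASS_STR(X) "\\000\\d" OLD_MAKE_STR(X)
#define OLD_CLASS_SUB_STR(X, Y) OLD_MAKE_STR(X) OLD_MAKE_STR(Y)

/* Macros as this patch leaves them (the "+" lines of the hunk). */
#define MAKE_STR(X) #X
#define CLASS_STR(X) "\\d" MAKE_STR(X)
#define MAKE_SUB_STR(X) "\\000" MAKE_STR(X)
#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_SUB_STR(Y)

/*
 * Decode a stub-rule regex into raw bytes. The escape rules here are an
 * assumption for the example: "\d" + up to three decimal digits gives a
 * byte by value, "\" + up to three octal digits likewise, any other
 * escaped character is literal. Returns the number of bytes written.
 */
size_t decode_stub(const char *re, unsigned char *out, size_t cap)
{
	size_t n = 0;
	const char *p = re;

	while (*p && n < cap) {
		if (*p != '\\') {
			out[n++] = (unsigned char)*p++;
			continue;
		}
		p++;
		if (*p == 'd') {                      /* \d<decimal> */
			int v = 0, i;
			p++;
			for (i = 0; i < 3 && *p >= '0' && *p <= '9'; i++)
				v = v * 10 + (*p++ - '0');
			out[n++] = (unsigned char)v;
		} else if (*p >= '0' && *p <= '7') {  /* \<octal> */
			int v = 0, i;
			for (i = 0; i < 3 && *p >= '0' && *p <= '7'; i++)
				v = v * 8 + (*p++ - '0');
			out[n++] = (unsigned char)v;
		} else if (*p) {                      /* escaped literal */
			out[n++] = (unsigned char)*p++;
		}
	}
	return n;
}

/* Number of bytes a stub regex decodes to. */
size_t stub_len(const char *re)
{
	unsigned char buf[16];
	return decode_stub(re, buf, sizeof buf);
}

/* Byte at position i of the decoded stub, or -1 when i is out of range. */
int stub_byte(const char *re, size_t i)
{
	unsigned char buf[16];
	size_t n = decode_stub(re, buf, sizeof buf);
	return i < n ? buf[i] : -1;
}

/* Print one macro expansion next to its decoded byte sequence. */
static void show(const char *label, const char *re)
{
	unsigned char buf[16];
	size_t n = decode_stub(re, buf, sizeof buf), i;

	printf("%-28s %-14s ->", label, re);
	for (i = 0; i < n; i++)
		printf(" 0x%02x", buf[i]);
	printf("\n");
}

int main(void)
{
	show("old CLASS_STR(FILE)", OLD_CLASS_STR(AA_CLASS_FILE));
	show("new CLASS_STR(FILE)", CLASS_STR(AA_CLASS_FILE));
	show("new CLASS_STR(MOUNT)", CLASS_STR(AA_CLASS_MOUNT));
	show("old CLASS_SUB_STR(NET,1)", OLD_CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX_SUB));
	show("new CLASS_SUB_STR(NET,1)", CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX_SUB));
	return 0;
}
```

The two-level MAKE_STR indirection matters: the argument of CLASS_STR is fully expanded to its numeric value before the inner MAKE_STR stringizes it, which is why the file stub becomes `\d2` rather than `\dAA_CLASS_FILE`. With these macros the old file stub decodes to 0x00 0x02 (the extra leading transition in the middle dump), the new one to the single byte 0x02, and the new AF_UNIX stub to 0x34 0x00 0x31, which is the '4', 0x0, '1' path in the final dump.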