The patch titled "parser: Add support for unix domain socket rules."
modified the code that creates the stub rules for rule types that the
parser supports.

It added new stub rules for extended network and AF_UNIX rule types but
it also changed the stub rules for all existing rule types. That change
causes the kernel to not enforce some rule types.

This patch fixes the stub rule creation so that existing rule types
continue to be enforced, as well as AF_UNIX rule types when the parser
and kernel both support them.

Here are the DFA states generated before applying the patch mentioned
above:

$ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{3} (0x 10004/0/0/0)

{1} -> {2}: 0x2f /
{2} -> {3}: 0x66 f

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)

{1} -> {2}: 0x2
{1} -> {2}: 0x7
{1} -> {2}: 0x9
{1} -> {2}: 0xa
{1} -> {2}: 0x20 \

Here are the DFA states generated after applying the patch mentioned
above:

$ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{3} (0x 10004/0/0/0)

{1} -> {2}: 0x2f /
{2} -> {3}: 0x66 f

{1} <== (allow/deny/audit/quiet)
{4} (0x 4/0/0/0)

{1} -> {2}: 0x0
{1} -> {3}: 0x34 4
{2} -> {4}: 0x2
{2} -> {4}: 0x4
{2} -> {4}: 0x7
{2} -> {4}: 0x9
{2} -> {4}: 0xa
{2} -> {4}: 0x20 \
{3} -> {4}: 0x31 1

Here are DFA states generated after applying this patch:

$ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{3} (0x 10004/0/0/0)

{1} -> {2}: 0x2f /
{2} -> {3}: 0x66 f

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)

{1} -> {2}: 0x2
{1} -> {2}: 0x4
{1} -> {2}: 0x7
{1} -> {2}: 0x9
{1} -> {2}: 0xa
{1} -> {2}: 0x20 \
{1} -> {3}: 0x34 4
{3} -> {4}: 0x0
{4} -> {2}: 0x31 1

Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---

Note that I mostly guessed at the magic byte sequence to use for
CLASS_SUB_STR(). I'm expecting John to verify its correctness. I have verified
that the AF_UNIX mediation kernel code correctly detects the presence of the
stub rule and enforces AF_UNIX mediation appropriately.

 parser/parser_regex.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index b0735bc..77ed6c9 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -665,9 +665,10 @@ int post_process_policydb_ents(Profile *prof)
        return TRUE;
 }
 
-#define MAKE_STR(A) #A
-#define CLASS_STR(X) "\\000\\d" MAKE_STR(X)
-#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_STR(Y)
+#define MAKE_STR(X) #X
+#define CLASS_STR(X) "\\d" MAKE_STR(X)
+#define MAKE_SUB_STR(X) "\\000" MAKE_STR(X)
+#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_SUB_STR(Y)
 
 static const char *mediates_file = CLASS_STR(AA_CLASS_FILE);
 static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
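Review bot: CLASS_SUB_STR() encodes the class number differently from CLASS_STR(), and the hunk does not document why. CLASS_STR(X) expands to `"\\d" MAKE_STR(X)`, so the class constant becomes a `\d` decimal byte escape and the DFA matches the raw byte value (the single-byte transitions 0x2, 0x4, 0x7, 0x9, 0xa out of state {1} in the dfa-states output above); CLASS_SUB_STR(X, Y) expands to `MAKE_STR(X) "\\000" MAKE_STR(Y)`, so both X and Y are stringified without the `\d` prefix and the DFA instead matches the ASCII digit characters with a NUL between them (0x34 '4', 0x0, 0x31 '1' in the output). If the ASCII-digit form is what the kernel's AF_UNIX stub-rule check expects, a comment above MAKE_SUB_STR()/CLASS_SUB_STR() stating the exact byte sequence and why it differs from CLASS_STR() would keep the next reader from treating it as a bug; if it is not intended, the sub-class form should use the same `\\d` encoding for both components, for example `#define CLASS_SUB_STR(X, Y) CLASS_STR(X) "\\000" CLASS_STR(Y)`. Since the cover note says the sequence was guessed, the kernel-side expectation needs confirming before this is merged.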
-- 
2.1.0


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor