On Wed, Aug 27, 2014 at 05:01:46PM -0500, Tyler Hicks wrote:
> The writeu16() function was returning the address of the passed in
> std::ostringstream and then the callers of that function were
> incorrectly writing that address to the rule buffer.
> 
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>

Acked-by: Seth Arnold <seth.arn...@canonical.com>

(Sigh, I even wondered if the "return o" was correct and chalked it up to
crazy C++ being crazy.)

Thanks

> ---
> 
> Before:
> 
>   $ echo "/t { unix (connect,read,write) type=stream, }" | apparmor_parser 
> -qQD dfa-states
>   {1} <== (allow/deny/audit/quiet)
>   {2} (0x 4/0/0/0)
>   {3} (0x 4/0/0/0)
>   {43} (0x 46/0/0/0)
>   {44} (0x 46/0/0/0)
>   
>   {1} -> {2}: 0x2
>   {1} -> {3}: 0x4
>   {1} -> {2}: 0x7
>   {1} -> {2}: 0x9
>   {1} -> {2}: 0xa
>   {1} -> {2}: 0x20 \ 
>   {1} -> {4}: 0x34 4
>   {3}  (0x 4/0/0/0) -> {5}: 0x0
>   {4} -> {6}: 0x0
>   {5} -> {7}: 0x1
>   {6} -> {2}: 0x31 1
>   {7} -> {8}: 0x30 0
>   {8} -> {9}: 0x78 x
>   {9} -> {10}: 0x37 7
>   {10} -> {11}: 0x66 f
>   {11} -> {12}: 0x66 f
>   {12} -> {13}: 0x66 f
>   {13} -> {14}: 0x31 1
>   {14} -> {15}: 0x30 0
>   {15} -> {16}: 0x34 4
>   {16} -> {17}: 0x66 f
>   {17} -> {18}: 0x33 3
>   {18} -> {19}: 0x35 5
>   {19} -> {20}: 0x31 1
>   {20} -> {21}: 0x38 8
>   {21} -> {22}: 0x0
>   {22} -> {23}: 0x1
>   {23} -> {24}: 0x30 0
>   {24} -> {25}: 0x78 x
>   {25} -> {26}: 0x37 7
>   {26} -> {27}: 0x66 f
>   {27} -> {28}: 0x66 f
>   {28} -> {29}: 0x66 f
>   {29} -> {30}: 0x31 1
>   {30} -> {31}: 0x30 0
>   {31} -> {32}: 0x34 4
>   {32} -> {33}: 0x66 f
>   {33} -> {34}: 0x33 3
>   {34} -> {35}: 0x35 5
>   {35} -> {36}: 0x31 1
>   {36} -> {37}: 0x38 8
>   {37} -> {38}: []
>   {38} -> {39}: []
>   {39} -> {40}: 0x0
>   {39} -> {39}: []
>   {40} -> {40}: 0x0
>   {40} -> {41}: 0x1
>   {40} -> {39}: []
>   {41} -> {42}: 0x0
>   {41} -> {39}: []
>   {42} -> {40}: 0x0
>   {42} -> {44}: 0x1
>   {42} -> {43}: []
>   {43}  (0x 46/0/0/0) -> {40}: 0x0
>   {43}  (0x 46/0/0/0) -> {43}: []
>   {44}  (0x 46/0/0/0) -> {42}: 0x0
>   {44}  (0x 46/0/0/0) -> {43}: []
> 
> After:
> 
>   $ echo "/t { unix (connect,read,write) type=stream, }" | apparmor_parser 
> -qQD dfa-states
>   {1} <== (allow/deny/audit/quiet)
>   {2} (0x 4/0/0/0)
>   {3} (0x 4/0/0/0)
>   {15} (0x 46/0/0/0)
>   {16} (0x 46/0/0/0)
>   
>   {1} -> {2}: 0x2
>   {1} -> {3}: 0x4
>   {1} -> {2}: 0x7
>   {1} -> {2}: 0x9
>   {1} -> {2}: 0xa
>   {1} -> {2}: 0x20 \ 
>   {1} -> {4}: 0x34 4
>   {3}  (0x 4/0/0/0) -> {5}: 0x0
>   {4} -> {6}: 0x0
>   {5} -> {7}: 0x1
>   {6} -> {2}: 0x31 1
>   {7} -> {8}: 0x0
>   {8} -> {9}: 0x1
>   {9} -> {10}: []
>   {10} -> {11}: []
>   {11} -> {12}: 0x0
>   {11} -> {11}: []
>   {12} -> {12}: 0x0
>   {12} -> {13}: 0x1
>   {12} -> {11}: []
>   {13} -> {14}: 0x0
>   {13} -> {11}: []
>   {14} -> {12}: 0x0
>   {14} -> {16}: 0x1
>   {14} -> {15}: []
>   {15}  (0x 46/0/0/0) -> {12}: 0x0
>   {15}  (0x 46/0/0/0) -> {15}: []
>   {16}  (0x 46/0/0/0) -> {14}: 0x0
>   {16}  (0x 46/0/0/0) -> {15}: []
> 
>  parser/af_unix.cc | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/parser/af_unix.cc b/parser/af_unix.cc
> index 7f6c0d0..51e986f 100644
> --- a/parser/af_unix.cc
> +++ b/parser/af_unix.cc
> @@ -189,7 +189,7 @@ static void warn_once(const char *name)
>       warn_once(name, "extended network unix socket rules not enforced");
>  }
>  
> -std::ostringstream &writeu16(std::ostringstream &o, int v)
> +static void writeu16(std::ostringstream &o, int v)
>  {
>       u16 tmp = htobe16((u16) v);
>       u8 *byte1 = (u8 *)&tmp;
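Review bot: The `(u16) v` cast in writeu16 silently truncates any value outside 0..65535, so an out-of-range socket type or protocol number would be encoded into the rule as a different value from the one written in the policy. Since the parameter stays `int`, a guard such as `if (v < 0 || v > 0xffff)` leading to an internal-error path would make the contract explicit. At minimum, add a comment such as `/* v must fit in 16 bits; emitted big-endian as two \xNN escapes */`. Whether the callers already range-check these values is not visible here, and the function body continues past the end of this hunk.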
> @@ -197,7 +197,6 @@ std::ostringstream &writeu16(std::ostringstream &o, int v)
>  
>       o << "\\x" << std::setfill('0') << std::setw(2) << std::hex << 
> static_cast<unsigned int>(*byte1);
>       o << "\\x" << std::setfill('0') << std::setw(2) << std::hex << 
> static_cast<unsigned int>(*byte2);
> -     return o;
>  }
>  
>  #define CMD_ADDR     1
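Review bot: `std::hex` and `std::setfill('0')` are sticky, so after writeu16 returns the caller's stream stays in hex mode with a '0' fill; only `std::setw(2)` resets after each insertion. Any later integer written to the same buffer expecting decimal output would be emitted in hex without any diagnostic, which in a policy encoder means a wrong rule rather than a crash. Consider saving and restoring the state around the two writes, e.g. `std::ios_base::fmtflags saved = o.flags();` before and `o.flags(saved);` after, along with the fill character. Otherwise, document on writeu16 that it leaves the stream in hex. The start of the function is outside this hunk.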
> @@ -256,13 +255,13 @@ int unix_rule::gen_policy_re(Profile &prof)
>  
>  
>       buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << 
> AA_CLASS_NET;
> -     buffer << writeu16(buffer, AF_UNIX);
> +     writeu16(buffer, AF_UNIX);
>       if (sock_type)
> -             buffer << writeu16(buffer, sock_type_n);
> +             writeu16(buffer, sock_type_n);
>       else
>               buffer << "..";
>       if (proto)
> -             buffer << writeu16(buffer, proto_n);
> +             writeu16(buffer, proto_n);
>       else
>               buffer << "..";
>  
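Review bot: The byte layout that gen_policy_re builds here is undocumented, so a reader cannot tell from the code what the encoded rule prefix should look like; the stray stream address only shows up in the DFA dump in the description. A short comment above these lines would help, for example `/* class byte, then family, type and protocol as big-endian u16; ".." leaves a field unconstrained */`. The meaning of `..` is inferred from the `[]` transitions in the "After" dump and should be confirmed. The function starts and ends outside this hunk.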
> -- 
> 2.1.0
> 
> 
