On Wed, Aug 06, 2014 at 05:32:46AM -0700, [email protected] wrote: > Signed-off-by: John Johansen <[email protected]>
I found a bug; it and other comments inline.
Thanks
> ---
> parser/Makefile | 11 +
> parser/network.c | 336
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> parser/network.h | 78 +++++++++++
> parser/parser.h | 30 ----
> parser/parser_misc.c | 308 ----------------------------------------------
> parser/profile.h | 24 ---
> 6 files changed, 424 insertions(+), 363 deletions(-)
>
> --- 2.9-test.orig/parser/Makefile
> +++ 2.9-test/parser/Makefile
> @@ -79,10 +79,10 @@
> SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \
> parser_main.c parser_misc.c parser_merge.c parser_symtab.c \
> parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \
> - parser_alias.c common_optarg.c lib.c \
> + parser_alias.c common_optarg.c lib.c network.c \
> mount.cc dbus.cc profile.cc rule.cc signal.cc ptrace.cc
> HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \
> - rule.h common_optarg.h signal.h ptrace.h
> + rule.h common_optarg.h signal.h ptrace.h network.h
> TOOLS = apparmor_parser
>
> OBJECTS = $(SRCS:.c=.o)
> @@ -197,7 +197,7 @@
> parser_lex.o: parser_lex.c parser.h parser_yacc.h
> $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> -parser_misc.o: parser_misc.c parser.h parser_yacc.h profile.h af_names.h
> cap_names.h $(APPARMOR_H)
> +parser_misc.o: parser_misc.c parser.h parser_yacc.h profile.h cap_names.h
> $(APPARMOR_H)
> $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_yacc.o: parser_yacc.c parser_yacc.h $(APPARMOR_H)
> @@ -251,7 +251,10 @@
> ptrace.o: ptrace.c ptrace.h parser.h immunix.h parser_yacc.h rule.h
> $(APPARMOR_H)
> $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> -profile.o: profile.cc profile.h parser.h
> +network.o: network.c network.h parser.h immunix.h parser_yacc.h rule.h
> af_names.h $(APPARMOR_H)
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
> +
> +profile.o: profile.cc profile.h parser.h network.h
> $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> rule.o: rule.c rule.h policydb.h
> --- /dev/null
> +++ 2.9-test/parser/network.c
> @@ -0,0 +1,336 @@
> +/*
> + * Copyright (c) 2014
> + * Canonical, Ltd. (All rights reserved)
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of version 2 of the GNU General Public
> + * License published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, contact Novell, Inc. or Canonical
> + * Ltd.
> + */
> +
> +#include <stdlib.h>
> +#include <string.h>
> +#include <sys/apparmor.h>
> +
> +#include <iomanip>
> +#include <string>
Is it kosher to include both string.h and string?
> +#include <sstream>
> +#include <map>
> +
> +#include "parser.h"
> +#include "profile.h"
> +#include "parser_yacc.h"
> +#include "network.h"
> +
> +
> +/* Bleah C++ doesn't have non-trivial designated initializers so we just
> + * have to make sure these are in order. This means we are more brittle
> + * but there isn't much we can do.
> + */
> +const char *sock_types[] = {
> + "none", /* 0 */
> + "stream", /* 1 [SOCK_STREAM] */
> + "dgram", /* 2 [SOCK_DGRAM] */
> + "raw", /* 3 [SOCK_RAW] */
> + "rdm", /* 4 [SOCK_RDM] */
> + "seqpacket", /* 5 [SOCK_SEQPACKET] */
> + "dccp", /* 6 [SOCK_DCCP] */
> + "invalid", /* 7 */
> + "invalid", /* 8 */
> + "invalid", /* 9 */
> + "packet", /* 10 [SOCK_PACKET] */
> + /*
> + * See comment above
> + */
> +};
> +
> +struct network_tuple {
> + const char *family_name;
> + unsigned int family;
> + const char *type_name;
> + unsigned int type;
> + const char *protocol_name;
> + unsigned int protocol;
> +};
> +
> +/* FIXME: currently just treating as a bit mask this will have to change
> + * set up a table of mappings, there can be several mappings for a
> + * given match.
> + * currently the mapping does not set the protocol for stream/dgram to
> + * anything other than 0.
> + * network inet tcp -> network inet stream 0 instead of
> + * network inet raw tcp.
> + * some entries are just provided for completeness at this time
> + */
> +/* values stolen from /etc/protocols - needs to change */
> +#define RAW_TCP 6
> +#define RAW_UDP 17
> +#define RAW_ICMP 1
> +#define RAW_ICMPv6 58
> +
> +/* used by af_name.h to auto generate table entries for "name", AF_NAME
> + * pair */
> +#define AA_GEN_NET_ENT(name, AF) \
> + {name, AF, "stream", SOCK_STREAM, "", 0xffffff}, \
> + {name, AF, "dgram", SOCK_DGRAM, "", 0xffffff}, \
> + {name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, \
> + {name, AF, "rdm", SOCK_RDM, "", 0xffffff}, \
> + {name, AF, "raw", SOCK_RAW, "", 0xffffff}, \
> + {name, AF, "packet", SOCK_PACKET, "", 0xffffff},
> +/*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "", 0xfffffff}, */
> +
> +static struct network_tuple network_mappings[] = {
> + /* basic types */
> + #include "af_names.h"
> +/* FIXME: af_names.h is missing AF_LLC, AF_TIPC */
> + /* mapped types */
> + {"inet", AF_INET, "raw", SOCK_RAW,
> + "tcp", 1 << RAW_TCP},
> + {"inet", AF_INET, "raw", SOCK_RAW,
> + "udp", 1 << RAW_UDP},
> + {"inet", AF_INET, "raw", SOCK_RAW,
> + "icmp", 1 << RAW_ICMP},
> + {"inet", AF_INET, "tcp", SOCK_STREAM,
> + "", 0xffffffff}, /* should we give raw tcp too? */
> + {"inet", AF_INET, "udp", SOCK_DGRAM,
> + "", 0xffffffff}, /* should these be open masks? */
> + {"inet", AF_INET, "icmp", SOCK_RAW,
> + "", 1 << RAW_ICMP},
> + {"inet6", AF_INET6, "tcp", SOCK_STREAM,
> + "", 0xffffffff},
> + {"inet6", AF_INET6, "udp", SOCK_DGRAM,
> + "", 0xffffffff},
> +/* what do we do with icmp on inet6?
> + {"inet6", AF_INET, "icmp", SOCK_RAW, 0},
> + {"inet6", AF_INET, "icmpv6", SOCK_RAW, 0},
> +*/
> + /* terminate */
> + {NULL, 0, NULL, 0, NULL, 0}
> +};
> +
> +/* The apparmor kernel patches up until 2.6.38 didn't handle networking
> + * tables with sizes > AF_MAX correctly. This could happen when the
> + * parser was built against newer kernel headers and then used to load
> + * policy on an older kernel. This could happen during upgrades or
> + * in multi-kernel boot systems.
> + *
> + * Try to detect the running kernel version and use that to determine
> + * AF_MAX
> + */
> +#define PROC_VERSION "/proc/sys/kernel/osrelease"
> +static size_t kernel_af_max(void) {
> + char buffer[32];
> + int major;
> + int fd, res;
> +
> + if (!net_af_max_override) {
> + return 0;
> + }
> + /* the override parameter is specifying the max value */
> + if (net_af_max_override > 0)
> + return net_af_max_override;
> +
> + fd = open(PROC_VERSION, O_RDONLY);
> + if (!fd)
> + /* fall back to default provided during build */
> + return 0;
> + res = read(fd, &buffer, sizeof(buffer) - 1);
> + close(fd);
> + if (res <= 0)
> + return 0;
> + buffer[res] = '\0';
> + res = sscanf(buffer, "2.6.%d", &major);
> + if (res != 1)
> + return 0;
> +
> + switch(major) {
> + case 24:
> + case 25:
> + case 26:
> + return 34;
> + case 27:
> + return 35;
> + case 28:
> + case 29:
> + case 30:
> + return 36;
> + case 31:
> + case 32:
> + case 33:
> + case 34:
> + case 35:
> + return 37;
> + case 36:
> + case 37:
> + return 38;
> + /* kernels .38 and later should handle this correctly so no
> + * static mapping needed
> + */
> + default:
> + return 0;
> + }
> +}
> +
> +/* Yuck. We grab AF_* values to define above from linux/socket.h because
> + * they are more accurate than sys/socket.h for what the kernel actually
> + * supports. However, we can't just include linux/socket.h directly,
> + * because the AF_* definitions are protected with an ifdef KERNEL
> + * wrapper, but we don't want to define that because that can cause
> + * other redefinitions from glibc. However, because the kernel may have
> + * more definitions than glibc, we need make sure AF_MAX reflects this,
> + * hence the wrapping function.
> + */
> +size_t get_af_max() {
> + size_t af_max;
> + /* HACK: declare that version without "create" had a static AF_MAX */
> + if (!perms_create && !net_af_max_override)
> + net_af_max_override = -1;
> +
> +#if AA_AF_MAX > AF_MAX
> + af_max = AA_AF_MAX;
> +#else
> + af_max = AF_MAX;
> +#endif
> +
> + /* HACK: some kernels didn't handle network tables from parsers
> + * compiled against newer kernel headers as they are larger than
> + * the running kernel expected. If net_override is defined check
> + * to see if there is a static max specified for that kernel
> + */
> + if (net_af_max_override) {
> + size_t max = kernel_af_max();
> + if (max && max < af_max)
> + return max;
> + }
> +
> + return af_max;
> +}
> +struct aa_network_entry *new_network_ent(unsigned int family,
> + unsigned int type,
> + unsigned int protocol)
> +{
> + struct aa_network_entry *new_entry;
> + new_entry = (struct aa_network_entry *) calloc(1, sizeof(struct
> aa_network_entry));
> + if (new_entry) {
> + new_entry->family = family;
> + new_entry->type = type;
> + new_entry->protocol = protocol;
> + new_entry->next = NULL;
> + }
> + return new_entry;
> +}
> +
> +struct aa_network_entry *network_entry(const char *family, const char *type,
> + const char *protocol)
> +{
> + int i;
> + struct aa_network_entry *new_entry, *entry = NULL;
> +
> + for (i = 0; network_mappings[i].family_name; i++) {
> + if (family) {
> + PDEBUG("Checking family %s\n",
> network_mappings[i].family_name);
> + if (strcmp(family, network_mappings[i].family_name) !=
> 0)
> + continue;
> + PDEBUG("Found family %s\n", family);
> + }
> + if (type) {
> + PDEBUG("Checking type %s\n",
> network_mappings[i].type_name);
> + if (strcmp(type, network_mappings[i].type_name) != 0)
> + continue;
> + PDEBUG("Found type %s\n", type);
> + }
> + if (protocol) {
> + PDEBUG("Checking protocol type %s\n",
> network_mappings[i].protocol_name);
> + if (strcmp(type, network_mappings[i].protocol_name) !=
> 0)
> + continue;
This strcmp checks type instead of protocol. The PDEBUG ought to be
changed to "Checking protocol %s\n" while you're here.
> + /* fixme should we allow specifying protocol by #
> + * without needing the protocol mapping? */
> + }
> + /* if here we have a match */
> + new_entry = new_network_ent(network_mappings[i].family,
> + network_mappings[i].type,
> + network_mappings[i].protocol);
> + if (!new_entry)
> + yyerror(_("Memory allocation error."));
> + new_entry->next = entry;
> + entry = new_entry;
> + }
> +
> + return entry;
> +};
> +
> +#define ALL_TYPES 0x43e
> +
> +/* another case of C++ not supporting non-trivial designated initializers */
> +#undef AA_GEN_NET_ENT
> +#define AA_GEN_NET_ENT(name, AF) name, /* [AF] = name, */
> +
> +static const char *network_families[] = {
> +#include "af_names.h"
> +};
> +
> +void __debug_network(unsigned int *array, const char *name)
> +{
> + unsigned int count = sizeof(sock_types)/sizeof(sock_types[0]);
> + unsigned int mask = ~((1 << count) -1);
> + unsigned int i, j;
> + int none = 1;
> + size_t af_max = get_af_max();
> +
> + for (i = AF_UNSPEC; i < af_max; i++)
> + if (array[i]) {
> + none = 0;
> + break;
> + }
> +
> + if (none)
> + return;
> +
> + printf("%s: ", name);
> +
> + /* This can only be set by an unqualified network rule */
> + if (array[AF_UNSPEC]) {
> + printf("<all>\n");
> + return;
> + }
> +
> + for (i = 0; i < af_max; i++) {
> + if (array[i]) {
> + const char *fam = network_families[i];
> + if (fam)
> + printf("%s ", fam);
> + else
> + printf("#%u ", i);
> +
> + /* All types/protocols */
> + if (array[i] == 0xffffffff || array[i] == ALL_TYPES)
> + continue;
> +
> + printf("{ ");
> +
> + for (j = 0; j < count; j++) {
> + const char *type;
> + if (array[i] & (1 << j)) {
> + type = sock_types[j];
> + if (type)
> + printf("%s ", type);
> + else
> + printf("#%u ", j);
> + }
> + }
> + if (array[i] & mask)
> + printf("#%x ", array[i] & mask);
> +
> + printf("} ");
> + }
> + }
> + printf("\n");
> +}
> --- /dev/null
> +++ 2.9-test/parser/network.h
> @@ -0,0 +1,78 @@
> +/*
> + * Copyright (c) 2014
> + * Canonical, Ltd. (All rights reserved)
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of version 2 of the GNU General Public
> + * License published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, contact Novell, Inc. or Canonical
> + * Ltd.
> + */
> +
> +#ifndef __AA_NETWORK_H
> +#define __AA_NETWORK_H
> +
> +#include <fcntl.h>
> +#include <netinet/in.h>
> +#include <linux/socket.h>
> +#include <linux/limits.h>
> +#include <arpa/inet.h>
> +#include <sys/types.h>
> +#include <sys/stat.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <unistd.h>
> +#include <libintl.h>
> +
> +#include "parser.h"
> +#include "rule.h"
> +#include "profile.h"
> +
> +/* supported AF protocols */
> +struct aa_network_entry {
> + unsigned int family;
> + unsigned int type;
> + unsigned int protocol;
> +
> + struct aa_network_entry *next;
> +};
> +
> +extern struct aa_network_entry *new_network_ent(unsigned int family,
> + unsigned int type,
> + unsigned int protocol);
> +extern struct aa_network_entry *network_entry(const char *family,
> + const char *type,
> + const char *protocol);
> +extern size_t get_af_max(void);
> +
> +void __debug_network(unsigned int *array, const char *name);
> +
> +struct network {
> + unsigned int *allow; /* array of type masks
> + * indexed by AF_FAMILY */
> + unsigned int *audit;
> + unsigned int *deny;
> + unsigned int *quiet;
> +
> + network(void) { allow = audit = deny = quiet = NULL; }
> +
> + void dump(void) {
> + if (allow)
> + __debug_network(allow, "Network");
> + if (audit)
> + __debug_network(audit, "Audit Net");
> + if (deny)
> + __debug_network(deny, "Deny Net");
> + if (quiet)
> + __debug_network(quiet, "Quiet Net");
> + }
> +};
> +
> +#endif /* __AA_NETWORK_H */
> --- 2.9-test.orig/parser/parser.h
> +++ 2.9-test/parser/parser.h
> @@ -25,7 +25,6 @@
>
> #include <endian.h>
> #include <string.h>
> -#include <netinet/in.h>
> #include <sys/resource.h>
>
> #include <libintl.h>
> @@ -108,15 +107,6 @@
> struct cod_entry *next;
> };
>
> -/* supported AF protocols */
> -struct aa_network_entry {
> - unsigned int family;
> - unsigned int type;
> - unsigned int protocol;
> -
> - struct aa_network_entry *next;
> -};
> -
> struct aa_rlimits {
> unsigned int specified; /* limits that are set */
> rlim_t limits[RLIMIT_NLIMITS];
> @@ -132,18 +122,6 @@
> unsigned int hat_magic;
> };
>
> -/* describe an ip address */
> -struct ipv4_desc {
> - struct in_addr addr;
> - unsigned long mask;
> - unsigned short port[2];
> -};
> -
> -struct ipv4_endpoints {
> - struct ipv4_desc * src;
> - struct ipv4_desc * dest;
> -};
> -
> struct var_string {
> char *prefix;
> char *var;
> @@ -391,20 +369,12 @@
> extern int parse_mode(const char *mode);
> extern int parse_X_mode(const char *X, int valid, const char *str_mode, int
> *mode, int fail);
> extern struct cod_entry *new_entry(char *ns, char *id, int mode, char
> *link_id);
> -extern struct aa_network_entry *new_network_ent(unsigned int family,
> - unsigned int type,
> - unsigned int protocol);
> -extern struct aa_network_entry *network_entry(const char *family,
> - const char *type,
> - const char *protocol);
> -extern size_t get_af_max(void);
>
> /* returns -1 if value != true or false, otherwise 0 == false, 1 == true */
> extern int str_to_boolean(const char* str);
> extern struct cod_entry *copy_cod_entry(struct cod_entry *cod);
> extern void free_cod_entries(struct cod_entry *list);
> extern void __debug_capabilities(uint64_t capset, const char *name);
> -void __debug_network(unsigned int *array, const char *name);
> void debug_cod_entries(struct cod_entry *list);
>
>
> --- 2.9-test.orig/parser/parser_misc.c
> +++ 2.9-test/parser/parser_misc.c
> @@ -26,10 +26,6 @@
> #include <stdlib.h>
> #include <stdarg.h>
> #include <string.h>
> -#include <netinet/in.h>
> -#include <linux/socket.h>
> -#include <linux/limits.h>
> -#include <arpa/inet.h>
> #include <linux/capability.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> @@ -229,221 +225,6 @@
> return get_table_token("rlimit", rlimit_table, name);
> }
>
> -struct network_tuple {
> - const char *family_name;
> - unsigned int family;
> - const char *type_name;
> - unsigned int type;
> - const char *protocol_name;
> - unsigned int protocol;
> -};
> -
> -/* FIXME: currently just treating as a bit mask this will have to change
> - * set up a table of mappings, there can be several mappings for a
> - * given match.
> - * currently the mapping does not set the protocol for stream/dgram to
> - * anything other than 0.
> - * network inet tcp -> network inet stream 0 instead of
> - * network inet raw tcp.
> - * some entries are just provided for completeness at this time
> - */
> -/* values stolen from /etc/protocols - needs to change */
> -#define RAW_TCP 6
> -#define RAW_UDP 17
> -#define RAW_ICMP 1
> -#define RAW_ICMPv6 58
> -
> -/* used by af_name.h to auto generate table entries for "name", AF_NAME
> - * pair */
> -#define AA_GEN_NET_ENT(name, AF) \
> - {name, AF, "stream", SOCK_STREAM, "", 0xffffff}, \
> - {name, AF, "dgram", SOCK_DGRAM, "", 0xffffff}, \
> - {name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, \
> - {name, AF, "rdm", SOCK_RDM, "", 0xffffff}, \
> - {name, AF, "raw", SOCK_RAW, "", 0xffffff}, \
> - {name, AF, "packet", SOCK_PACKET, "", 0xffffff},
> -/*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "", 0xfffffff}, */
> -
> -static struct network_tuple network_mappings[] = {
> - /* basic types */
> - #include "af_names.h"
> -/* FIXME: af_names.h is missing AF_LLC, AF_TIPC */
> - /* mapped types */
> - {"inet", AF_INET, "raw", SOCK_RAW,
> - "tcp", 1 << RAW_TCP},
> - {"inet", AF_INET, "raw", SOCK_RAW,
> - "udp", 1 << RAW_UDP},
> - {"inet", AF_INET, "raw", SOCK_RAW,
> - "icmp", 1 << RAW_ICMP},
> - {"inet", AF_INET, "tcp", SOCK_STREAM,
> - "", 0xffffffff}, /* should we give raw tcp too? */
> - {"inet", AF_INET, "udp", SOCK_DGRAM,
> - "", 0xffffffff}, /* should these be open masks? */
> - {"inet", AF_INET, "icmp", SOCK_RAW,
> - "", 1 << RAW_ICMP},
> - {"inet6", AF_INET6, "tcp", SOCK_STREAM,
> - "", 0xffffffff},
> - {"inet6", AF_INET6, "udp", SOCK_DGRAM,
> - "", 0xffffffff},
> -/* what do we do with icmp on inet6?
> - {"inet6", AF_INET, "icmp", SOCK_RAW, 0},
> - {"inet6", AF_INET, "icmpv6", SOCK_RAW, 0},
> -*/
> - /* terminate */
> - {NULL, 0, NULL, 0, NULL, 0}
> -};
> -
> -/* The apparmor kernel patches up until 2.6.38 didn't handle networking
> - * tables with sizes > AF_MAX correctly. This could happen when the
> - * parser was built against newer kernel headers and then used to load
> - * policy on an older kernel. This could happen during upgrades or
> - * in multi-kernel boot systems.
> - *
> - * Try to detect the running kernel version and use that to determine
> - * AF_MAX
> - */
> -#define PROC_VERSION "/proc/sys/kernel/osrelease"
> -static size_t kernel_af_max(void) {
> - char buffer[32];
> - int major;
> - int fd, res;
> -
> - if (!net_af_max_override) {
> - return 0;
> - }
> - /* the override parameter is specifying the max value */
> - if (net_af_max_override > 0)
> - return net_af_max_override;
> -
> - fd = open(PROC_VERSION, O_RDONLY);
> - if (!fd)
> - /* fall back to default provided during build */
> - return 0;
> - res = read(fd, &buffer, sizeof(buffer) - 1);
> - close(fd);
> - if (res <= 0)
> - return 0;
> - buffer[res] = '\0';
> - res = sscanf(buffer, "2.6.%d", &major);
> - if (res != 1)
> - return 0;
> -
> - switch(major) {
> - case 24:
> - case 25:
> - case 26:
> - return 34;
> - case 27:
> - return 35;
> - case 28:
> - case 29:
> - case 30:
> - return 36;
> - case 31:
> - case 32:
> - case 33:
> - case 34:
> - case 35:
> - return 37;
> - case 36:
> - case 37:
> - return 38;
> - /* kernels .38 and later should handle this correctly so no
> - * static mapping needed
> - */
> - default:
> - return 0;
> - }
> -}
> -
> -/* Yuck. We grab AF_* values to define above from linux/socket.h because
> - * they are more accurate than sys/socket.h for what the kernel actually
> - * supports. However, we can't just include linux/socket.h directly,
> - * because the AF_* definitions are protected with an ifdef KERNEL
> - * wrapper, but we don't want to define that because that can cause
> - * other redefinitions from glibc. However, because the kernel may have
> - * more definitions than glibc, we need make sure AF_MAX reflects this,
> - * hence the wrapping function.
> - */
> -size_t get_af_max() {
> - size_t af_max;
> - /* HACK: declare that version without "create" had a static AF_MAX */
> - if (!perms_create && !net_af_max_override)
> - net_af_max_override = -1;
> -
> -#if AA_AF_MAX > AF_MAX
> - af_max = AA_AF_MAX;
> -#else
> - af_max = AF_MAX;
> -#endif
> -
> - /* HACK: some kernels didn't handle network tables from parsers
> - * compiled against newer kernel headers as they are larger than
> - * the running kernel expected. If net_override is defined check
> - * to see if there is a static max specified for that kernel
> - */
> - if (net_af_max_override) {
> - size_t max = kernel_af_max();
> - if (max && max < af_max)
> - return max;
> - }
> -
> - return af_max;
> -}
> -struct aa_network_entry *new_network_ent(unsigned int family,
> - unsigned int type,
> - unsigned int protocol)
> -{
> - struct aa_network_entry *new_entry;
> - new_entry = (struct aa_network_entry *) calloc(1, sizeof(struct
> aa_network_entry));
> - if (new_entry) {
> - new_entry->family = family;
> - new_entry->type = type;
> - new_entry->protocol = protocol;
> - new_entry->next = NULL;
> - }
> - return new_entry;
> -}
> -
> -struct aa_network_entry *network_entry(const char *family, const char *type,
> - const char *protocol)
> -{
> - int i;
> - struct aa_network_entry *new_entry, *entry = NULL;
> -
> - for (i = 0; network_mappings[i].family_name; i++) {
> - if (family) {
> - PDEBUG("Checking family %s\n",
> network_mappings[i].family_name);
> - if (strcmp(family, network_mappings[i].family_name) !=
> 0)
> - continue;
> - PDEBUG("Found family %s\n", family);
> - }
> - if (type) {
> - PDEBUG("Checking type %s\n",
> network_mappings[i].type_name);
> - if (strcmp(type, network_mappings[i].type_name) != 0)
> - continue;
> - PDEBUG("Found type %s\n", type);
> - }
> - if (protocol) {
> - PDEBUG("Checking protocol type %s\n",
> network_mappings[i].protocol_name);
> - if (strcmp(type, network_mappings[i].protocol_name) !=
> 0)
> - continue;
Ohhhhh. Fixing this bug looks like it might affect existing profiles.
> - /* fixme should we allow specifying protocol by #
> - * without needing the protocol mapping? */
> - }
> - /* if here we have a match */
> - new_entry = new_network_ent(network_mappings[i].family,
> - network_mappings[i].type,
> - network_mappings[i].protocol);
> - if (!new_entry)
> - yyerror(_("Memory allocation error."));
> - new_entry->next = entry;
> - entry = new_entry;
> - }
> -
> - return entry;
> -};
> -
> char *processunquoted(const char *string, int len)
> {
> char *buffer, *s;
> @@ -1004,95 +785,6 @@
> printf("\n");
> }
>
> -/* Bleah C++ doesn't have non-trivial designated initializers so we just
> - * have to make sure these are in order. This means we are more brittle
> - * but there isn't much we can do.
> - */
> -const char *sock_types[] = {
> - "none", /* 0 */
> - "stream", /* 1 [SOCK_STREAM] */
> - "dgram", /* 2 [SOCK_DGRAM] */
> - "raw", /* 3 [SOCK_RAW] */
> - "rdm", /* 4 [SOCK_RDM] */
> - "seqpacket", /* 5 [SOCK_SEQPACKET] */
> - "dccp", /* 6 [SOCK_DCCP] */
> - "invalid", /* 7 */
> - "invalid", /* 8 */
> - "invalid", /* 9 */
> - "packet", /* 10 [SOCK_PACKET] */
> - /*
> - * See comment above
> - */
> -};
> -#define ALL_TYPES 0x43e
> -
> -/* another case of C++ not supporting non-trivial designated initializers */
> -#undef AA_GEN_NET_ENT
> -#define AA_GEN_NET_ENT(name, AF) name, /* [AF] = name, */
> -
> -static const char *network_families[] = {
> -#include "af_names.h"
> -};
> -
> -void __debug_network(unsigned int *array, const char *name)
> -{
> - unsigned int count = sizeof(sock_types)/sizeof(sock_types[0]);
> - unsigned int mask = ~((1 << count) -1);
> - unsigned int i, j;
> - int none = 1;
> - size_t af_max = get_af_max();
> -
> - for (i = AF_UNSPEC; i < af_max; i++)
> - if (array[i]) {
> - none = 0;
> - break;
> - }
> -
> - if (none)
> - return;
> -
> - printf("%s: ", name);
> -
> - /* This can only be set by an unqualified network rule */
> - if (array[AF_UNSPEC]) {
> - printf("<all>\n");
> - return;
> - }
> -
> - for (i = 0; i < af_max; i++) {
> - if (array[i]) {
> - const char *fam = network_families[i];
> - if (fam)
> - printf("%s ", fam);
> - else
> - printf("#%u ", i);
> -
> - /* All types/protocols */
> - if (array[i] == 0xffffffff || array[i] == ALL_TYPES)
> - continue;
> -
> - printf("{ ");
> -
> - for (j = 0; j < count; j++) {
> - const char *type;
> - if (array[i] & (1 << j)) {
> - type = sock_types[j];
> - if (type)
> - printf("%s ", type);
> - else
> - printf("#%u ", j);
> - }
> - }
> - if (array[i] & mask)
> - printf("#%x ", array[i] & mask);
> -
> - printf("} ");
> - }
> - }
> - printf("\n");
> -}
> -
> -
> struct value_list *new_value_list(char *value)
> {
> struct value_list *val = (struct value_list *) calloc(1, sizeof(struct
> value_list));
> --- 2.9-test.orig/parser/profile.h
> +++ 2.9-test/parser/profile.h
> @@ -21,6 +21,7 @@
> #include "parser.h"
> #include "rule.h"
> #include "libapparmor_re/aare_rules.h"
> +#include "network.h"
>
> class Profile;
>
> @@ -101,27 +102,6 @@
> };
> };
>
> -struct network {
> - unsigned int *allow; /* array of type masks
> - * indexed by AF_FAMILY */
> - unsigned int *audit;
> - unsigned int *deny;
> - unsigned int *quiet;
> -
> - network(void) { allow = audit = deny = quiet = NULL; }
> -
> - void dump(void) {
> - if (allow)
> - __debug_network(allow, "Network");
> - if (audit)
> - __debug_network(audit, "Audit Net");
> - if (deny)
> - __debug_network(deny, "Deny Net");
> - if (quiet)
> - __debug_network(quiet, "Quiet Net");
> - }
> -};
> -
> struct dfa_stuff {
> aare_rules *rules;
> void *dfa;
> @@ -231,6 +211,8 @@
> hat_table.dump();
> }
>
> + bool alloc_net_table();
> +
> std::string* get_name(bool fqp)
> {
> std::string *buf;
>
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
signature.asc
Description: Digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
