The old dfa table format has 2 64 bit permission field used to store
all of allow, quiet, audit, owner/!owner and transition mask. This leaves
7 bits for entry + a few other special bits.

Since policydb entries using the old style dfa permission format
don't support the !owner permission entries, we can map the
high network permission bits to these entries.

This allows us to enforce base network permissions on system with
only support for the old dfa table format.

Signed-off-by: John Johansen <[email protected]>
---
 parser/af_unix.cc |   30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

--- 2.9-test.orig/parser/af_unix.cc
+++ 2.9-test/parser/af_unix.cc
@@ -216,6 +216,14 @@
        }
 }
 
+static uint32_t map_perms(uint32_t mask)
+{
+       return (mask & 0x7f) |
+               ((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT 
- 8)) |
+               ((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) | 
/* 2 + (AA_OTHER_SHIFT - 20) */
+               ((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + 
(AA_OTHER_SHIFT - 24) */
+}
+
 int unix_rule::gen_policy_re(Profile &prof)
 {
        std::ostringstream buffer, tmp;
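Review bot: map_perms carries no comment explaining why the high AA_NET_* bits are folded into the !owner range, and nothing in the hunk shows that the three shifted groups and the low bits kept by `mask & 0x7f` land in pairwise-disjoint positions of the old-format permission field — if any two overlap, a rule would be encoded with a different, possibly wider, permission set than the profile states. Suggest a header comment along the lines of `/* Fold the high network permission bits into the old dfa permission format by reusing the !owner entries, which old-style policydb entries never use. */` plus a compile-time check that the four mapped masks do not intersect (a `static_assert` if the parser build allows it, otherwise a build-time assert in the project's existing style), so the layout assumption fails loudly if AA_OTHER_SHIFT or the AA_NET_* values ever move. The trailing `/* 2 + (AA_OTHER_SHIFT - 20) */` derivations would read better as one comment above the expression giving the target bit position of each group. Note also that the hunk as mailed appears line-wrapped mid-expression (the comment after `>> 4) |` sits on its own line without a `+` marker), so the patch should be applied from the unwrapped original rather than this copy.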
@@ -258,8 +266,8 @@
        if (mask & AA_NET_CREATE) {
                buf = buffer.str();
                if (!prof.policy.rules->add_rule(buf.c_str(), deny,
-                                                AA_NET_CREATE,
-                                                audit & AA_NET_CREATE,
+                                                map_perms(AA_NET_CREATE),
+                                                map_perms(audit & 
AA_NET_CREATE),
                                                 dfaflags))
                        goto fail;
                mask &= ~AA_NET_CREATE;
@@ -300,8 +308,8 @@
                if (mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD) {
                        buf = buffer.str();
                        if (!prof.policy.rules->add_rule(buf.c_str(), deny,
-                                                        mask & 
AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD,
-                                                        audit & 
AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD,
+                                                        map_perms(mask & 
AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
+                                                        map_perms(audit & 
AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
                                                         dfaflags))
                                goto fail;
                }
@@ -312,8 +320,8 @@
                        tmp << "\\x" << std::setfill('0') << std::setw(2) << 
std::hex << CMD_ACCEPT;
                        buf = tmp.str();
                        if (!prof.policy.rules->add_rule(buf.c_str(), deny,
-                                                        AA_NET_ACCEPT,
-                                                        audit & AA_NET_ACCEPT,
+                                                        
map_perms(AA_NET_ACCEPT),
+                                                        map_perms(audit & 
AA_NET_ACCEPT),
                                                         dfaflags))
                                goto fail;
                }
@@ -324,8 +332,8 @@
                        tmp << "..";
                        buf = tmp.str();
                        if (!prof.policy.rules->add_rule(buf.c_str(), deny,
-                                                        AA_NET_LISTEN,
-                                                        audit & AA_NET_LISTEN,
+                                                        
map_perms(AA_NET_LISTEN),
+                                                        map_perms(audit & 
AA_NET_LISTEN),
                                                         dfaflags))
                                goto fail;
                }
@@ -336,8 +344,8 @@
                        tmp << "..";
                        buf = tmp.str();
                        if (!prof.policy.rules->add_rule(buf.c_str(), deny,
-                                                        AA_NET_OPT,
-                                                        audit & AA_NET_OPT,
+                                                        map_perms(AA_NET_OPT),
+                                                        map_perms(audit & 
AA_NET_OPT),
                                                         dfaflags))
                                goto fail;
                }
@@ -375,7 +383,7 @@
                }
 
                buf = buffer.str();
-               if (!prof.policy.rules->add_rule(buf.c_str(), deny, mode & 
AA_PEER_NET_PERMS, audit, dfaflags))
+               if (!prof.policy.rules->add_rule(buf.c_str(), deny, 
map_perms(mode & AA_PEER_NET_PERMS), map_perms(audit), dfaflags))
                        goto fail;
        }
 
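Review bot: In the new add_rule call the permission argument is masked (`map_perms(mode & AA_PEER_NET_PERMS)`) but the audit argument is passed as `map_perms(audit)` unmasked, whereas every other call site touched by this patch masks `audit` with exactly the same mask as the permissions. The asymmetry predates this change, but since map_perms now relocates bits, any audit bits outside AA_PEER_NET_PERMS are carried into the old-format field as well; if that is unintended the call should read `map_perms(audit & AA_PEER_NET_PERMS)`, and if it is intended a one-line comment saying so would stop the next reader from "fixing" it. The enclosing branch and gen_policy_re itself begin outside this hunk.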

