On Mon, Aug 25, 2014 at 05:06:17PM -0700, [email protected] wrote: > The old dfa table format has 2 64 bit permission field used to store > all of allow, quiet, audit, owner/!owner and transition mask. This leaves > 7 bits for entry + a few other special bits. > > Since policydb entries when using old style dfa permission format > don't use support the !owner permission entries we can map, the > high net work permission bits to these entries. > > This allows us to enforce base network permissions on system with > only support for the old dfa table format. > > Signed-off-by: John Johansen <[email protected]>
And again, here is the difference between the prior posted version and
this version.
diff -u 2.9-test/parser/af_unix.cc 2.9-test/parser/af_unix.cc
--- 2.9-test/parser/af_unix.cc
+++ 2.9-test/parser/af_unix.cc
@@ -220,8 +220,8 @@
{
return (mask & 0x7f) |
((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT
- 8)) |
- ((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 6) |
/* AA_OTHER_SHIFT - 20 */
- ((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 10); /*
AA_OTHER_SHIFT - 24 */
+ ((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) |
/* 2 + (AA_OTHER_SHIFT - 20) */
+ ((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 +
(AA_OTHER_SHIFT - 24) */
}
int unix_rule::gen_policy_re(Profile &prof)
--
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
signature.asc
Description: Digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
