On Mon, Aug 25, 2014 at 05:06:16PM -0700, [email protected] wrote:
> Signed-off-by: John Johansen <[email protected]>
> Acked-by: Steve Beattie <[email protected]>
Acked-by: Seth Arnold <[email protected]> Thanks
>
> ---
> parser/libapparmor_re/aare_rules.cc | 75
> ++++++++++++++++++++----------------
> 1 file changed, 42 insertions(+), 33 deletions(-)
>
> --- 2.9-test.orig/parser/libapparmor_re/aare_rules.cc
> +++ 2.9-test/parser/libapparmor_re/aare_rules.cc
> @@ -91,42 +91,13 @@
> return new CatNode(new CatNode(l, new CharNode(0)), r);
> }
>
> -bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
> - int count, const char **rulev, dfaflags_t flags)
> +static Node *convert_file_perms(int deny, uint32_t perms, uint32_t audit,
> + bool exact_match)
> {
> - Node *tree = NULL, *accept;
> - int exact_match;
> - uint32_t allow = perms;
> + Node *accept;
>
> assert(perms != 0);
>
> - if (regex_parse(&tree, rulev[0]))
> - return false;
> - for (int i = 1; i < count; i++) {
> - Node *subtree = NULL;
> - if (regex_parse(&subtree, rulev[i]))
> - return false;
> - tree = cat_with_null_seperator(tree, subtree);
> - }
> -
> - /*
> - * Check if we have an expression with or without wildcards. This
> - * determines how exec modifiers are merged in accept_perms() based
> - * on how we split permission bitmasks here.
> - */
> - exact_match = 1;
> - for (depth_first_traversal i(tree); i && exact_match; i++) {
> - if (dynamic_cast<StarNode *>(*i) ||
> - dynamic_cast<PlusNode *>(*i) ||
> - dynamic_cast<AnyCharNode *>(*i) ||
> - dynamic_cast<CharSetNode *>(*i) ||
> - dynamic_cast<NotCharSetNode *>(*i))
> - exact_match = 0;
> - }
> -
> - if (reverse)
> - flip_tree(tree);
> -
> /* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift
> */
> #define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
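Review bot: `assert(perms != 0)` is the only guard on the permission mask in the new `convert_file_perms`, and it compiles away under NDEBUG, so a release build of the parser would carry an empty mask into accept-node construction unchecked. Because this helper is where policy permissions are turned into accept state, a check that survives release builds would make the contract enforceable, for example `if (!perms) return false;` in `add_rule_vec` before the call. The new static function also has no header comment; I would add `/* Build the accept node for perms/audit. exact_match is false when the rule expression contains wildcards and affects how exec modifiers are merged. perms must be non-zero. */`, to be confirmed against the body, which continues outside this hunk.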
>
> @@ -195,6 +166,44 @@
> accept = flag;
> } /* for ... */
>
> + return accept;
> +}
> +
> +bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
> + int count, const char **rulev, dfaflags_t flags)
> +{
> + Node *tree = NULL, *accept;
> + int exact_match;
> +
> + if (regex_parse(&tree, rulev[0]))
> + return false;
> + for (int i = 1; i < count; i++) {
> + Node *subtree = NULL;
> + if (regex_parse(&subtree, rulev[i]))
> + return false;
> + tree = cat_with_null_seperator(tree, subtree);
> + }
> +
> + /*
> + * Check if we have an expression with or without wildcards. This
> + * determines how exec modifiers are merged in accept_perms() based
> + * on how we split permission bitmasks here.
> + */
> + exact_match = 1;
> + for (depth_first_traversal i(tree); i && exact_match; i++) {
> + if (dynamic_cast<StarNode *>(*i) ||
> + dynamic_cast<PlusNode *>(*i) ||
> + dynamic_cast<AnyCharNode *>(*i) ||
> + dynamic_cast<CharSetNode *>(*i) ||
> + dynamic_cast<NotCharSetNode *>(*i))
> + exact_match = 0;
> + }
> +
> + if (reverse)
> + flip_tree(tree);
> +
> + accept = convert_file_perms(deny, perms, audit, exact_match);
> +
> if (flags & DFA_DUMP_RULE_EXPR) {
> cerr << "rule: ";
> cerr << rulev[0];
> @@ -206,7 +215,7 @@
> tree->dump(cerr);
> if (deny)
> cerr << " deny";
> - cerr << " (0x" << hex << allow <<"/" << audit << dec << ")";
> + cerr << " (0x" << hex << perms <<"/" << audit << dec << ")";
> accept->dump(cerr);
> cerr << "\n\n";
> }
>
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
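Review bot: In the re-added `add_rule_vec`, the `return false` inside the `for (int i = 1; i < count; i++)` loop abandons the `tree` already built from the earlier `rulev` entries, so a rule vector whose later component fails to parse appears to leak the partial expression tree. The code is moved unchanged, but this refactor is a natural point to route both parse failures through one cleanup path that frees `tree` before returning. `rulev[0]` is also read without looking at `count`; a guard such as `if (count < 1) return false;` at the top would stop a caller with an empty vector from indexing past it. Separately, `exact_match` is declared `int` here but passed to a `bool exact_match` parameter, so `bool exact_match = true;` with `exact_match = false;` in the loop would keep the two sides consistent. The function body continues past the end of this hunk.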
