On Mon, Aug 25, 2014 at 05:06:17PM -0700, [email protected] wrote: > The old dfa table format has 2 64 bit permission field used to store > all of allow, quiet, audit, owner/!owner and transition mask. This leaves > 7 bits for entry + a few other special bits. > > Since policydb entries when using old style dfa permission format > don't use support the !owner permission entries we can map, the > high net work permission bits to these entries. > > This allows us to enforce base network permissions on system with > only support for the old dfa table format. > > Signed-off-by: John Johansen <[email protected]>
Sorry, I'm still not convinced with map_perms()... I did the math again
with the new values and it still looks like there's a collision.
> ---
> parser/af_unix.cc | 30 +++++++++++++++++++-----------
> 1 file changed, 19 insertions(+), 11 deletions(-)
>
> --- 2.9-test.orig/parser/af_unix.cc
> +++ 2.9-test/parser/af_unix.cc
> @@ -216,6 +216,14 @@
> }
> }
>
> +static uint32_t map_perms(uint32_t mask)
> +{
> + return (mask & 0x7f) |
> + ((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT
> - 8)) |
> + ((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) |
> /* 2 + (AA_OTHER_SHIFT - 20) */
> + ((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 +
> (AA_OTHER_SHIFT - 24) */
> +}
> +
Bits 0-7 inclusive stay put
Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR
Bits 20-23 inclusive move -4 to 16-19 ACCEPT | BIND | LISTEN
Bits 24-25 inclusive move -5 to 19-20 SETOPT | GETOPT
Is this correct? It looks like AA_NET_LISTEN overlaps with AA_NET_GETOPT.
Thanks
> int unix_rule::gen_policy_re(Profile &prof)
> {
> std::ostringstream buffer, tmp;
> @@ -258,8 +266,8 @@
> if (mask & AA_NET_CREATE) {
> buf = buffer.str();
> if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> - AA_NET_CREATE,
> - audit & AA_NET_CREATE,
> + map_perms(AA_NET_CREATE),
> + map_perms(audit &
> AA_NET_CREATE),
> dfaflags))
> goto fail;
> mask &= ~AA_NET_CREATE;
> @@ -300,8 +308,8 @@
> if (mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD) {
> buf = buffer.str();
> if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> - mask &
> AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD,
> - audit &
> AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD,
> + map_perms(mask &
> AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
> + map_perms(audit &
> AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
> dfaflags))
> goto fail;
> }
> @@ -312,8 +320,8 @@
> tmp << "\\x" << std::setfill('0') << std::setw(2) <<
> std::hex << CMD_ACCEPT;
> buf = tmp.str();
> if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> - AA_NET_ACCEPT,
> - audit & AA_NET_ACCEPT,
> +
> map_perms(AA_NET_ACCEPT),
> + map_perms(audit &
> AA_NET_ACCEPT),
> dfaflags))
> goto fail;
> }
> @@ -324,8 +332,8 @@
> tmp << "..";
> buf = tmp.str();
> if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> - AA_NET_LISTEN,
> - audit & AA_NET_LISTEN,
> +
> map_perms(AA_NET_LISTEN),
> + map_perms(audit &
> AA_NET_LISTEN),
> dfaflags))
> goto fail;
> }
> @@ -336,8 +344,8 @@
> tmp << "..";
> buf = tmp.str();
> if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> - AA_NET_OPT,
> - audit & AA_NET_OPT,
> + map_perms(AA_NET_OPT),
> + map_perms(audit &
> AA_NET_OPT),
> dfaflags))
> goto fail;
> }
> @@ -375,7 +383,7 @@
> }
>
> buf = buffer.str();
> - if (!prof.policy.rules->add_rule(buf.c_str(), deny, mode &
> AA_PEER_NET_PERMS, audit, dfaflags))
> + if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> map_perms(mode & AA_PEER_NET_PERMS), map_perms(audit), dfaflags))
> goto fail;
> }
>
>
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
signature.asc
Description: Digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
