The writeu16() function was returning a reference to the passed-in std::ostringstream, and the callers of that function were then incorrectly streaming that reference back into the rule buffer, which wrote the stream's address into the rule instead of the encoded value.
Signed-off-by: Tyler Hicks <[email protected]> --- Before: $ echo "/t { unix (connect,read,write) type=stream, }" | apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {3} (0x 4/0/0/0) {43} (0x 46/0/0/0) {44} (0x 46/0/0/0) {1} -> {2}: 0x2 {1} -> {3}: 0x4 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ {1} -> {4}: 0x34 4 {3} (0x 4/0/0/0) -> {5}: 0x0 {4} -> {6}: 0x0 {5} -> {7}: 0x1 {6} -> {2}: 0x31 1 {7} -> {8}: 0x30 0 {8} -> {9}: 0x78 x {9} -> {10}: 0x37 7 {10} -> {11}: 0x66 f {11} -> {12}: 0x66 f {12} -> {13}: 0x66 f {13} -> {14}: 0x31 1 {14} -> {15}: 0x30 0 {15} -> {16}: 0x34 4 {16} -> {17}: 0x66 f {17} -> {18}: 0x33 3 {18} -> {19}: 0x35 5 {19} -> {20}: 0x31 1 {20} -> {21}: 0x38 8 {21} -> {22}: 0x0 {22} -> {23}: 0x1 {23} -> {24}: 0x30 0 {24} -> {25}: 0x78 x {25} -> {26}: 0x37 7 {26} -> {27}: 0x66 f {27} -> {28}: 0x66 f {28} -> {29}: 0x66 f {29} -> {30}: 0x31 1 {30} -> {31}: 0x30 0 {31} -> {32}: 0x34 4 {32} -> {33}: 0x66 f {33} -> {34}: 0x33 3 {34} -> {35}: 0x35 5 {35} -> {36}: 0x31 1 {36} -> {37}: 0x38 8 {37} -> {38}: [] {38} -> {39}: [] {39} -> {40}: 0x0 {39} -> {39}: [] {40} -> {40}: 0x0 {40} -> {41}: 0x1 {40} -> {39}: [] {41} -> {42}: 0x0 {41} -> {39}: [] {42} -> {40}: 0x0 {42} -> {44}: 0x1 {42} -> {43}: [] {43} (0x 46/0/0/0) -> {40}: 0x0 {43} (0x 46/0/0/0) -> {43}: [] {44} (0x 46/0/0/0) -> {42}: 0x0 {44} (0x 46/0/0/0) -> {43}: [] After: $ echo "/t { unix (connect,read,write) type=stream, }" | apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {3} (0x 4/0/0/0) {15} (0x 46/0/0/0) {16} (0x 46/0/0/0) {1} -> {2}: 0x2 {1} -> {3}: 0x4 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ {1} -> {4}: 0x34 4 {3} (0x 4/0/0/0) -> {5}: 0x0 {4} -> {6}: 0x0 {5} -> {7}: 0x1 {6} -> {2}: 0x31 1 {7} -> {8}: 0x0 {8} -> {9}: 0x1 {9} -> {10}: [] {10} -> {11}: [] {11} -> {12}: 0x0 {11} -> {11}: [] {12} -> {12}: 0x0 {12} -> {13}: 0x1 {12} -> {11}: [] {13} -> {14}: 0x0 {13} -> {11}: [] {14} 
-> {12}: 0x0 {14} -> {16}: 0x1 {14} -> {15}: [] {15} (0x 46/0/0/0) -> {12}: 0x0 {15} (0x 46/0/0/0) -> {15}: [] {16} (0x 46/0/0/0) -> {14}: 0x0 {16} (0x 46/0/0/0) -> {15}: []
parser/af_unix.cc | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/parser/af_unix.cc b/parser/af_unix.cc
index 7f6c0d0..51e986f 100644
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -189,7 +189,7 @@ static void warn_once(const char *name)
 	warn_once(name, "extended network unix socket rules not enforced");
 }
 
-std::ostringstream &writeu16(std::ostringstream &o, int v)
+static void writeu16(std::ostringstream &o, int v)
 {
 	u16 tmp = htobe16((u16) v);
 	u8 *byte1 = (u8 *)&tmp;
@@ -197,7 +197,6 @@ std::ostringstream &writeu16(std::ostringstream &o, int v)
 
 	o << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(*byte1);
 	o << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(*byte2);
-	return o;
 }
 
 #define CMD_ADDR 1
@@ -256,13 +255,13 @@ int unix_rule::gen_policy_re(Profile &prof)
 	buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NET;
-	buffer << writeu16(buffer, AF_UNIX);
+	writeu16(buffer, AF_UNIX);
 	if (sock_type)
-		buffer << writeu16(buffer, sock_type_n);
+		writeu16(buffer, sock_type_n);
 	else
 		buffer << "..";
 	if (proto)
-		buffer << writeu16(buffer, proto_n);
+		writeu16(buffer, proto_n);
 	else
 		buffer << "..";
-- 
2.1.0
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
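Review bot: The new `static void writeu16(std::ostringstream &o, int v)` signature in the first hunk carries no comment, yet the return type is the substance of the fix: with `void`, a caller that again writes `buffer << writeu16(buffer, x)` fails to compile, whereas the old `std::ostringstream &` return let that expression compile and (presumably through the stream's implicit pointer conversion) insert the stream's address into the rule, as the Before dump in the description shows. I would add above the definition `/* Appends v to o as two \xNN escapes, high byte first. Returns void on purpose so that streaming the result back into o cannot compile. */`. Because the mis-encoding produced a valid-looking DFA and went unnoticed, a parser regression test that asserts the encoded class/AF_UNIX/type/proto prefix for a plain `unix` rule would catch this class of silent policy corruption; the three callers in the last hunk sit inside unix_rule::gen_policy_re, which starts and ends outside the hunk.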
