On 08/26/2014 11:30 PM, Seth Arnold wrote:
> On Mon, Aug 25, 2014 at 05:06:17PM -0700, [email protected] wrote:
>> The old dfa table format has two 64-bit permission fields used to store
>> all of allow, quiet, audit, owner/!owner and transition mask. This leaves
>> 7 bits for entry + a few other special bits.
>>
>> Since policydb entries when using the old style dfa permission format
>> don't support the !owner permission entries we can map the
>> high network permission bits to these entries.
>>
>> This allows us to enforce base network permissions on systems with
>> only support for the old dfa table format.
>>
>> Signed-off-by: John Johansen <[email protected]>
>
> Sorry, I'm still not convinced with map_perms()... I did the math again
> with the new values and it still looks like there's a collision.
>
>> ---
>>  parser/af_unix.cc | 30 +++++++++++++++++++-----------
>>  1 file changed, 19 insertions(+), 11 deletions(-)
>>
>> --- 2.9-test.orig/parser/af_unix.cc
>> +++ 2.9-test/parser/af_unix.cc
>> @@ -216,6 +216,14 @@
>>  }
>>  }
>>
>> +static uint32_t map_perms(uint32_t mask)
>> +{
>> + return (mask & 0x7f) |
>> + ((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT
>> - 8)) |
>> + ((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) |
>> /* 2 + (AA_OTHER_SHIFT - 20) */
>> + ((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 +
>> (AA_OTHER_SHIFT - 24) */
>> +}
>> +
>
> Bits 0-7 inclusive stay put
> Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR
> Bits 20-23 inclusive move -4 to 16-19 ACCEPT | BIND | LISTEN
> Bits 24-25 inclusive move -5 to 19-20 SETOPT | GETOPT
>
> Is this correct? It looks like AA_NET_LISTEN overlaps with AA_NET_GETOPT.
>

No, your counting is off:

20-22 inclusive move -4 to 16-18 ACCEPT | BIND | LISTEN (notice 22, not 23)
23 is skipped, hence the need to shift 5 for 24-25 instead of 4
24-25 inclusive move -5 to 19-20

Obviously the comments could be fixed to list the bit positions as above.

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
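Review bot: in map_perms() only the GETATTR/SETATTR term is written in terms of AA_OTHER_SHIFT; the other two groups use the literal shifts `>> 4` and `>> 5`, so if AA_OTHER_SHIFT ever moves, bits 8-9 follow it while bits 20-22 and 24-25 stay at 16-18 and 19-20, and the three destination ranges can start to overlap without any compile error. The comments `/* 2 + (AA_OTHER_SHIFT - 20) */` and `/* 5 + (AA_OTHER_SHIFT - 24) */` evaluate to the right counts but hide the layout well enough that the reviewer miscounted it; suggest either deriving all three shifts from AA_OTHER_SHIFT or replacing the comments with the resulting positions (8-9 -> 14-15, 20-22 -> 16-18, bit 23 unused, 24-25 -> 19-20), and adding a compile-time check that the low 0x7f entry bits and the three shifted groups are pairwise disjoint, since a collision here silently merges two distinct network permissions in the old-format policy.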
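The disagreement above comes down to whether the remapped bit ranges are disjoint. As an added check, not code from the patch or from the AppArmor parser, the following program reproduces the map_perms() expression and verifies mechanically that every source bit lands on its own destination bit. The bit positions (GETATTR/SETATTR at 8-9, ACCEPT/BIND/LISTEN at 20-22, SETOPT/GETOPT at 24-25) and AA_OTHER_SHIFT == 14 are assumptions read off the thread's arithmetic, not the project's real constants.

```c
/* Added example, not AppArmor source. Bit positions and AA_OTHER_SHIFT are
 * assumed from the thread ("(14 - 8) = 6", "20-22", "24-25"). */
#include <stdint.h>
#include <stdio.h>

#define AA_OTHER_SHIFT 14
#define AA_NET_GETATTR (1u << 8)
#define AA_NET_SETATTR (1u << 9)
#define AA_NET_ACCEPT  (1u << 20)
#define AA_NET_BIND    (1u << 21)
#define AA_NET_LISTEN  (1u << 22)
#define AA_NET_SETOPT  (1u << 24)
#define AA_NET_GETOPT  (1u << 25)

/* Same expression as the patch under review. */
static uint32_t map_perms(uint32_t mask)
{
	return (mask & 0x7f) |
		((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT - 8)) |
		((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) |
		((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5);
}

/* Every high network bit the mapping is meant to carry. */
static const uint32_t net_bits[] = {
	AA_NET_GETATTR, AA_NET_SETATTR, AA_NET_ACCEPT, AA_NET_BIND,
	AA_NET_LISTEN, AA_NET_SETOPT, AA_NET_GETOPT,
};

/* Destination bit index of one source bit, or -1 if the mapping drops it
 * or spreads it over more than one bit. */
int dest_bit(uint32_t src)
{
	uint32_t d = map_perms(src);
	int i = 0;

	if (d == 0 || (d & (d - 1)) != 0)
		return -1;
	while (!((d >> i) & 1))
		i++;
	return i;
}

/* 1 when the 7 entry bits stay put and each network bit gets a distinct
 * destination that collides with nothing else; 0 on any overlap. */
int mapping_is_injective(void)
{
	uint32_t seen = 0;
	size_t k;
	int i;

	for (i = 0; i < 7; i++) {		/* entry bits 0-6 must not move */
		uint32_t d = map_perms(1u << i);
		if (d != (1u << i))
			return 0;
		seen |= d;
	}
	for (k = 0; k < sizeof net_bits / sizeof net_bits[0]; k++) {
		int b = dest_bit(net_bits[k]);
		if (b < 0 || (seen & (1u << b)))
			return 0;	/* dropped, smeared, or already taken */
		seen |= 1u << b;
	}
	return 1;
}

int main(void)
{
	size_t k;

	for (k = 0; k < sizeof net_bits / sizeof net_bits[0]; k++)
		printf("source bit %2d -> destination bit %2d\n",
		       dest_bit(net_bits[k]) < 0 ? -1 : dest_bit(net_bits[k]) + 0,
		       dest_bit(net_bits[k]));
	printf("bit 23 maps to %d (unused, hence the extra shift)\n",
	       dest_bit(1u << 23));
	printf("mapping injective: %s\n", mapping_is_injective() ? "yes" : "no");
	return 0;
}
```

With the assumed positions the check confirms John's table: 8-9 land on 14-15, 20-22 on 16-18, 24-25 on 19-20, bit 23 maps to nothing, and no two destinations coincide. Changing any of the assumed constants at the top (for example moving AA_NET_LISTEN to bit 23, the reading Seth used) makes mapping_is_injective() return 0, which is the property a compile-time assertion in the parser would pin down.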
