[apparmor] [PATCH] update parser for 2.6.36 network

Steve Beattie steve at nxnw.org
Thu Aug 26 17:45:35 BST 2010


On Thu, Aug 26, 2010 at 09:30:23AM -0700, John Johansen wrote:
> The upstream 2.6.36 version of apparmor doesn't support network rules.
> Add a flag to the parser controlling the output of network rules,
> and warn per profile when network rules are not going to be enforced.

Patch looks okay to me, though is there any way for userspace to
detect that the version of apparmor doesn't support network rules?
Guessing based on the non-existence of a kernel file is only going to
lead to madness as stuff gets added back in.

> ---
>  parser/parser.h           |    1 +
>  parser/parser_interface.c |    5 +++--
>  parser/parser_main.c      |    2 ++
>  3 files changed, 6 insertions(+), 2 deletions(-)
> 
> --- master-new.orig/parser/parser.h
> +++ master-new/parser/parser.h
> @@ -179,6 +179,7 @@
>  
>  #define FLAG_CHANGEHAT_1_4  2
>  #define FLAG_CHANGEHAT_1_5  3
> +extern int kernel_supports_network;
>  extern int flag_changehat_version;
>  extern int read_implies_exec;
>  extern dfaflags_t dfaflags;
> --- master-new.orig/parser/parser_interface.c
> +++ master-new/parser/parser_interface.c
> @@ -639,7 +639,7 @@
>  	if (!sd_serialize_rlimits(p, &profile->rlimits))
>  		return 0;
>  
> -	if (profile->network_allowed) {
> +	if (profile->network_allowed && kernel_supports_network) {
>  		size_t i;
>  		if (!sd_write_array(p, "net_allowed_af", get_af_max()))
>  			return 0;
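Review bot: when `kernel_supports_network` is clear, the entire `net_allowed_af` array is omitted from the serialized profile rather than written empty, so the loaded profile carries no network restriction at all on that kernel. That matches the intent stated in the description (rules are not enforced anyway), but a short comment at the condition would make the deliberate omission obvious to the next reader, since the explanatory `else if` lives in the following hunk.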
> @@ -655,7 +655,8 @@
>  		}
>  		if (!sd_write_arrayend(p))
>  			return 0;
> -	}
> +	} else if (profile->network_allowed)
> +		pwarn(_("profile %s network rules not enforced\n"), profile->name);
>  
>  	/* either have a single dfa or lists of different entry types */
>  	if (regex_type == AARE_DFA) {
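Review bot: `} else if (profile->network_allowed)` drops the braces that the matching `if` branch uses; with a single `pwarn(...)` statement this is correct today, but a second statement added later would silently fall outside the conditional, so braces on both arms are safer. The warning itself fires once per profile, as the description promises.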
> --- master-new.orig/parser/parser_main.c
> +++ master-new/parser/parser_main.c
> @@ -90,6 +90,7 @@
>  char *flags_string = NULL;
>  int regex_type = AARE_DFA;
>  int perms_create = 0;		/* perms contain create flag */
> +int kernel_supports_network = 1;	/* kernel supports network rules */
>  char *profile_namespace = NULL;
>  int flag_changehat_version = FLAG_CHANGEHAT_1_5;
>  FILE *ofile = NULL;
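Review bot: `int kernel_supports_network = 1;` makes emitting network rules the default, which is the right choice for older kernels, but nothing visible in parser_main.c lets a user override the automatic detection that clears it in the hunk below. A command-line or configuration knob to force the flag either way would let administrators cope with a kernel where the heuristic misjudges support.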
> @@ -618,6 +619,7 @@
>  		 */
>  		regex_type = AARE_DFA;
>  		perms_create = 1;
> +		kernel_supports_network = 0;
>  	}
>  
>  	if (ms)
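Review bot: `kernel_supports_network = 0;` is set inside the same block that forces `regex_type = AARE_DFA;` and `perms_create = 1;`, so network-rule support is inferred from whatever condition selects that block rather than from a check of the network feature itself. That couples two unrelated kernel capabilities and is exactly the fragility raised in the reply above: a kernel that re-adds network rules but keeps the create-perm profile format would be misdetected. Suggest a separate detection step, or at minimum a comment on this block stating which kernel property it keys on.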

> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor


-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/

