[apparmor] [PATCH 05/11] Fix two x transition conflict bugs.

John Johansen john.johansen at canonical.com
Tue Dec 14 08:58:42 GMT 2010


The is_merged_x_consistent macro was incorrect in that it tested for
USER_EXEC_TYPE to determine if there was an x transition.  This fails
for unconfined execs, so an unconfined exec would not correctly conflict
with another exec type.

The dfa match flag table for xtransitions was not large enough and not
indexed properly for pux and cux transitions.  The index calculation did
not take into account the pux flag, so that pux and px aliased to the same
location and cux and cx aliased to the same location.

This would result in the first rule being processed defining what the
transition type was for all following rules of that type.  So
if a px transition was processed first, all pux transitions in the profile
would be treated as pux.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/immunix.h               |    4 ++--
 parser/libapparmor_re/regexp.y |   10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/parser/immunix.h b/parser/immunix.h
index b6483c1..0d1729f 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -148,12 +148,12 @@ enum pattern_t {
 #include <stdio.h>
 static inline int is_merged_x_consistent(int a, int b)
 {
-	if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
+	if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
 	    ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
 { fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
 		return 0;
 }
-	if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
+	if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
 	    ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
 { fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
 		return 0;
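Review bot: the corrected conditions test the exec bit itself (AA_USER_EXEC / AA_OTHER_EXEC) instead of the type bits, so two rules that both grant exec are now compared even when one of them carries no type bits at all, which is the unconfined case the message describes; a regression test that merges an unconfined x rule with a px rule on the same path and expects the merge to be rejected would pin this behaviour down. The `fprintf(stderr, ...)` debug output and the unindented braces are unchanged context, but they leave a static inline in a header emitting diagnostics via `#include <stdio.h>`, which deserves a separate cleanup.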
diff --git a/parser/libapparmor_re/regexp.y b/parser/libapparmor_re/regexp.y
index 022becc..c07b1cf 100644
--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
@@ -2836,9 +2836,9 @@ extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
 #define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
 MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
 DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];	/* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2)	/* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];	/* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
 
 extern "C" void aare_reset_matchflags(void)
 {
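Review bot: the new EXEC_MATCH_FLAGS_SIZE expression evaluates to the same value as the old one (`(AA_EXEC_COUNT << 2) * 2` and `AA_EXEC_COUNT *2 * 2 * 2` are both 8 * AA_EXEC_COUNT), so this hunk changes only the comments, not the table size that the message says was too small; if the existing size already covers the widened 0x7f index, the message should say so, and either way a compile-time check that EXEC_MATCH_FLAGS_SIZE exceeds the index mask would make the dependency between the table and EXTRACT_X_INDEX explicit rather than implicit. Minor: the spacing in `AA_EXEC_COUNT *2 * 2 * 2` is inconsistent, and the two trailing comments differ (`unsafe x bits * u::o` vs `mods + unsafe + ix + pux * u::o`) for what is the same layout.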
@@ -2900,8 +2900,8 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 	flip_tree(tree);
 
 
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
 
 //if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
 //	fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
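Review bot: with the shift reduced to 7 and the mask widened to 0x7f, the extracted index spans 7 bits (0..127), so every table indexed through EXTRACT_X_INDEX must hold at least 128 entries; deriving the table size from the mask (mask plus one) via a single constant would keep the two from drifting apart again, which is exactly how the pux/px and cux/cx aliasing arose. The commented-out check that follows, `(!perms & AA_EXEC_BITS)`, negates `perms` before the bitwise and, so if it is ever re-enabled it should read `!(perms & AA_EXEC_BITS)`.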
-- 
1.7.1