[apparmor] [PATCH] apparmor: Add network debugging mode

Jeff Mahoney jeffm at suse.com
Fri Apr 6 21:30:10 UTC 2012


Hi all -

Here's a patch to implement network rule debugging for apparmor_parser.

I have already integrated our AppArmor network extensions with 3.4-rc1
and can post those if there is interest in including them upstream.
We've been dragging around the network rule code for a while already.

Please CC me on replies as I'm not on the list.

-Jeff

---

While integrating 3.4-rc1, I ran into a problem where network rules
weren't being processed. It ultimately boiled down to a kernel issue
but I found it useful to see what the parser thought it was working
with. Since the parser already has a debugging mode that will show things
like capabilities, it was an obvious extension to add network rules.

Signed-off-by: Jeff Mahoney <jeffm at suse.com>
---
 parser/parser_misc.c |  104 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 103 insertions(+), 1 deletion(-)

--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -178,7 +178,13 @@ struct network_tuple {
 
 /* used by af_name.h to auto generate table entries for "name", AF_NAME
  * pair */
-#define AA_GEN_NET_ENT(name, AF) {name, AF, "stream", SOCK_STREAM, "", 0xffffff}, {name, AF, "dgram", SOCK_DGRAM, "", 0xffffff}, {name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, {name, AF, "rdm", SOCK_RDM, "", 0xffffff}, {name, AF, "raw", SOCK_RAW, "", 0xffffff}, {name, AF, "packet", SOCK_PACKET, "", 0xffffff},
+#define AA_GEN_NET_ENT(name, AF) \
+	{name, AF, "stream",    SOCK_STREAM,    "", 0xffffff}, \
+	{name, AF, "dgram",     SOCK_DGRAM,     "", 0xffffff}, \
+	{name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, \
+	{name, AF, "rdm",       SOCK_RDM,       "", 0xffffff}, \
+	{name, AF, "raw",       SOCK_RAW,       "", 0xffffff}, \
+	{name, AF, "packet",    SOCK_PACKET,    "", 0xffffff},
 /*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "", 0xfffffff}, */
 
 static struct network_tuple network_mappings[] = {
@@ -908,6 +914,100 @@ void debug_capabilities(struct codomain
 		__debug_capabilities(cod->set_caps, "Set Capabilities");
 }
 
+const char *sock_types[] = {
+	[0] = "none",
+	[SOCK_STREAM] = "stream",
+	[SOCK_DGRAM] = "dgram",
+	[SOCK_RAW] = "raw",
+	[SOCK_RDM] = "rdm",
+	[SOCK_SEQPACKET] = "seqpacket",
+	[SOCK_PACKET] = "packet",
+	/*
+	 * See comment above
+	[SOCK_DCCP] = "dccp",
+	*/
+};
+#define ALL_TYPES 0x43e
+
+#undef AA_GEN_NET_ENT
+#define AA_GEN_NET_ENT(name, AF) [AF] = name,
+
+static const char *network_families[] = {
+#include "af_names.h"
+};
+
+void __debug_network(unsigned int *array, const char *name)
+{
+	int count = sizeof(sock_types)/sizeof(sock_types[0]);
+	unsigned int mask = ~((1 << count) -1);
+	unsigned int i, j;
+	int none = 1;
+	size_t af_max = get_af_max();
+
+	for (i = AF_UNSPEC; i < af_max; i++)
+		if (array[i]) {
+			none = 0;
+			break;
+		}
+
+	if (none)
+		return;
+
+	printf("%s: ", name);
+
+	/* This can only be set by an unqualified network rule */
+	if (array[AF_UNSPEC]) {
+		printf("<all>\n");
+		return;
+	}
+
+	for (i = 0; i < af_max; i++) {
+		if (array[i]) {
+			const char *fam = network_families[i];
+			int brackets = 0;
+			if (fam)
+				printf("%s ", fam);
+			else
+				printf("#%u ", i);
+
+			/* All types/protocols */
+			if (array[i] == 0xffffffff || array[i] == ALL_TYPES)
+				continue;
+
+			printf("{ ");
+
+			for (j = 0; j < count; j++) {
+				const char *type;
+				if (array[i] & (1 << j)) {
+					type = sock_types[j];
+					if (type)
+						printf("%s ", type);
+					else
+						printf("#%u ", j);
+				}
+			}
+			if (array[i] & mask)
+				printf("#%x ", array[i] & mask);
+
+			printf("} ");
+		}
+	}
+	printf("\n");
+}
+
+void debug_network(struct codomain *cod)
+{
+	if (cod->network_allowed)
+		__debug_network(cod->network_allowed, "Network");
+	if (cod->audit_network)
+		__debug_network(cod->audit_network, "Audit Net");
+	if (cod->deny_network)
+		__debug_network(cod->deny_network, "Deny Net");
+	if (cod->quiet_network)
+		__debug_network(cod->quiet_network, "Quiet Net");
+
+}
+
 void debug_cod_list(struct codomain *cod)
 {
 	if (cod->namespace)
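Review bot: `const char *fam = network_families[i];` indexes the table with `i` running up to `af_max` from `get_af_max()`, but the table's length is fixed by whatever entries af_names.h expands through the redefined AA_GEN_NET_ENT; unless get_af_max() is guaranteed never to exceed that length, a family bit set above the table's last designated index reads past the end of the array. A bounds check on the lookup keeps it safe either way, e.g. `const char *fam = (i < sizeof(network_families)/sizeof(network_families[0])) ? network_families[i] : NULL;`, which also preserves the existing `#%u` fallback. `#define ALL_TYPES 0x43e` is an undocumented magic value that must track sock_types[] by hand; a comment such as `/* bitmask of every index populated in sock_types[]: stream, dgram, raw, rdm, seqpacket, packet */` makes the coupling visible, and it will silently go stale if SOCK_DCCP is ever uncommented there. Finally `const char *sock_types[]` is an externally visible, writable pointer array; `static const char *const sock_types[]` keeps it file-local and read-only, matching the `static` already used for network_families.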
@@ -925,6 +1025,8 @@ void debug_cod_list(struct codomain *cod
 	
 	debug_capabilities(cod);
 
+	debug_network(cod);
+
 	if (cod->entries)
 		debug_cod_entries(cod->entries);
 


