[apparmor] [PATCH] apparmor: Add network debugging mode

Jeff Mahoney jeffm at suse.com
Fri Apr 6 22:18:41 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/06/2012 06:03 PM, John Johansen wrote:
> On 04/06/2012 02:30 PM, Jeff Mahoney wrote:
>> Hi all -
>> 
> Hey Jeff
> 
>> Here's a patch to implement network rule debugging for
>> apparmor_parser.
>> 
> thanks,
> 
>> I have already integrated our AppArmor network extensions with
>> 3.4-rc1 and can post those if there is interest in including them
>> upstream. We've been dragging around the network rule code for a
>> while already.
>> 
> oh please do, there are network extension/improvement patches that
> are a work in progress, if things work out we should have much
> better networking support in the 3.0 release.
> 
> Out of curiosity what patches did you use for 3.4?  I have been
> meaning to send you the revisions to the compatibility patches for
> 3.4.

I'm using the attached. They're a rework of the ones we were carrying
for 12.1 and earlier to use the new file infrastructure.

> 
>> Please CC me on replies as I'm not on the list.
>> 
>> -Jeff
>> 
>> ---
>> 
>> While integrating 3.4-rc1, I ran into a problem where network
>> rules weren't being processed. It ultimately boiled down to a
>> kernel issue but I found it useful to see what the parser thought
>> it was working with. Since the parser already has a debugging
>> mode that will show things like capabilities, it was an obvious
>> extension to add network rules.
>> 
>> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
> 
> There are a couple of compile warnings that I will fix but other
> than that it looks good to me

Oops. Sorry about that. I did some last minute cleanups that removed
those two variables, and I suppose count should be unsigned.

- -Jeff

> Acked-by: John Johansen <john.johansen at canonical.com>
> 
>> --- parser/parser_misc.c |  104
>> ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file
>> changed, 103 insertions(+), 1 deletion(-)
>> 
>> --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -178,7
>> +178,13 @@ struct network_tuple {
>> 
>> /* used by af_name.h to auto generate table entries for "name",
>> AF_NAME * pair */ -#define AA_GEN_NET_ENT(name, AF) {name, AF,
>> "stream", SOCK_STREAM, "", 0xffffff}, {name, AF, "dgram",
>> SOCK_DGRAM, "", 0xffffff}, {name, AF, "seqpacket",
>> SOCK_SEQPACKET, "", 0xffffff}, {name, AF, "rdm", SOCK_RDM, "",
>> 0xffffff}, {name, AF, "raw", SOCK_RAW, "", 0xffffff}, {name, AF,
>> "packet", SOCK_PACKET, "", 0xffffff}, +#define
>> AA_GEN_NET_ENT(name, AF) \ +	{name, AF, "stream",    SOCK_STREAM,
>> "", 0xffffff}, \ +	{name, AF, "dgram",     SOCK_DGRAM,     "",
>> 0xffffff}, \ +	{name, AF, "seqpacket", SOCK_SEQPACKET, "",
>> 0xffffff}, \ +	{name, AF, "rdm",       SOCK_RDM,       "",
>> 0xffffff}, \ +	{name, AF, "raw",       SOCK_RAW,       "",
>> 0xffffff}, \ +	{name, AF, "packet",    SOCK_PACKET,    "",
>> 0xffffff}, /*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "",
>> 0xfffffff}, */
>> 
>> static struct network_tuple network_mappings[] = { @@ -908,6
>> +914,100 @@ void debug_capabilities(struct codomain 
>> __debug_capabilities(cod->set_caps, "Set Capabilities"); }
>> 
>> +const char *sock_types[] = { +	[0] = "none", +	[SOCK_STREAM] =
>> "stream", +	[SOCK_DGRAM] = "dgram", +	[SOCK_RAW] = "raw", +
>> [SOCK_RDM] = "rdm", +	[SOCK_SEQPACKET] = "seqpacket", +
>> [SOCK_PACKET] = "packet", +	/* +	 * See comment above +
>> [SOCK_DCCP] = "dccp", +	*/ +}; +#define ALL_TYPES 0x43e + +#undef
>> AA_GEN_NET_ENT +#define AA_GEN_NET_ENT(name, AF) [AF] = name, + 
>> +static const char *network_families[] = { +#include
>> "af_names.h" +}; + +void __debug_network(unsigned int *array,
>> const char *name) +{ +	int count =
>> sizeof(sock_types)/sizeof(sock_types[0]); +	unsigned int mask =
>> ~((1 << count) -1); +	unsigned int i, j; +	int none = 1; +	size_t
>> af_max = get_af_max(); + +	for (i = AF_UNSPEC; i < af_max; i++) +
>> if (array[i]) { +			none = 0; +			break; +		} + +	if (none) +
>> return; + +	printf("%s: ", name); + +	/* This can only be set by
>> an unqualified network rule */ +	if (array[AF_UNSPEC]) { +
>> printf("<all>\n"); +		return; +	} + +	for (i = 0; i < af_max;
>> i++) { +		if (array[i]) { +			const char *fam =
>> network_families[i]; +			int brackets = 0; +			if (fam) +
>> printf("%s ", fam); +			else +				printf("#%u ", i); + +			/* All
>> types/protocols */ +			if (array[i] == 0xffffffff || array[i] ==
>> ALL_TYPES) +				continue; + +			printf("{ "); + +			for (j = 0; j
>> < count; j++) { +				const char *type; +				if (array[i] & (1 <<
>> j)) { +					type = sock_types[j]; +					if (type) +
>> printf("%s ", type); +					else +						printf("#%u ", j); +				} 
>> +			} +			if (array[i] & mask) +				printf("#%x ", array[i] &
>> mask); + +			printf("} "); +		} +	} +	printf("\n"); +} + +void
>> debug_network(struct codomain *cod) +{ +	if
>> (cod->network_allowed) +		__debug_network(cod->network_allowed,
>> "Network"); +	if (cod->audit_network) +
>> __debug_network(cod->audit_network, "Audit Net"); +	if
>> (cod->deny_network) +		__debug_network(cod->deny_network, "Deny
>> Net"); +	if (cod->quiet_network) +
>> __debug_network(cod->quiet_network, "Quiet Net"); + +} + void
>> debug_cod_list(struct codomain *cod) { if (cod->namespace) @@
>> -925,6 +1025,8 @@ void debug_cod_list(struct codomain *cod  
>> debug_capabilities(cod);
>> 
>> +	debug_network(cod); + if (cod->entries) 
>> debug_cod_entries(cod->entries);
>> 
> 
> 


- -- 
Jeff Mahoney
SUSE Labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPf2vBAAoJEB57S2MheeWydnIP/08C9dRwklkI/Z0EvFYMCwB3
yiN1A45h1bEuyOGDeonekyCmVD03XlagBSiRLFptM3qLDYeI7l3HarckhaI4nU81
+PXZkmnDyBq3hhaxGCZuD+Ajkq3OpP8YfDF0oH3/cZzK8RRyNXD9E/vaDverj3Y3
iWhH7BNzPAUEc8OaBhkJ2cPMFhPEfHfUnvwHO6w/e/d5rYcWJaUBJmb0CaWhAKW4
9YQN5rI+V7NMf5EFeZoPVMl7/PaKLdW2IK4Nw3BvthNSirRjpFQLRhaaKLqQW5Nb
Cg/qDYbZgNMDVly9z0yWawyHb4VEbLqeWqNbd2V2BS4R6rncti/F9kcL4tIYqi0P
R7Dw7t4923QD6/RQ4RC00F7iKQvsKNwZc5Y8JAYitnTLZQa8eSmTMv3w4G7hilPa
U0HW9msPhC410IYzxf5ZxiXznnWnbVVJ5G9bkzVslLk5GrGxGLb8s/nFiV/eOdFB
4kBBo3DJQLq1nYFuk3WQfMQs8y2dz/y7TW/ph5LjtON1N5MM2Yd1cGACw2al7fhE
PUkApZU00mtcIasbdXcZ2PIu5/7PfsFXe8XkWifcw46LWNuO5jQ52Z+AHImAZkEY
RtlYtYmljqS5W80BwnCfw2IF9wEkYnn5WU89glCCFF9+JJfG7GAFdMfsyK2Ifbac
WWolrtGLdaXdQ1QVSS8N
=RwLl
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: apparmor-compatibility-patch-for-v5-network-control
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120406/c57b145b/attachment-0002.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: apparmor-profiles-seq_file
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120406/c57b145b/attachment-0003.ksh>

More information about the AppArmor mailing list