[apparmor] [PATCH] apparmor: Add network debugging mode
Jeff Mahoney
jeffm at suse.com
Fri Apr 6 22:18:41 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/06/2012 06:03 PM, John Johansen wrote:
> On 04/06/2012 02:30 PM, Jeff Mahoney wrote:
>> Hi all -
>>
> Hey Jeff
>
>> Here's a patch to implement network rule debugging for
>> apparmor_parser.
>>
> thanks,
>
>> I have already integrated our AppArmor network extensions with
>> 3.4-rc1 and can post those if there is interest in including them
>> upstream. We've been dragging around the network rule code for a
>> while already.
>>
> oh please do, there are network extension/improvement patches that
> are a work in progress, if things work out we should have much
> better networking support in the 3.0 release.
>
> Out of curiosity what patches did you use for 3.4? I have been
> meaning to send you the revisions to the compatibility patches for
> 3.4.
I'm using the attached. They're a rework of the ones we were carrying
for 12.1 and earlier to use the new file infrastructure.
>
>> Please CC me on replies as I'm not on the list.
>>
>> -Jeff
>>
>> ---
>>
>> While integrating 3.4-rc1, I ran into a problem where network
>> rules weren't being processed. It ultimately boiled down to a
>> kernel issue but I found it useful to see what the parser thought
>> it was working with. Since the parser already has a debugging
>> mode that will show things like capabilities, it was an obvious
>> extension to add network rules.
>>
>> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
>
> There are a couple of compile warnings that I will fix but other
> than that it looks good to me
Oops. Sorry about that. I did some last minute cleanups that removed
those two variables, and I suppose count should be unsigned.
- -Jeff
> Acked-by: John Johansen <john.johansen at canonical.com>
>
>> --- parser/parser_misc.c | 104
>> ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file
>> changed, 103 insertions(+), 1 deletion(-)
>>
>> --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -178,7
>> +178,13 @@ struct network_tuple {
>>
>> /* used by af_name.h to auto generate table entries for "name",
>> AF_NAME * pair */ -#define AA_GEN_NET_ENT(name, AF) {name, AF,
>> "stream", SOCK_STREAM, "", 0xffffff}, {name, AF, "dgram",
>> SOCK_DGRAM, "", 0xffffff}, {name, AF, "seqpacket",
>> SOCK_SEQPACKET, "", 0xffffff}, {name, AF, "rdm", SOCK_RDM, "",
>> 0xffffff}, {name, AF, "raw", SOCK_RAW, "", 0xffffff}, {name, AF,
>> "packet", SOCK_PACKET, "", 0xffffff}, +#define
>> AA_GEN_NET_ENT(name, AF) \ + {name, AF, "stream", SOCK_STREAM,
>> "", 0xffffff}, \ + {name, AF, "dgram", SOCK_DGRAM, "",
>> 0xffffff}, \ + {name, AF, "seqpacket", SOCK_SEQPACKET, "",
>> 0xffffff}, \ + {name, AF, "rdm", SOCK_RDM, "",
>> 0xffffff}, \ + {name, AF, "raw", SOCK_RAW, "",
>> 0xffffff}, \ + {name, AF, "packet", SOCK_PACKET, "",
>> 0xffffff}, /*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "",
>> 0xfffffff}, */
>>
>> static struct network_tuple network_mappings[] = { @@ -908,6
>> +914,100 @@ void debug_capabilities(struct codomain
>> __debug_capabilities(cod->set_caps, "Set Capabilities"); }
>>
>> +const char *sock_types[] = { + [0] = "none", + [SOCK_STREAM] =
>> "stream", + [SOCK_DGRAM] = "dgram", + [SOCK_RAW] = "raw", +
>> [SOCK_RDM] = "rdm", + [SOCK_SEQPACKET] = "seqpacket", +
>> [SOCK_PACKET] = "packet", + /* + * See comment above +
>> [SOCK_DCCP] = "dccp", + */ +}; +#define ALL_TYPES 0x43e + +#undef
>> AA_GEN_NET_ENT +#define AA_GEN_NET_ENT(name, AF) [AF] = name, +
>> +static const char *network_families[] = { +#include
>> "af_names.h" +}; + +void __debug_network(unsigned int *array,
>> const char *name) +{ + int count =
>> sizeof(sock_types)/sizeof(sock_types[0]); + unsigned int mask =
>> ~((1 << count) -1); + unsigned int i, j; + int none = 1; + size_t
>> af_max = get_af_max(); + + for (i = AF_UNSPEC; i < af_max; i++) +
>> if (array[i]) { + none = 0; + break; + } + + if (none) +
>> return; + + printf("%s: ", name); + + /* This can only be set by
>> an unqualified network rule */ + if (array[AF_UNSPEC]) { +
>> printf("<all>\n"); + return; + } + + for (i = 0; i < af_max;
>> i++) { + if (array[i]) { + const char *fam =
>> network_families[i]; + int brackets = 0; + if (fam) +
>> printf("%s ", fam); + else + printf("#%u ", i); + + /* All
>> types/protocols */ + if (array[i] == 0xffffffff || array[i] ==
>> ALL_TYPES) + continue; + + printf("{ "); + + for (j = 0; j
>> < count; j++) { + const char *type; + if (array[i] & (1 <<
>> j)) { + type = sock_types[j]; + if (type) +
>> printf("%s ", type); + else + printf("#%u ", j); + }
>> + } + if (array[i] & mask) + printf("#%x ", array[i] &
>> mask); + + printf("} "); + } + } + printf("\n"); +} + +void
>> debug_network(struct codomain *cod) +{ + if
>> (cod->network_allowed) + __debug_network(cod->network_allowed,
>> "Network"); + if (cod->audit_network) +
>> __debug_network(cod->audit_network, "Audit Net"); + if
>> (cod->deny_network) + __debug_network(cod->deny_network, "Deny
>> Net"); + if (cod->quiet_network) +
>> __debug_network(cod->quiet_network, "Quiet Net"); + +} + void
>> debug_cod_list(struct codomain *cod) { if (cod->namespace) @@
>> -925,6 +1025,8 @@ void debug_cod_list(struct codomain *cod
>> debug_capabilities(cod);
>>
>> + debug_network(cod); + if (cod->entries)
>> debug_cod_entries(cod->entries);
>>
>
>
- --
Jeff Mahoney
SUSE Labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJPf2vBAAoJEB57S2MheeWydnIP/08C9dRwklkI/Z0EvFYMCwB3
yiN1A45h1bEuyOGDeonekyCmVD03XlagBSiRLFptM3qLDYeI7l3HarckhaI4nU81
+PXZkmnDyBq3hhaxGCZuD+Ajkq3OpP8YfDF0oH3/cZzK8RRyNXD9E/vaDverj3Y3
iWhH7BNzPAUEc8OaBhkJ2cPMFhPEfHfUnvwHO6w/e/d5rYcWJaUBJmb0CaWhAKW4
9YQN5rI+V7NMf5EFeZoPVMl7/PaKLdW2IK4Nw3BvthNSirRjpFQLRhaaKLqQW5Nb
Cg/qDYbZgNMDVly9z0yWawyHb4VEbLqeWqNbd2V2BS4R6rncti/F9kcL4tIYqi0P
R7Dw7t4923QD6/RQ4RC00F7iKQvsKNwZc5Y8JAYitnTLZQa8eSmTMv3w4G7hilPa
U0HW9msPhC410IYzxf5ZxiXznnWnbVVJ5G9bkzVslLk5GrGxGLb8s/nFiV/eOdFB
4kBBo3DJQLq1nYFuk3WQfMQs8y2dz/y7TW/ph5LjtON1N5MM2Yd1cGACw2al7fhE
PUkApZU00mtcIasbdXcZ2PIu5/7PfsFXe8XkWifcw46LWNuO5jQ52Z+AHImAZkEY
RtlYtYmljqS5W80BwnCfw2IF9wEkYnn5WU89glCCFF9+JJfG7GAFdMfsyK2Ifbac
WWolrtGLdaXdQ1QVSS8N
=RwLl
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: apparmor-compatibility-patch-for-v5-network-control
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120406/c57b145b/attachment-0002.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: apparmor-profiles-seq_file
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120406/c57b145b/attachment-0003.ksh>
More information about the AppArmor
mailing list