[apparmor] [PATCH 11/13] Add Basic infrastructure support for the policydb

Seth Arnold seth.arnold at gmail.com
Tue Feb 14 18:04:03 UTC 2012


The parser/policydb.h header says to contact Novell for a copy of the GPL even though Canonical is the only listed copyright holder.
-----Original Message-----
From: John Johansen <john.johansen at canonical.com>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Tue, 14 Feb 2012 09:32:33 
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] [PATCH 11/13] Add Basic infrastructure support for the
	policydb

policydb is the new matching format that combines the matching portions
of different rules into a single dfa/hfa.  This patch only lays some
groundwork; it does not add encoding of any rules into the policydb.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser.h           |    8 ++++++++
 parser/parser_interface.c |   20 +++++++++++++++++---
 parser/parser_policy.c    |   40 ++++++++++++++++++++++++++++++++++++++++
 parser/parser_regex.c     |   42 ++++++++++++++++++++++++++++++++++++++++++
 parser/policydb.h         |   40 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 147 insertions(+), 3 deletions(-)
 create mode 100644 parser/policydb.h

diff --git a/parser/parser.h b/parser/parser.h
index 6c1cc4f..1da5b87 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -136,6 +136,11 @@ struct codomain {
 	int dfarule_count;
 	void *dfa;
 	size_t dfa_size;
+
+	aare_ruleset_t *policy_rules;
+	int policy_rule_count;
+	void *policy_dfa;
+	size_t policy_dfa_size;
 };
 
 struct sd_hat {
@@ -275,6 +280,8 @@ extern int process_regex(struct codomain *cod);
 extern int post_process_entry(struct cod_entry *entry);
 extern void reset_regex(void);
 
+extern int process_policydb(struct codomain *cod);
+
 /* parser_variable.c */
 extern int process_variables(struct codomain *cod);
 extern struct var_string *split_out_var(char *string);
@@ -348,6 +355,7 @@ extern void post_process_nt_entries(struct codomain *cod);
 extern int post_process_policy(int debug_only);
 extern int process_hat_regex(struct codomain *cod);
 extern int process_hat_variables(struct codomain *cod);
+extern int process_hat_policydb(struct codomain *cod);
 extern int post_merge_rules(void);
 extern int merge_hat_rules(struct codomain *cod);
 extern struct codomain *merge_policy(struct codomain *a, struct codomain *b);
diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index 6b6d57d..fdd610d 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -59,6 +59,7 @@
 
 #define SUBDOMAIN_INTERFACE_VERSION 2
 #define SUBDOMAIN_INTERFACE_DFA_VERSION 5
+#define SUBDOMAIN_INTERFACE_POLICY_DB 16
 
 int sd_serialize_codomain(int option, struct codomain *cod);
 
@@ -654,6 +655,15 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 	} else if (profile->network_allowed)
 		pwarn(_("profile %s network rules not enforced\n"), profile->name);
 
+	if (profile->policy_dfa && regex_type == AARE_DFA) {
+		if (!sd_write_struct(p, "policydb"))
+			return 0;
+		if (!sd_serialize_dfa(p, profile->policy_dfa, profile->policy_dfa_size))
+			return 0;
+		if (!sd_write_structend(p))
+			return 0;
+	}
+
 	/* either have a single dfa or lists of different entry types */
 	if (regex_type == AARE_DFA) {
 		if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
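Review bot: The "policydb" section is written whenever profile->policy_dfa is set, yet the interface version emitted by sd_serialize_top_profile stays at SUBDOMAIN_INTERFACE_DFA_VERSION because the bump in the next hunk is commented out, so a loader expecting the version-5 layout would meet an extra struct it was never told about. As far as this patch goes the branch cannot fire, since post_process_policydb_ents leaves policy_rule_count at 0 and policy_dfa therefore never gets set, which is presumably why it is acceptable for now. A comment making that coupling explicit, e.g. `/* policy_dfa is only set once rules are encoded; land the version bump below with it */`, would stop the two from being enabled independently. sd_serialize_profile begins outside this hunk.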
@@ -685,9 +695,13 @@ int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
 {
 	int version;
 
-	if (regex_type == AARE_DFA)
-		version = SUBDOMAIN_INTERFACE_DFA_VERSION;
-	else
+	if (regex_type == AARE_DFA) {
+		/* Not yet
+		if (profile->policy_dfa)
+			version = SUBDOMAIN_INTERFACE_POLICYDB;
+		else */
+			version = SUBDOMAIN_INTERFACE_DFA_VERSION;
+	} else
 		version = SUBDOMAIN_INTERFACE_VERSION;
 
 
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 1d459d9..0e4a853 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -294,6 +294,33 @@ int process_hat_regex(struct codomain *cod)
 	return 0;
 }
 
+static void __process_policydb(const void *nodep, const VISIT value,
+			       const int __unused depth)
+{
+	struct codomain **t = (struct codomain **) nodep;
+
+	if (value == preorder || value == endorder)
+		return;
+
+	if (process_policydb(*t) != 0) {
+		PERROR(_("ERROR processing policydb rules for profile %s, failed to load\n"),
+		       (*t)->name);
+		exit(1);
+	}
+}
+
+int post_process_policydb(void)
+{
+	twalk(policy_list, __process_policydb);
+	return 0;
+}
+
+int process_hat_policydb(struct codomain *cod)
+{
+	twalk(cod->hat_table, __process_policydb);
+	return 0;
+}
+
 static void __process_variables(const void *nodep, const VISIT value,
 				const int __unused depth)
 {
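Review bot: post_process_policydb() is defined with external linkage, but the parser.h hunk in this patch declares only process_policydb() and process_hat_policydb(); its sole caller is post_process_policy() further down this file, so either make it `static int post_process_policydb(void)` or add the prototype beside process_hat_policydb in parser.h. Because __process_policydb calls exit(1) on failure, post_process_policydb() can only ever return 0, which makes the `retval != 0` branch added to post_process_policy() in the following hunk unreachable; if that deliberately mirrors the regex path a one-line comment saying so would help a reader. The name __process_policydb follows the file's existing __process_variables convention, although identifiers beginning with a double underscore are reserved for the implementation.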
@@ -706,6 +733,15 @@ int post_process_policy(int debug_only)
 		}
 	}
 
+	if (!debug_only) {
+		retval = post_process_policydb();
+		if (retval != 0) {
+			PERROR(_("%s: Errors found during policydb postprocess.  Aborting.\n"),
+			       progname);
+			return retval;
+		}
+	}
+
 	return retval;
 }
 
@@ -731,6 +767,10 @@ void free_policy(struct codomain *cod)
 		aare_delete_ruleset(cod->dfarules);
 	if (cod->dfa)
 		free(cod->dfa);
+	if (cod->policy_rules)
+		aare_delete_ruleset(cod->policy_rules);
+	if (cod->policy_dfa)
+		free(cod->policy_dfa);
 	if (cod->name)
 		free(cod->name);
 	if (cod->attachment)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index f5de63a..50a5836 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -611,6 +611,48 @@ out:
 	return error;
 }
 
+int post_process_policydb_ents(struct codomain *cod)
+{
+	int ret = TRUE;
+	int count = 0;
+
+	/* Add fns for rules that should be added to policydb here */
+
+	cod->policy_rule_count = count;
+	return ret;
+}
+
+int process_policydb(struct codomain *cod)
+{
+	int error = -1;
+
+	if (regex_type == AARE_DFA) {
+		cod->policy_rules = aare_new_ruleset(0);
+		if (!cod->policy_rules)
+			goto out;
+	}
+	if (!post_process_policydb_ents(cod))
+		goto out;
+
+	if (regex_type == AARE_DFA && cod->policy_rule_count > 0) {
+		cod->policy_dfa = aare_create_dfa(cod->policy_rules,
+						  &cod->policy_dfa_size,
+						  dfaflags);
+		aare_delete_ruleset(cod->policy_rules);
+		cod->policy_rules = NULL;
+		if (!cod->policy_dfa)
+			goto out;
+	}
+
+	if (process_hat_policydb(cod) != 0)
+		goto out;
+
+	error = 0;
+
+out:
+	return error;
+}
+
 void reset_regex(void)
 {
 	aare_reset_matchflags();
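Review bot: post_process_policydb_ents() has external linkage but no prototype is added for it in parser.h and its only caller is process_policydb() in this same hunk, so it should be `static int post_process_policydb_ents(struct codomain *cod)`. Its `int ret = TRUE` boolean return also differs from the 0 / -1 convention used by process_policydb() right below it; since the function is a placeholder whose `count` is never changed, a short doc comment pinning the contract, e.g. `/* returns TRUE on success; sets cod->policy_rule_count to the number of rules added */`, would keep later contributors on one convention. On the aare_new_ruleset() and aare_create_dfa() failure paths process_policydb() returns -1 without any diagnostic, so the PERROR in the twalk callback is the only message a user ever sees for those cases.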
diff --git a/parser/policydb.h b/parser/policydb.h
new file mode 100644
index 0000000..b488123
--- /dev/null
+++ b/parser/policydb.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, contact Novell, Inc.
+ */
+
+#ifndef __AA_POLICYDB_H
+#define __AA_POLICYDB_H
+
+/*
+ * Class of mediation types in the AppArmor policy db
+ */
+#define AA_CLASS_COND		0
+#define AA_CLASS_UNKNOWN	1
+#define AA_CLASS_FILE		2
+#define AA_CLASS_CAP		3
+#define AA_CLASS_NET		4
+#define AA_CLASS_RLIMITS	5
+#define AA_CLASS_DOMAIN		6
+#define AA_CLASS_MOUNT		7
+#define AA_CLASS_NS_DOMAIN	8
+#define AA_CLASS_PTRACE		9
+
+#define AA_CLASS_ENV		16
+
+#define AA_CLASS_DBUS		32
+#define AA_CLASS_X		33
+
+#endif /* __AA_POLICYDB_H */
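Review bot: The include guard `__AA_POLICYDB_H` is a reserved identifier (double leading underscore); `AA_POLICYDB_H` avoids that. The AA_CLASS_* numbers look like the class byte that will be encoded into the policydb dfa and so presumably have to match the kernel side exactly, with the gaps (10–15, 17–31) reserved, but nothing in the header says so; a comment such as `/* Class values are part of the kernel policydb interface; do not renumber. */` above the list would prevent a later tidy-up from breaking the wire format. None of the other hunks in this patch add an `#include "policydb.h"`, so the new header is created here but not yet referenced anywhere.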
-- 
1.7.9

