[apparmor] [PATCH 11/13] Add Basic infrastructure support for the policydb
Seth Arnold
seth.arnold at gmail.com
Tue Feb 14 18:04:03 UTC 2012
The parser/policydb.h header says to contact Novell for a copy of the GPL even though Canonical is the only listed copyright header.
-----Original Message-----
From: John Johansen <john.johansen at canonical.com>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Tue, 14 Feb 2012 09:32:33
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] [PATCH 11/13] Add Basic infrastructure support for the
policydb
policydb is the new matching format, that combines the matching portions
of different rules into a single dfa/hfa. This patch only lays some ground
work it does not add encoding of any rules into the policydb
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser.h | 8 ++++++++
parser/parser_interface.c | 20 +++++++++++++++++---
parser/parser_policy.c | 40 ++++++++++++++++++++++++++++++++++++++++
parser/parser_regex.c | 42 ++++++++++++++++++++++++++++++++++++++++++
parser/policydb.h | 40 ++++++++++++++++++++++++++++++++++++++++
5 files changed, 147 insertions(+), 3 deletions(-)
create mode 100644 parser/policydb.h
diff --git a/parser/parser.h b/parser/parser.h
index 6c1cc4f..1da5b87 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -136,6 +136,11 @@ struct codomain {
int dfarule_count;
void *dfa;
size_t dfa_size;
+
+ aare_ruleset_t *policy_rules;
+ int policy_rule_count;
+ void *policy_dfa;
+ size_t policy_dfa_size;
};
struct sd_hat {
@@ -275,6 +280,8 @@ extern int process_regex(struct codomain *cod);
extern int post_process_entry(struct cod_entry *entry);
extern void reset_regex(void);
+extern int process_policydb(struct codomain *cod);
+
/* parser_variable.c */
extern int process_variables(struct codomain *cod);
extern struct var_string *split_out_var(char *string);
@@ -348,6 +355,7 @@ extern void post_process_nt_entries(struct codomain *cod);
extern int post_process_policy(int debug_only);
extern int process_hat_regex(struct codomain *cod);
extern int process_hat_variables(struct codomain *cod);
+extern int process_hat_policydb(struct codomain *cod);
extern int post_merge_rules(void);
extern int merge_hat_rules(struct codomain *cod);
extern struct codomain *merge_policy(struct codomain *a, struct codomain *b);
diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index 6b6d57d..fdd610d 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -59,6 +59,7 @@
#define SUBDOMAIN_INTERFACE_VERSION 2
#define SUBDOMAIN_INTERFACE_DFA_VERSION 5
+#define SUBDOMAIN_INTERFACE_POLICY_DB 16
int sd_serialize_codomain(int option, struct codomain *cod);
@@ -654,6 +655,15 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
} else if (profile->network_allowed)
pwarn(_("profile %s network rules not enforced\n"), profile->name);
+ if (profile->policy_dfa && regex_type == AARE_DFA) {
+ if (!sd_write_struct(p, "policydb"))
+ return 0;
+ if (!sd_serialize_dfa(p, profile->policy_dfa, profile->policy_dfa_size))
+ return 0;
+ if (!sd_write_structend(p))
+ return 0;
+ }
+
/* either have a single dfa or lists of different entry types */
if (regex_type == AARE_DFA) {
if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
@@ -685,9 +695,13 @@ int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
{
int version;
- if (regex_type == AARE_DFA)
- version = SUBDOMAIN_INTERFACE_DFA_VERSION;
- else
+ if (regex_type == AARE_DFA) {
+ /* Not yet
+ if (profile->policy_dfa)
+ version = SUBDOMAIN_INTERFACE_POLICYDB;
+ else */
+ version = SUBDOMAIN_INTERFACE_DFA_VERSION;
+ } else
version = SUBDOMAIN_INTERFACE_VERSION;
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 1d459d9..0e4a853 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -294,6 +294,33 @@ int process_hat_regex(struct codomain *cod)
return 0;
}
+static void __process_policydb(const void *nodep, const VISIT value,
+ const int __unused depth)
+{
+ struct codomain **t = (struct codomain **) nodep;
+
+ if (value == preorder || value == endorder)
+ return;
+
+ if (process_policydb(*t) != 0) {
+ PERROR(_("ERROR processing policydb rules for profile %s, failed to load\n"),
+ (*t)->name);
+ exit(1);
+ }
+}
+
+int post_process_policydb(void)
+{
+ twalk(policy_list, __process_policydb);
+ return 0;
+}
+
+int process_hat_policydb(struct codomain *cod)
+{
+ twalk(cod->hat_table, __process_policydb);
+ return 0;
+}
+
static void __process_variables(const void *nodep, const VISIT value,
const int __unused depth)
{
@@ -706,6 +733,15 @@ int post_process_policy(int debug_only)
}
}
+ if (!debug_only) {
+ retval = post_process_policydb();
+ if (retval != 0) {
+ PERROR(_("%s: Errors found during policydb postprocess. Aborting.\n"),
+ progname);
+ return retval;
+ }
+ }
+
return retval;
}
@@ -731,6 +767,10 @@ void free_policy(struct codomain *cod)
aare_delete_ruleset(cod->dfarules);
if (cod->dfa)
free(cod->dfa);
+ if (cod->policy_rules)
+ aare_delete_ruleset(cod->policy_rules);
+ if (cod->policy_dfa)
+ free(cod->policy_dfa);
if (cod->name)
free(cod->name);
if (cod->attachment)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index f5de63a..50a5836 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -611,6 +611,48 @@ out:
return error;
}
+int post_process_policydb_ents(struct codomain *cod)
+{
+ int ret = TRUE;
+ int count = 0;
+
+ /* Add fns for rules that should be added to policydb here */
+
+ cod->policy_rule_count = count;
+ return ret;
+}
+
+int process_policydb(struct codomain *cod)
+{
+ int error = -1;
+
+ if (regex_type == AARE_DFA) {
+ cod->policy_rules = aare_new_ruleset(0);
+ if (!cod->policy_rules)
+ goto out;
+ }
+ if (!post_process_policydb_ents(cod))
+ goto out;
+
+ if (regex_type == AARE_DFA && cod->policy_rule_count > 0) {
+ cod->policy_dfa = aare_create_dfa(cod->policy_rules,
+ &cod->policy_dfa_size,
+ dfaflags);
+ aare_delete_ruleset(cod->policy_rules);
+ cod->policy_rules = NULL;
+ if (!cod->policy_dfa)
+ goto out;
+ }
+
+ if (process_hat_policydb(cod) != 0)
+ goto out;
+
+ error = 0;
+
+out:
+ return error;
+}
+
void reset_regex(void)
{
aare_reset_matchflags();
diff --git a/parser/policydb.h b/parser/policydb.h
new file mode 100644
index 0000000..b488123
--- /dev/null
+++ b/parser/policydb.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, contact Novell, Inc.
+ */
+
+#ifndef __AA_POLICYDB_H
+#define __AA_POLICYDB_H
+
+/*
+ * Class of mediation types in the AppArmor policy db
+ */
+#define AA_CLASS_COND 0
+#define AA_CLASS_UNKNOWN 1
+#define AA_CLASS_FILE 2
+#define AA_CLASS_CAP 3
+#define AA_CLASS_NET 4
+#define AA_CLASS_RLIMITS 5
+#define AA_CLASS_DOMAIN 6
+#define AA_CLASS_MOUNT 7
+#define AA_CLASS_NS_DOMAIN 8
+#define AA_CLASS_PTRACE 9
+
+#define AA_CLASS_ENV 16
+
+#define AA_CLASS_DBUS 32
+#define AA_CLASS_X 33
+
+#endif /* __AA_POLICYDB_H */
--
1.7.9
--
AppArmor mailing list
AppArmor at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
More information about the AppArmor
mailing list