[apparmor] [PATCH 11/13] Add Basic infrastructure support for the policydb
John Johansen
john.johansen at canonical.com
Tue Feb 14 18:10:03 UTC 2012
On 02/14/2012 10:04 AM, Seth Arnold wrote:
> The parser/policydb.h header says to contact Novell for a copy of the GPL even though Canonical is the only listed copyright header.
whee, copy and waste and its best :)
thanks Seth
> -----Original Message-----
> From: John Johansen <john.johansen at canonical.com>
> Sender: apparmor-bounces at lists.ubuntu.com
> Date: Tue, 14 Feb 2012 09:32:33
> To: <apparmor at lists.ubuntu.com>
> Subject: [apparmor] [PATCH 11/13] Add Basic infrastructure support for the
> policydb
>
> policydb is the new matching format, that combines the matching portions
> of different rules into a single dfa/hfa. This patch only lays some ground
> work it does not add encoding of any rules into the policydb
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
> parser/parser.h | 8 ++++++++
> parser/parser_interface.c | 20 +++++++++++++++++---
> parser/parser_policy.c | 40 ++++++++++++++++++++++++++++++++++++++++
> parser/parser_regex.c | 42 ++++++++++++++++++++++++++++++++++++++++++
> parser/policydb.h | 40 ++++++++++++++++++++++++++++++++++++++++
> 5 files changed, 147 insertions(+), 3 deletions(-)
> create mode 100644 parser/policydb.h
>
> diff --git a/parser/parser.h b/parser/parser.h
> index 6c1cc4f..1da5b87 100644
> --- a/parser/parser.h
> +++ b/parser/parser.h
> @@ -136,6 +136,11 @@ struct codomain {
> int dfarule_count;
> void *dfa;
> size_t dfa_size;
> +
> + aare_ruleset_t *policy_rules;
> + int policy_rule_count;
> + void *policy_dfa;
> + size_t policy_dfa_size;
> };
>
> struct sd_hat {
> @@ -275,6 +280,8 @@ extern int process_regex(struct codomain *cod);
> extern int post_process_entry(struct cod_entry *entry);
> extern void reset_regex(void);
>
> +extern int process_policydb(struct codomain *cod);
> +
> /* parser_variable.c */
> extern int process_variables(struct codomain *cod);
> extern struct var_string *split_out_var(char *string);
> @@ -348,6 +355,7 @@ extern void post_process_nt_entries(struct codomain *cod);
> extern int post_process_policy(int debug_only);
> extern int process_hat_regex(struct codomain *cod);
> extern int process_hat_variables(struct codomain *cod);
> +extern int process_hat_policydb(struct codomain *cod);
> extern int post_merge_rules(void);
> extern int merge_hat_rules(struct codomain *cod);
> extern struct codomain *merge_policy(struct codomain *a, struct codomain *b);
> diff --git a/parser/parser_interface.c b/parser/parser_interface.c
> index 6b6d57d..fdd610d 100644
> --- a/parser/parser_interface.c
> +++ b/parser/parser_interface.c
> @@ -59,6 +59,7 @@
>
> #define SUBDOMAIN_INTERFACE_VERSION 2
> #define SUBDOMAIN_INTERFACE_DFA_VERSION 5
> +#define SUBDOMAIN_INTERFACE_POLICY_DB 16
>
> int sd_serialize_codomain(int option, struct codomain *cod);
>
> @@ -654,6 +655,15 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
> } else if (profile->network_allowed)
> pwarn(_("profile %s network rules not enforced\n"), profile->name);
>
> + if (profile->policy_dfa && regex_type == AARE_DFA) {
> + if (!sd_write_struct(p, "policydb"))
> + return 0;
> + if (!sd_serialize_dfa(p, profile->policy_dfa, profile->policy_dfa_size))
> + return 0;
> + if (!sd_write_structend(p))
> + return 0;
> + }
> +
> /* either have a single dfa or lists of different entry types */
> if (regex_type == AARE_DFA) {
> if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
> @@ -685,9 +695,13 @@ int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
> {
> int version;
>
> - if (regex_type == AARE_DFA)
> - version = SUBDOMAIN_INTERFACE_DFA_VERSION;
> - else
> + if (regex_type == AARE_DFA) {
> + /* Not yet
> + if (profile->policy_dfa)
> + version = SUBDOMAIN_INTERFACE_POLICYDB;
> + else */
> + version = SUBDOMAIN_INTERFACE_DFA_VERSION;
> + } else
> version = SUBDOMAIN_INTERFACE_VERSION;
>
>
> diff --git a/parser/parser_policy.c b/parser/parser_policy.c
> index 1d459d9..0e4a853 100644
> --- a/parser/parser_policy.c
> +++ b/parser/parser_policy.c
> @@ -294,6 +294,33 @@ int process_hat_regex(struct codomain *cod)
> return 0;
> }
>
> +static void __process_policydb(const void *nodep, const VISIT value,
> + const int __unused depth)
> +{
> + struct codomain **t = (struct codomain **) nodep;
> +
> + if (value == preorder || value == endorder)
> + return;
> +
> + if (process_policydb(*t) != 0) {
> + PERROR(_("ERROR processing policydb rules for profile %s, failed to load\n"),
> + (*t)->name);
> + exit(1);
> + }
> +}
> +
> +int post_process_policydb(void)
> +{
> + twalk(policy_list, __process_policydb);
> + return 0;
> +}
> +
> +int process_hat_policydb(struct codomain *cod)
> +{
> + twalk(cod->hat_table, __process_policydb);
> + return 0;
> +}
> +
> static void __process_variables(const void *nodep, const VISIT value,
> const int __unused depth)
> {
> @@ -706,6 +733,15 @@ int post_process_policy(int debug_only)
> }
> }
>
> + if (!debug_only) {
> + retval = post_process_policydb();
> + if (retval != 0) {
> + PERROR(_("%s: Errors found during policydb postprocess. Aborting.\n"),
> + progname);
> + return retval;
> + }
> + }
> +
> return retval;
> }
>
> @@ -731,6 +767,10 @@ void free_policy(struct codomain *cod)
> aare_delete_ruleset(cod->dfarules);
> if (cod->dfa)
> free(cod->dfa);
> + if (cod->policy_rules)
> + aare_delete_ruleset(cod->policy_rules);
> + if (cod->policy_dfa)
> + free(cod->policy_dfa);
> if (cod->name)
> free(cod->name);
> if (cod->attachment)
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index f5de63a..50a5836 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -611,6 +611,48 @@ out:
> return error;
> }
>
> +int post_process_policydb_ents(struct codomain *cod)
> +{
> + int ret = TRUE;
> + int count = 0;
> +
> + /* Add fns for rules that should be added to policydb here */
> +
> + cod->policy_rule_count = count;
> + return ret;
> +}
> +
> +int process_policydb(struct codomain *cod)
> +{
> + int error = -1;
> +
> + if (regex_type == AARE_DFA) {
> + cod->policy_rules = aare_new_ruleset(0);
> + if (!cod->policy_rules)
> + goto out;
> + }
> + if (!post_process_policydb_ents(cod))
> + goto out;
> +
> + if (regex_type == AARE_DFA && cod->policy_rule_count > 0) {
> + cod->policy_dfa = aare_create_dfa(cod->policy_rules,
> + &cod->policy_dfa_size,
> + dfaflags);
> + aare_delete_ruleset(cod->policy_rules);
> + cod->policy_rules = NULL;
> + if (!cod->policy_dfa)
> + goto out;
> + }
> +
> + if (process_hat_policydb(cod) != 0)
> + goto out;
> +
> + error = 0;
> +
> +out:
> + return error;
> +}
> +
> void reset_regex(void)
> {
> aare_reset_matchflags();
> diff --git a/parser/policydb.h b/parser/policydb.h
> new file mode 100644
> index 0000000..b488123
> --- /dev/null
> +++ b/parser/policydb.h
> @@ -0,0 +1,40 @@
> +/*
> + * Copyright 2009-2010 Canonical Ltd.
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License as
> + * published by the Free Software Foundation, version 2 of the
> + * License.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, contact Novell, Inc.
> + */
> +
> +#ifndef __AA_POLICYDB_H
> +#define __AA_POLICYDB_H
> +
> +/*
> + * Class of mediation types in the AppArmor policy db
> + */
> +#define AA_CLASS_COND 0
> +#define AA_CLASS_UNKNOWN 1
> +#define AA_CLASS_FILE 2
> +#define AA_CLASS_CAP 3
> +#define AA_CLASS_NET 4
> +#define AA_CLASS_RLIMITS 5
> +#define AA_CLASS_DOMAIN 6
> +#define AA_CLASS_MOUNT 7
> +#define AA_CLASS_NS_DOMAIN 8
> +#define AA_CLASS_PTRACE 9
> +
> +#define AA_CLASS_ENV 16
> +
> +#define AA_CLASS_DBUS 32
> +#define AA_CLASS_X 33
> +
> +#endif /* __AA_POLICYDB_H */
More information about the AppArmor
mailing list