[apparmor] [PATCH 1/4] parser: Generate accept states for denied dbus and mount rules

Tyler Hicks tyhicks at canonical.com
Thu Sep 26 23:08:07 UTC 2013


When using the deny rule modifier, accept states were not being
generated for dbus and mount rules. This means that the actions were
being denied, but it was not possible to quiet the auditing of the
actions.

The problem is that the deny and audit members of the dbus_entry and
mnt_entry structs were being used incorrectly. The deny member is
boolean, not a bitmask. When the deny modifier is exclusively used in a
rule, the deny boolean should be true and the audit mask should be equal
to the perm mask.

Here's the old parser output for denied dbus and mount rules:

  $ dbus="/t { deny dbus, }"
  $ mount="/t { deny mount, }"
  $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
  {1} <== (allow/deny/audit/quiet)
  $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
  {1} <== (allow/deny/audit/quiet)

With this patch, the accept states are generated correctly with deny and
quiet masks:

  $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
  {1} <== (allow/deny/audit/quiet)
  {3} (0x 0/40/0/40)
  {7} (0x 0/46/0/46)
  $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
  {1} <== (allow/deny/audit/quiet)
  {5} (0x 0/2/0/2)

https://launchpad.net/bugs/1226356

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 parser/parser_yacc.y | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 1c45c22..3489ba6 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -658,10 +658,12 @@ rules:  rules opt_prefix mnt_rule
 	{
 		if ($2.owner)
 			yyerror(_("owner prefix not allow on mount rules"));
-		if ($2.deny)
-			$3->deny = $3->allow;
-		if ($2.audit)
+		if ($2.deny) {
+			$3->deny = 1;
+			$3->audit = $3->allow;
+		} else if ($2.audit) {
 			$3->audit = $3->allow;
+		}
 		$3->next = $1->mnt_ents;
 		$1->mnt_ents = $3;
 		$$ = $1;
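Review bot: the new deny branch assigns `$3->audit = $3->allow;` without looking at `$2.audit`, so an `audit deny mount,` rule ends up with the same quiet mask as a plain `deny mount,`; the commit message only describes the audit mask equalling the perm mask when deny is used exclusively, so if audited denials are meant to stay un-quieted, consider guarding that assignment with `if (!$2.audit)` inside the deny branch. Minor: the context line `yyerror(_("owner prefix not allow on mount rules"));` should read "not allowed".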
@@ -671,10 +673,12 @@ rules:  rules opt_prefix dbus_rule
 	{
 		if ($2.owner)
 			yyerror(_("owner prefix not allow on dbus rules"));
-		if ($2.deny)
-			$3->deny = $3->mode;
-		if ($2.audit)
+		if ($2.deny) {
+			$3->deny = 1;
+			$3->audit = $3->mode;
+		} else if ($2.audit) {
 			$3->audit = $3->mode;
+		}
 		$3->next = $1->dbus_ents;
 		$1->dbus_ents = $3;
 		$$ = $1;
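Review bot: same concern as the mount hunk, the `if ($2.deny)` branch sets `$3->audit = $3->mode;` unconditionally, so the `$2.audit` prefix is ignored for denied dbus rules and `audit deny dbus,` is quieted exactly like `deny dbus,`; if that is not intended, make the assignment conditional on `!$2.audit`. The two branches are now byte-for-byte the same as the mount rule handling apart from `mode` vs `allow`, so the message string typo ("not allow on dbus rules") is worth fixing in the same pass.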
-- 
1.8.3.2