[apparmor] [PATCH 1/4] parser: Generate accept states for denied dbus and mount rules

John Johansen john.johansen at canonical.com
Fri Sep 27 13:51:20 UTC 2013


On 09/26/2013 04:08 PM, Tyler Hicks wrote:
> When using the deny rule modifier, accept states were not being
> generated for dbus and mount rules. This means that the actions were
> being denied, but it was not possible to quiet the auditing of the
> actions.
> 
> The problem is that the deny and audit members of the dbus_entry and
> mnt_entry structs were being used incorrectly. The deny member is
> boolean, not a bitmask. When the deny modifier is exclusively used in a
> rule, the deny boolean should be true and the audit mask should be equal
> to the perm mask.
> 
ugh, yes :(

So this is something I think we need to clean up. The backend needs to treat
all of these as bit masks, and doing something in the front end is just
confusing.

But that is another patch.

> Here's the old parser output for denied dbus and mount rules:
> 
>   $ dbus="/t { deny dbus, }"
>   $ mount="/t { deny mount, }"
>   $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
>   {1} <== (allow/deny/audit/quiet)
>   $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
>   {1} <== (allow/deny/audit/quiet)
> 
> With this patch, the accept states are generated correctly with deny and
> quiet masks:
> 
>   $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
>   {1} <== (allow/deny/audit/quiet)
>   {3} (0x 0/40/0/40)
>   {7} (0x 0/46/0/46)
>   $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
>   {1} <== (allow/deny/audit/quiet)
>   {5} (0x 0/2/0/2)
> 
> https://launchpad.net/bugs/1226356
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  parser/parser_yacc.y | 16 ++++++++++------
>  1 file changed, 10 insertions(+), 6 deletions(-)
> 
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index 1c45c22..3489ba6 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -658,10 +658,12 @@ rules:  rules opt_prefix mnt_rule
>  	{
>  		if ($2.owner)
>  			yyerror(_("owner prefix not allow on mount rules"));
> -		if ($2.deny)
> -			$3->deny = $3->allow;
> -		if ($2.audit)
> +		if ($2.deny) {
> +			$3->deny = 1;
> +			$3->audit = $3->allow;
> +		} else if ($2.audit) {
>  			$3->audit = $3->allow;
> +		}
>  		$3->next = $1->mnt_ents;
>  		$1->mnt_ents = $3;
>  		$$ = $1;
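Review bot: the `if ($2.deny) { ... } else if ($2.audit)` shape in this hunk makes the `audit` prefix a no-op on denied mount rules: `audit deny mount,` and `deny mount,` both end with `$3->deny = 1; $3->audit = $3->allow;`, and the commit message's own dump for a deny rule (`{5} (0x 0/2/0/2)`) shows that with deny set the audit field turns into the quiet mask, so an `audit deny` mount rule would be silenced instead of audited. The commit message only describes the case where deny is used "exclusively"; for the combined form the audit field should stay 0, e.g. `if ($2.deny && !$2.audit) $3->audit = $3->allow;`, or the combination should be rejected with yyerror until the backend treats deny/audit as masks. Minor: the unchanged context string `owner prefix not allow on mount rules` should read `not allowed`.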
> @@ -671,10 +673,12 @@ rules:  rules opt_prefix dbus_rule
>  	{
>  		if ($2.owner)
>  			yyerror(_("owner prefix not allow on dbus rules"));
> -		if ($2.deny)
> -			$3->deny = $3->mode;
> -		if ($2.audit)
> +		if ($2.deny) {
> +			$3->deny = 1;
> +			$3->audit = $3->mode;
> +		} else if ($2.audit) {
>  			$3->audit = $3->mode;
> +		}
>  		$3->next = $1->dbus_ents;
>  		$1->dbus_ents = $3;
>  		$$ = $1;
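Review bot: same problem for dbus: with `else if ($2.audit)` the `audit deny dbus,` form sets `$3->audit = $3->mode` exactly like plain `deny dbus,`, which per the dump in the commit message (`{3} (0x 0/40/0/40)`) yields a quiet mask equal to the deny mask, so the audit modifier is silently dropped rather than producing an audited denial. Guard the quiet assignment with `!$2.audit` (or reject the combination) the same way as for mount, so the two rule types stay consistent. The yyerror text here (`not allow on dbus rules`) carries the same `allowed` typo as the mount hunk, although this patch does not touch that line.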
> 
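To turn the `apparmor_parser -qQD dfa-states` check from the commit message into a repeatable regression test across rule types, here is an added example script. It is not code from AppArmor or from this patch; it assumes `apparmor_parser` is on PATH for the live check (the decoding helpers run without it), and the RULES list with its expected effects is constructed for this example from the intended meaning of the `deny` and `audit` modifiers.

```python
#!/usr/bin/env python3
"""Regression check: do denied/audited AppArmor rules get accept states?

Added example, not code from AppArmor or from this patch. It drives
`apparmor_parser -qQD dfa-states` the way the commit message does and
decodes the "{N} (0x allow/deny/audit/quiet)" lines it prints. The live
check assumes apparmor_parser is on PATH; the decoding helpers run
without it. The RULES list below is constructed for this example.
"""
import re
import subprocess

# One accept state per line: "{3} (0x 0/40/0/40)" -> state 3, masks in hex,
# in the allow/deny/audit/quiet order announced by the "{1} <==" header.
STATE_RE = re.compile(
    r"\{(\d+)\}\s+\(0x\s+([0-9a-fA-F]+)/([0-9a-fA-F]+)/([0-9a-fA-F]+)/([0-9a-fA-F]+)\)"
)


def parse_dfa_states(dump):
    """Return [(state, allow, deny, audit, quiet), ...] from a dfa-states dump.

    Like the `sed '/^$/,$d'` in the commit message, reading stops at the
    first empty line, which separates the accept-state table from the rest
    of the parser's debug output.
    """
    states = []
    for line in dump.splitlines():
        if line.strip() == "":
            break
        m = STATE_RE.search(line)
        if m:
            state = int(m.group(1))
            allow, deny, audit, quiet = (int(x, 16) for x in m.groups()[1:])
            states.append((state, allow, deny, audit, quiet))
    return states


def rule_effect(states):
    """Summarize what the accept states of a single-rule profile encode.

    "none"         no accept state at all (the bug the patch fixes)
    "deny-quiet"   deny mask set and fully covered by the quiet mask (`deny x,`)
    "deny-audit"   deny mask set and not quieted (what `audit deny x,` should be)
    "allow-audit"  allow mask set and fully covered by the audit mask (`audit x,`)
    "allow"        allow mask set, nothing audited
    """
    allow = deny = audit = quiet = 0
    for _, a, d, au, q in states:
        allow, deny, audit, quiet = allow | a, deny | d, audit | au, quiet | q
    if deny:
        return "deny-quiet" if (deny & quiet) == deny else "deny-audit"
    if allow:
        return "allow-audit" if (allow & audit) == allow else "allow"
    return "none"


def dfa_states_for(rule):
    """Compile a one-rule profile with apparmor_parser and return its accept states."""
    profile = "/t { %s }" % rule
    proc = subprocess.run(
        ["apparmor_parser", "-qQD", "dfa-states"],
        input=profile, capture_output=True, text=True, check=False,
    )
    # stdout and stderr are combined to mirror the 2>&1 in the commit message
    return parse_dfa_states(proc.stdout + proc.stderr)


# Constructed rule set (assumption): each rule with the effect its modifiers
# are meant to produce.
RULES = [
    ("deny dbus,", "deny-quiet"),
    ("deny mount,", "deny-quiet"),
    ("audit deny mount,", "deny-audit"),
    ("audit dbus,", "allow-audit"),
]


def check_rules(rules=RULES):
    """Return {rule: (expected, observed)} for every rule whose effect differs."""
    mismatches = {}
    for rule, expected in rules:
        observed = rule_effect(dfa_states_for(rule))
        if observed != expected:
            mismatches[rule] = (expected, observed)
    return mismatches


if __name__ == "__main__":
    import sys
    bad = check_rules()
    for rule, (expected, observed) in bad.items():
        print("%-22s expected %-12s got %s" % (rule, expected, observed))
    sys.exit(1 if bad else 0)
```

Run it against a parser built with and without the patch: the pre-patch build reports `none` for the two plain `deny` rules, as in the "old parser output" above. The `audit deny` entry is there to catch the case where the audit modifier is silently folded into the quiet mask, which the table in `rule_effect` reports as `deny-quiet` instead of `deny-audit`.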