[apparmor] [PATCH 3/4] parser: Clean up dbus accept state bitmasks

John Johansen john.johansen at canonical.com
Fri Sep 27 14:06:54 UTC 2013


On 09/26/2013 04:08 PM, Tyler Hicks wrote:
> AppArmor dbus rules are split into two classes. The first is
> (send receive) rules and the second is bind rules. When the parser was
> creating its internal representation of dbus rules, it wasn't separating
> the overlapping bitmasks for (send receive) perms and bind perms.
> 
> (send receive) perms are 0x06 and bind perms are 0x40. Here's the old
> parser output for an audit dbus rule that has accept states for
> (send receive) and for bind:
> 
>   $ dbus="/t { audit dbus, }"
>   $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
>   {1} <== (allow/deny/audit/quiet)
>   {3} (0x 40/0/40/0)
>   {7} (0x 46/0/46/0)
> 
> The {3} state is the accept state for the bind perms. The {7} state is
> the accept state for the (send receive) perms. Note that the bind perm
> mask bled over into the (send receive) accept state's mask.
> 
> With this patch, the masks for the two accept states do not overlap:
> 
>   $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
>   {1} <== (allow/deny/audit/quiet)
>   {3} (0x 40/0/40/0)
>   {7} (0x 6/0/6/0)
> 
> Additionally, this patch makes the rule creation for (send receive)
> perms more strict to keep any future perm bits from unintentionally
> slipping into the (send receive) accept states.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  parser/parser_regex.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index 9dd2977..8e23498 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -1129,11 +1129,17 @@ static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry
>  	}
>  
>  	if (entry->mode & AA_DBUS_BIND) {
> -		if (!aare_add_rule_vec(dfarules, entry->deny, entry->mode & AA_DBUS_BIND, entry->audit & AA_DBUS_BIND, 2, vec, dfaflags))
> +		if (!aare_add_rule_vec(dfarules, entry->deny,
> +				       entry->mode & AA_DBUS_BIND,
> +				       entry->audit & AA_DBUS_BIND,
> +				       2, vec, dfaflags))
>  			goto fail;
>  	}
> -	if (entry->mode & ~AA_DBUS_BIND) {
> -		if (!aare_add_rule_vec(dfarules, entry->deny, entry->mode, entry->audit, 6, vec, dfaflags))
> +	if (entry->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) {
> +		if (!aare_add_rule_vec(dfarules, entry->deny,
> +				entry->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
> +				entry->audit & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
> +				6, vec, dfaflags))
>  			goto fail;
>  	}
>  	return TRUE;
> 
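Review bot: the second branch silently drops any mode bit that is neither AA_DBUS_BIND nor AA_DBUS_SEND | AA_DBUS_RECEIVE; the old `entry->mode & ~AA_DBUS_BIND` test at least routed every non-bind bit into a rule, whereas after this hunk an unknown bit in `entry->mode` produces no rule and no error. Since the stated goal is to keep future perm bits from slipping in unnoticed, consider rejecting them explicitly rather than ignoring them, e.g. a check before the two branches such as `if (entry->mode & ~(AA_DBUS_BIND | AA_DBUS_SEND | AA_DBUS_RECEIVE)) goto fail;` (or an assert), so a new permission bit fails loudly until it is wired to an accept state. Minor style point: the continuation lines of the first `aare_add_rule_vec` call are aligned to the opening parenthesis while those of the second call are not; pick one alignment for both.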
