[apparmor] [patch 06/26] Add stub rules to indicate compilation support for given features.

Steve Beattie steve at nxnw.org
Wed Apr 9 21:34:31 UTC 2014


On Thu, Mar 27, 2014 at 08:45:19AM -0700, john.johansen at canonical.com wrote:
> Policy enforcement needs to be able to support older userspaces and
> compilers that don't know about new features. The absence of a feature
> in the policydb indicates that feature mediation is not present for
> it.
> 
> We add stub rules that provide a non-0 start state for features that
> are supported at compile time. This can be used by the kernel to
> indicate that it should enforce a given feature. This does not indicate
> the feature is allowed; in the absence of other rules for the feature,
> the feature will be denied.
> 
> Note: this will break the minimize tests when run with kernels that
>       support mount or dbus rules. A patch to specify these features to
>       the parser is needed to fix this.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Acked-by: Steve Beattie <steve at nxnw.org>

(I'm still not very keen on the in-band signaling this patch
represents, but I couldn't see a way to have a permission be accepted
where it shouldn't.)

> ---
>  parser/parser_regex.c |   20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> --- 2.9-test.orig/parser/parser_regex.c
> +++ 2.9-test/parser/parser_regex.c
> @@ -673,6 +673,12 @@
>  	return TRUE;
>  }
>  
> +#define MAKE_STR(X) #X
> +#define CLASS_STR(X) "\\d" MAKE_STR(X)
> +
> +static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
> +static const char *mediates_dbus =  CLASS_STR(AA_CLASS_DBUS);
> +
>  int process_profile_policydb(Profile *prof)
>  {
>  	int error = -1;
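Review bot: the `MAKE_STR`/`CLASS_STR` pair is the two-level stringification idiom (the argument of `CLASS_STR` is macro-expanded to its numeric value before `MAKE_STR` stringizes it), and `\d` followed by the digits is what turns that number into a single class byte, but neither fact is written down; a one-line comment above the two macros would save the next reader from asking why `CLASS_STR(AA_CLASS_MOUNT)` does not yield the literal text `AA_CLASS_MOUNT`. Minor: `static const char *const mediates_mount` would keep the pointers themselves from being reassigned, and the `mediates_dbus` line has a stray extra space after `=`.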
> @@ -684,6 +690,20 @@
>  	if (!post_process_policydb_ents(prof))
>  		goto out;
>  
> +	/* insert entries to show indicate what compiler/policy expects
> +	 * to be supported
> +	 */
> +
> +	if (kernel_supports_mount) {
> +		if (!aare_add_rule(prof->policy.rules, mediates_mount, 0, AA_MAY_READ, 0, dfaflags))
> +			goto out;
> +		prof->policy.count++;
> +	}
> +	if (kernel_supports_dbus) {
> +		if (!aare_add_rule(prof->policy.rules, mediates_dbus, 0, AA_MAY_READ, 0, dfaflags))
> +			goto out;
> +		prof->policy.count++;
> +	}
>  	if (prof->policy.count > 0) {
>  		prof->policy.dfa = aare_create_dfa(prof->policy.rules,
>  						  &prof->policy.size,
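Review bot: the stubs increment `prof->policy.count` unconditionally, so on a kernel with `kernel_supports_mount` or `kernel_supports_dbus` set every profile now passes `if (prof->policy.count > 0)` and gets a policydb DFA built for it, even one with no mount or dbus rules of its own; the description implies that is the point (the kernel must see the stub to enforce), so a sentence in the comment saying the cost is intentional would stop someone "optimising" it away later. The comment itself reads "to show indicate what compiler/policy expects" and should use one of the two verbs. Also, since the description says the stub "does not indicate the feature is allowed" yet each stub is added with `AA_MAY_READ`, please note why that bit on a rule consisting of the bare class byte is harmless, otherwise every reader of this code will stop at the same line.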

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
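The behaviour the commit message describes (no transition from the start state on a feature's class byte means the kernel does not mediate that feature; a stub transition means it does, with denial unless a real rule matches) is modelled below. This is an added example, not code from the patch, the parser or the kernel: a byte trie stands in for the policydb DFA, the kernel-side `query()` is a simplification, and the value 7 for `AA_CLASS_MOUNT`, the `AA_MAY_MOUNT` bit and the `\dNNN` decimal-escape decoding are assumptions made for the model. The `MAKE_STR`/`CLASS_STR` macros are copied from the patch to show what string the stub rule is built from.

```c
/* Added model of the stub-rule signalling described in the commit message
 * above; not AppArmor code. A byte trie stands in for the policydb DFA, and
 * the class value, AA_MAY_MOUNT bit and \dNNN escape are assumptions. */
#include <stdio.h>
#include <string.h>
#define AA_CLASS_MOUNT 7     /* assumed value, for the model only */
#define AA_MAY_READ    0x1
#define AA_MAY_MOUNT   0x2   /* assumed permission bit */

/* Same two-level stringification as the patch: CLASS_STR's argument is macro-
 * expanded before MAKE_STR stringizes it, so the result is "\\d7". */
#define MAKE_STR(X) #X
#define CLASS_STR(X) "\\d" MAKE_STR(X)

/* Decode a rule string: "\dNNN" (1-3 decimal digits, <= 255) is one byte,
 * anything else is literal. Returns the decoded length, or -1 on error. */
int decode_rule(const char *in, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    while (*in) {
        if (n >= outlen) return -1;
        if (in[0] == '\\' && in[1] == 'd') {
            int v = 0, digits = 0;
            for (in += 2; digits < 3 && *in >= '0' && *in <= '9'; digits++)
                v = v * 10 + (*in++ - '0');
            if (!digits || v > 255) return -1;
            out[n++] = (unsigned char)v;
        } else
            out[n++] = (unsigned char)*in++;
    }
    return (int)n;
}

/* Trie in place of the DFA: state 0 is "no transition", 1 is the start state. */
struct dfa { int next[256][256]; unsigned perms[256]; int nstates; };
int dfa_add(struct dfa *d, const unsigned char *s, int len, unsigned perms)
{
    int st = 1;
    for (int i = 0; i < len; i++) {
        if (!d->next[st][s[i]]) {
            if (d->nstates >= 256) return 0;
            d->next[st][s[i]] = d->nstates++;
        }
        st = d->next[st][s[i]];
    }
    d->perms[st] |= perms;
    return 1;
}

/* Compiler side: stub first if the kernel mediates mount, then the profile's
 * own mount rule (at most one here), encoded as class byte + path. */
int compile_profile(struct dfa *d, int kernel_supports_mount,
                    const char *mount_path, unsigned mount_perms)
{
    unsigned char buf[300]; int len;
    memset(d, 0, sizeof *d);
    d->nstates = 2;
    if (kernel_supports_mount) {
        len = decode_rule(CLASS_STR(AA_CLASS_MOUNT), buf, sizeof buf);
        if (len < 0 || !dfa_add(d, buf, len, AA_MAY_READ)) return 0;
    }
    if (mount_path) {
        buf[0] = AA_CLASS_MOUNT;
        len = decode_rule(mount_path, buf + 1, sizeof buf - 1);
        if (len < 0 || !dfa_add(d, buf, len + 1, mount_perms)) return 0;
    }
    return 1;
}

/* Kernel side: -1 if the class is not mediated (no start-state transition on
 * the class byte), else the permissions reached via class + path, 0 = denied. */
int query(const struct dfa *d, unsigned char cls, const char *path)
{
    int st = d->next[1][cls];
    if (!st) return -1;
    for (; *path; path++) {
        st = d->next[st][(unsigned char)*path];
        if (!st) return 0;
    }
    return (int)d->perms[st];
}

/* Compile for a given kernel, then run one mount lookup; -2 on compile error. */
int scenario(int kernel_supports_mount, const char *rule_path,
             unsigned rule_perms, const char *query_path)
{
    static struct dfa d;    /* static: the table is too large for a small stack */
    if (!compile_profile(&d, kernel_supports_mount, rule_path, rule_perms)) return -2;
    return query(&d, AA_CLASS_MOUNT, query_path);
}

/* Decode a rule string that must be exactly one byte; -1 otherwise. */
int single_byte(const char *rule)
{ unsigned char b[4]; return decode_rule(rule, b, sizeof b) == 1 ? b[0] : -1; }

int main(void)
{
    printf("%d %d %d\n", scenario(0, NULL, 0, "/mnt"), scenario(1, NULL, 0, "/mnt"),
           scenario(1, "/mnt", AA_MAY_MOUNT, "/mnt"));   /* -1 0 2 */
    return 0;
}
```

`scenario()` compiles a profile with at most one mount rule for an old or a new kernel and runs one mount lookup: -1 is the old-kernel case (no class transition, so the feature is unmediated), 0 is the new-kernel profile with no mount rule (the stub puts the class transition in place, the path then falls off the trie, denied), and `AA_MAY_MOUNT` comes back only when a matching rule exists. Querying with an empty path lands on the stub's own state and returns its `AA_MAY_READ`, which is the only thing that permission bit is attached to in the model.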