[apparmor] [patch 02/26] Add stub rules to indicate compilation support for given features.

Seth Arnold seth.arnold at canonical.com
Tue Apr 15 22:42:45 UTC 2014 

On Tue, Apr 15, 2014 at 10:22:09AM -0700, john.johansen at canonical.com wrote:
> Policy enforcement needs to be able to support older userspaces and
> compilers that don't know about new features. The absence of a feature
> in the policydb indicates that feature mediation is not present for
> it.
> 
> We add stub rules, that provide a none 0 start state for features that
> are supported at compile time. This can be used by the kernel to
> indicate that it should enforce a given feature. This does not indicate
> the feature is allowed, in an abscence of other rules for the feature
> the feature will be denied.
> 
> Note: this will break the minimize tests when run with kernels that
>       support mount or dbus rules. A patch to specify these features to
>       the parser is needed to fix this.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> Acked-by: Steve Beattie <steve at nxnw.org>

Acked-by: Seth Arnold <seth.arnold at canonical.com>
-- at least if you're comfortable with the questions I've raised :)

Thanks

> 
> ---
>  parser/parser_regex.c |   20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> --- 2.9-test.orig/parser/parser_regex.c
> +++ 2.9-test/parser/parser_regex.c
> @@ -673,6 +673,12 @@
>  	return TRUE;
>  }
>  
> +#define MAKE_STR(X) #X
> +#define CLASS_STR(X) "\\d" MAKE_STR(X)
> +
> +static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
> +static const char *mediates_dbus =  CLASS_STR(AA_CLASS_DBUS);
> +

Do we need to go to some effort to provide namespacing for these rules?
For the future, we need to ensure e.g. that no AA_CLASS_FOO ever equals
47, or we'll encode a rule for "/".

>  int process_profile_policydb(Profile *prof)
>  {
>  	int error = -1;
> @@ -684,6 +690,20 @@
>  	if (!post_process_policydb_ents(prof))
>  		goto out;
>  
> +	/* insert entries to show indicate what compiler/policy expects

"show indicate", one or the other is redundant :)

> +	 * to be supported
> +	 */
> +
> +	if (kernel_supports_mount) {
> +		if (!aare_add_rule(prof->policy.rules, mediates_mount, 0, AA_MAY_READ, 0, dfaflags))
> +			goto out;
> +		prof->policy.count++;
> +	}
> +	if (kernel_supports_dbus) {
> +		if (!aare_add_rule(prof->policy.rules, mediates_dbus, 0, AA_MAY_READ, 0, dfaflags))
> +			goto out;
> +		prof->policy.count++;
> +	}
>  	if (prof->policy.count > 0) {
>  		prof->policy.dfa = aare_create_dfa(prof->policy.rules,
>  						  &prof->policy.size,
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140415/e37d31bb/attachment.pgp>

More information about the AppArmor mailing list