[apparmor] [patch 02/26] Add stub rules to indicate compilation support for given features.
Seth Arnold
seth.arnold at canonical.com
Tue Apr 15 22:42:45 UTC 2014
On Tue, Apr 15, 2014 at 10:22:09AM -0700, john.johansen at canonical.com wrote:
> Policy enforcement needs to be able to support older userspaces and
> compilers that don't know about new features. The absence of a feature
> in the policydb indicates that feature mediation is not present for
> it.
>
> We add stub rules that provide a non-zero start state for features that
> are supported at compile time. This can be used by the kernel to
> indicate that it should enforce a given feature. This does not indicate
> the feature is allowed; in the absence of other rules for the feature,
> the feature will be denied.
>
> Note: this will break the minimize tests when run with kernels that
> support mount or dbus rules. A patch to specify these features to
> the parser is needed to fix this.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> Acked-by: Steve Beattie <steve at nxnw.org>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
-- at least if you're comfortable with the questions I've raised :)
Thanks
>
> ---
> parser/parser_regex.c | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> --- 2.9-test.orig/parser/parser_regex.c
> +++ 2.9-test/parser/parser_regex.c
> @@ -673,6 +673,12 @@
> return TRUE;
> }
>
> +#define MAKE_STR(X) #X
> +#define CLASS_STR(X) "\\d" MAKE_STR(X)
> +
> +static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
> +static const char *mediates_dbus = CLASS_STR(AA_CLASS_DBUS);
> +
Do we need to go to some effort to provide namespacing for these rules?
For the future, we need to ensure e.g. that no AA_CLASS_FOO ever equals
47, or we'll encode a rule for "/".
> int process_profile_policydb(Profile *prof)
> {
> int error = -1;
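Review bot: the two macros carry no comment explaining why stringification is split across two levels; `CLASS_STR(X)` hands `X` to `MAKE_STR` so that `AA_CLASS_MOUNT` is macro-expanded to its numeric value before `#` stringifies it, and `"\\d"` turns that number into a decimal byte escape in the rule string. A one-line comment above `#define MAKE_STR(X) #X` saying so would stop the next reader from assuming the literal name `AA_CLASS_MOUNT` is emitted. The collision raised above (a class value of 47 would encode the byte for "/") could be enforced at build time next to these definitions, for example with a static assertion that no `AA_CLASS_*` value used here equals 47, rather than left as a convention.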
> @@ -684,6 +690,20 @@
> if (!post_process_policydb_ents(prof))
> goto out;
>
> + /* insert entries to show indicate what compiler/policy expects
"show indicate", one or the other is redundant :)
> + * to be supported
> + */
> +
> + if (kernel_supports_mount) {
> + if (!aare_add_rule(prof->policy.rules, mediates_mount, 0, AA_MAY_READ, 0, dfaflags))
> + goto out;
> + prof->policy.count++;
> + }
> + if (kernel_supports_dbus) {
> + if (!aare_add_rule(prof->policy.rules, mediates_dbus, 0, AA_MAY_READ, 0, dfaflags))
> + goto out;
> + prof->policy.count++;
> + }
> if (prof->policy.count > 0) {
> prof->policy.dfa = aare_create_dfa(prof->policy.rules,
> &prof->policy.size,
>
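Review bot: the mount and dbus blocks are the same four lines with only the rule string and the `kernel_supports_*` flag varied; a small static helper taking the class string would keep the two in step and make the next feature a one-line addition. The stub is inserted with `AA_MAY_READ` even though, per the commit message, it grants nothing and exists only to produce a non-zero start state; a comment beside the `aare_add_rule` call stating that the permission value is a placeholder and the rule marks the class as mediated would document that choice.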