[apparmor] [patch 2/5] group network rule bits into their own file
john.johansen at canonical.com
john.johansen at canonical.com
Wed Aug 6 12:32:46 UTC 2014
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/Makefile | 11 +
parser/network.c | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++
parser/network.h | 78 +++++++++++
parser/parser.h | 30 ----
parser/parser_misc.c | 308 ----------------------------------------------
parser/profile.h | 24 ---
6 files changed, 424 insertions(+), 363 deletions(-)
--- 2.9-test.orig/parser/Makefile
+++ 2.9-test/parser/Makefile
@@ -79,10 +79,10 @@
SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \
parser_main.c parser_misc.c parser_merge.c parser_symtab.c \
parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \
- parser_alias.c common_optarg.c lib.c \
+ parser_alias.c common_optarg.c lib.c network.c \
mount.cc dbus.cc profile.cc rule.cc signal.cc ptrace.cc
HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \
- rule.h common_optarg.h signal.h ptrace.h
+ rule.h common_optarg.h signal.h ptrace.h network.h
TOOLS = apparmor_parser
OBJECTS = $(SRCS:.c=.o)
@@ -197,7 +197,7 @@
parser_lex.o: parser_lex.c parser.h parser_yacc.h
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
-parser_misc.o: parser_misc.c parser.h parser_yacc.h profile.h af_names.h cap_names.h $(APPARMOR_H)
+parser_misc.o: parser_misc.c parser.h parser_yacc.h profile.h cap_names.h $(APPARMOR_H)
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_yacc.o: parser_yacc.c parser_yacc.h $(APPARMOR_H)
@@ -251,7 +251,10 @@
ptrace.o: ptrace.c ptrace.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
-profile.o: profile.cc profile.h parser.h
+network.o: network.c network.h parser.h immunix.h parser_yacc.h rule.h af_names.h $(APPARMOR_H)
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
+
+profile.o: profile.cc profile.h parser.h network.h
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
rule.o: rule.c rule.h policydb.h
--- /dev/null
+++ 2.9-test/parser/network.c
@@ -0,0 +1,336 @@
+/*
+ * Copyright (c) 2014
+ * Canonical, Ltd. (All rights reserved)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, contact Novell, Inc. or Canonical
+ * Ltd.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <sys/apparmor.h>
+
+#include <iomanip>
+#include <string>
+#include <sstream>
+#include <map>
+
+#include "parser.h"
+#include "profile.h"
+#include "parser_yacc.h"
+#include "network.h"
+
+
+/* Bleah C++ doesn't have non-trivial designated initializers so we just
+ * have to make sure these are in order. This means we are more brittle
+ * but there isn't much we can do.
+ */
+const char *sock_types[] = {
+ "none", /* 0 */
+ "stream", /* 1 [SOCK_STREAM] */
+ "dgram", /* 2 [SOCK_DGRAM] */
+ "raw", /* 3 [SOCK_RAW] */
+ "rdm", /* 4 [SOCK_RDM] */
+ "seqpacket", /* 5 [SOCK_SEQPACKET] */
+ "dccp", /* 6 [SOCK_DCCP] */
+ "invalid", /* 7 */
+ "invalid", /* 8 */
+ "invalid", /* 9 */
+ "packet", /* 10 [SOCK_PACKET] */
+ /*
+ * See comment above
+ */
+};
+
+struct network_tuple {
+ const char *family_name;
+ unsigned int family;
+ const char *type_name;
+ unsigned int type;
+ const char *protocol_name;
+ unsigned int protocol;
+};
+
+/* FIXME: currently just treating as a bit mask this will have to change
+ * set up a table of mappings, there can be several mappings for a
+ * given match.
+ * currently the mapping does not set the protocol for stream/dgram to
+ * anything other than 0.
+ * network inet tcp -> network inet stream 0 instead of
+ * network inet raw tcp.
+ * some entries are just provided for completeness at this time
+ */
+/* values stolen from /etc/protocols - needs to change */
+#define RAW_TCP 6
+#define RAW_UDP 17
+#define RAW_ICMP 1
+#define RAW_ICMPv6 58
+
+/* used by af_name.h to auto generate table entries for "name", AF_NAME
+ * pair */
+#define AA_GEN_NET_ENT(name, AF) \
+ {name, AF, "stream", SOCK_STREAM, "", 0xffffff}, \
+ {name, AF, "dgram", SOCK_DGRAM, "", 0xffffff}, \
+ {name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, \
+ {name, AF, "rdm", SOCK_RDM, "", 0xffffff}, \
+ {name, AF, "raw", SOCK_RAW, "", 0xffffff}, \
+ {name, AF, "packet", SOCK_PACKET, "", 0xffffff},
+/*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "", 0xfffffff}, */
+
+static struct network_tuple network_mappings[] = {
+ /* basic types */
+ #include "af_names.h"
+/* FIXME: af_names.h is missing AF_LLC, AF_TIPC */
+ /* mapped types */
+ {"inet", AF_INET, "raw", SOCK_RAW,
+ "tcp", 1 << RAW_TCP},
+ {"inet", AF_INET, "raw", SOCK_RAW,
+ "udp", 1 << RAW_UDP},
+ {"inet", AF_INET, "raw", SOCK_RAW,
+ "icmp", 1 << RAW_ICMP},
+ {"inet", AF_INET, "tcp", SOCK_STREAM,
+ "", 0xffffffff}, /* should we give raw tcp too? */
+ {"inet", AF_INET, "udp", SOCK_DGRAM,
+ "", 0xffffffff}, /* should these be open masks? */
+ {"inet", AF_INET, "icmp", SOCK_RAW,
+ "", 1 << RAW_ICMP},
+ {"inet6", AF_INET6, "tcp", SOCK_STREAM,
+ "", 0xffffffff},
+ {"inet6", AF_INET6, "udp", SOCK_DGRAM,
+ "", 0xffffffff},
+/* what do we do with icmp on inet6?
+ {"inet6", AF_INET, "icmp", SOCK_RAW, 0},
+ {"inet6", AF_INET, "icmpv6", SOCK_RAW, 0},
+*/
+ /* terminate */
+ {NULL, 0, NULL, 0, NULL, 0}
+};
+
+/* The apparmor kernel patches up until 2.6.38 didn't handle networking
+ * tables with sizes > AF_MAX correctly. This could happen when the
+ * parser was built against newer kernel headers and then used to load
+ * policy on an older kernel. This could happen during upgrades or
+ * in multi-kernel boot systems.
+ *
+ * Try to detect the running kernel version and use that to determine
+ * AF_MAX
+ */
+#define PROC_VERSION "/proc/sys/kernel/osrelease"
+static size_t kernel_af_max(void) {
+ char buffer[32];
+ int major;
+ int fd, res;
+
+ if (!net_af_max_override) {
+ return 0;
+ }
+ /* the override parameter is specifying the max value */
+ if (net_af_max_override > 0)
+ return net_af_max_override;
+
+ fd = open(PROC_VERSION, O_RDONLY);
+ if (!fd)
+ /* fall back to default provided during build */
+ return 0;
+ res = read(fd, &buffer, sizeof(buffer) - 1);
+ close(fd);
+ if (res <= 0)
+ return 0;
+ buffer[res] = '\0';
+ res = sscanf(buffer, "2.6.%d", &major);
+ if (res != 1)
+ return 0;
+
+ switch(major) {
+ case 24:
+ case 25:
+ case 26:
+ return 34;
+ case 27:
+ return 35;
+ case 28:
+ case 29:
+ case 30:
+ return 36;
+ case 31:
+ case 32:
+ case 33:
+ case 34:
+ case 35:
+ return 37;
+ case 36:
+ case 37:
+ return 38;
+ /* kernels .38 and later should handle this correctly so no
+ * static mapping needed
+ */
+ default:
+ return 0;
+ }
+}
+
+/* Yuck. We grab AF_* values to define above from linux/socket.h because
+ * they are more accurate than sys/socket.h for what the kernel actually
+ * supports. However, we can't just include linux/socket.h directly,
+ * because the AF_* definitions are protected with an ifdef KERNEL
+ * wrapper, but we don't want to define that because that can cause
+ * other redefinitions from glibc. However, because the kernel may have
+ * more definitions than glibc, we need make sure AF_MAX reflects this,
+ * hence the wrapping function.
+ */
+size_t get_af_max() {
+ size_t af_max;
+ /* HACK: declare that version without "create" had a static AF_MAX */
+ if (!perms_create && !net_af_max_override)
+ net_af_max_override = -1;
+
+#if AA_AF_MAX > AF_MAX
+ af_max = AA_AF_MAX;
+#else
+ af_max = AF_MAX;
+#endif
+
+ /* HACK: some kernels didn't handle network tables from parsers
+ * compiled against newer kernel headers as they are larger than
+ * the running kernel expected. If net_override is defined check
+ * to see if there is a static max specified for that kernel
+ */
+ if (net_af_max_override) {
+ size_t max = kernel_af_max();
+ if (max && max < af_max)
+ return max;
+ }
+
+ return af_max;
+}
+struct aa_network_entry *new_network_ent(unsigned int family,
+ unsigned int type,
+ unsigned int protocol)
+{
+ struct aa_network_entry *new_entry;
+ new_entry = (struct aa_network_entry *) calloc(1, sizeof(struct aa_network_entry));
+ if (new_entry) {
+ new_entry->family = family;
+ new_entry->type = type;
+ new_entry->protocol = protocol;
+ new_entry->next = NULL;
+ }
+ return new_entry;
+}
+
+struct aa_network_entry *network_entry(const char *family, const char *type,
+ const char *protocol)
+{
+ int i;
+ struct aa_network_entry *new_entry, *entry = NULL;
+
+ for (i = 0; network_mappings[i].family_name; i++) {
+ if (family) {
+ PDEBUG("Checking family %s\n", network_mappings[i].family_name);
+ if (strcmp(family, network_mappings[i].family_name) != 0)
+ continue;
+ PDEBUG("Found family %s\n", family);
+ }
+ if (type) {
+ PDEBUG("Checking type %s\n", network_mappings[i].type_name);
+ if (strcmp(type, network_mappings[i].type_name) != 0)
+ continue;
+ PDEBUG("Found type %s\n", type);
+ }
+ if (protocol) {
+ PDEBUG("Checking protocol type %s\n", network_mappings[i].protocol_name);
+ if (strcmp(type, network_mappings[i].protocol_name) != 0)
+ continue;
+ /* fixme should we allow specifying protocol by #
+ * without needing the protocol mapping? */
+ }
+ /* if here we have a match */
+ new_entry = new_network_ent(network_mappings[i].family,
+ network_mappings[i].type,
+ network_mappings[i].protocol);
+ if (!new_entry)
+ yyerror(_("Memory allocation error."));
+ new_entry->next = entry;
+ entry = new_entry;
+ }
+
+ return entry;
+};
+
+#define ALL_TYPES 0x43e
+
+/* another case of C++ not supporting non-trivial designated initializers */
+#undef AA_GEN_NET_ENT
+#define AA_GEN_NET_ENT(name, AF) name, /* [AF] = name, */
+
+static const char *network_families[] = {
+#include "af_names.h"
+};
+
+void __debug_network(unsigned int *array, const char *name)
+{
+ unsigned int count = sizeof(sock_types)/sizeof(sock_types[0]);
+ unsigned int mask = ~((1 << count) -1);
+ unsigned int i, j;
+ int none = 1;
+ size_t af_max = get_af_max();
+
+ for (i = AF_UNSPEC; i < af_max; i++)
+ if (array[i]) {
+ none = 0;
+ break;
+ }
+
+ if (none)
+ return;
+
+ printf("%s: ", name);
+
+ /* This can only be set by an unqualified network rule */
+ if (array[AF_UNSPEC]) {
+ printf("<all>\n");
+ return;
+ }
+
+ for (i = 0; i < af_max; i++) {
+ if (array[i]) {
+ const char *fam = network_families[i];
+ if (fam)
+ printf("%s ", fam);
+ else
+ printf("#%u ", i);
+
+ /* All types/protocols */
+ if (array[i] == 0xffffffff || array[i] == ALL_TYPES)
+ continue;
+
+ printf("{ ");
+
+ for (j = 0; j < count; j++) {
+ const char *type;
+ if (array[i] & (1 << j)) {
+ type = sock_types[j];
+ if (type)
+ printf("%s ", type);
+ else
+ printf("#%u ", j);
+ }
+ }
+ if (array[i] & mask)
+ printf("#%x ", array[i] & mask);
+
+ printf("} ");
+ }
+ }
+ printf("\n");
+}
--- /dev/null
+++ 2.9-test/parser/network.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2014
+ * Canonical, Ltd. (All rights reserved)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, contact Novell, Inc. or Canonical
+ * Ltd.
+ */
+
+#ifndef __AA_NETWORK_H
+#define __AA_NETWORK_H
+
+#include <fcntl.h>
+#include <netinet/in.h>
+#include <linux/socket.h>
+#include <linux/limits.h>
+#include <arpa/inet.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <libintl.h>
+
+#include "parser.h"
+#include "rule.h"
+#include "profile.h"
+
+/* supported AF protocols */
+struct aa_network_entry {
+ unsigned int family;
+ unsigned int type;
+ unsigned int protocol;
+
+ struct aa_network_entry *next;
+};
+
+extern struct aa_network_entry *new_network_ent(unsigned int family,
+ unsigned int type,
+ unsigned int protocol);
+extern struct aa_network_entry *network_entry(const char *family,
+ const char *type,
+ const char *protocol);
+extern size_t get_af_max(void);
+
+void __debug_network(unsigned int *array, const char *name);
+
+struct network {
+ unsigned int *allow; /* array of type masks
+ * indexed by AF_FAMILY */
+ unsigned int *audit;
+ unsigned int *deny;
+ unsigned int *quiet;
+
+ network(void) { allow = audit = deny = quiet = NULL; }
+
+ void dump(void) {
+ if (allow)
+ __debug_network(allow, "Network");
+ if (audit)
+ __debug_network(audit, "Audit Net");
+ if (deny)
+ __debug_network(deny, "Deny Net");
+ if (quiet)
+ __debug_network(quiet, "Quiet Net");
+ }
+};
+
+#endif /* __AA_NETWORK_H */
--- 2.9-test.orig/parser/parser.h
+++ 2.9-test/parser/parser.h
@@ -25,7 +25,6 @@
#include <endian.h>
#include <string.h>
-#include <netinet/in.h>
#include <sys/resource.h>
#include <libintl.h>
@@ -108,15 +107,6 @@
struct cod_entry *next;
};
-/* supported AF protocols */
-struct aa_network_entry {
- unsigned int family;
- unsigned int type;
- unsigned int protocol;
-
- struct aa_network_entry *next;
-};
-
struct aa_rlimits {
unsigned int specified; /* limits that are set */
rlim_t limits[RLIMIT_NLIMITS];
@@ -132,18 +122,6 @@
unsigned int hat_magic;
};
-/* describe an ip address */
-struct ipv4_desc {
- struct in_addr addr;
- unsigned long mask;
- unsigned short port[2];
-};
-
-struct ipv4_endpoints {
- struct ipv4_desc * src;
- struct ipv4_desc * dest;
-};
-
struct var_string {
char *prefix;
char *var;
@@ -391,20 +369,12 @@
extern int parse_mode(const char *mode);
extern int parse_X_mode(const char *X, int valid, const char *str_mode, int *mode, int fail);
extern struct cod_entry *new_entry(char *ns, char *id, int mode, char *link_id);
-extern struct aa_network_entry *new_network_ent(unsigned int family,
- unsigned int type,
- unsigned int protocol);
-extern struct aa_network_entry *network_entry(const char *family,
- const char *type,
- const char *protocol);
-extern size_t get_af_max(void);
/* returns -1 if value != true or false, otherwise 0 == false, 1 == true */
extern int str_to_boolean(const char* str);
extern struct cod_entry *copy_cod_entry(struct cod_entry *cod);
extern void free_cod_entries(struct cod_entry *list);
extern void __debug_capabilities(uint64_t capset, const char *name);
-void __debug_network(unsigned int *array, const char *name);
void debug_cod_entries(struct cod_entry *list);
--- 2.9-test.orig/parser/parser_misc.c
+++ 2.9-test/parser/parser_misc.c
@@ -26,10 +26,6 @@
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
-#include <netinet/in.h>
-#include <linux/socket.h>
-#include <linux/limits.h>
-#include <arpa/inet.h>
#include <linux/capability.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -229,221 +225,6 @@
return get_table_token("rlimit", rlimit_table, name);
}
-struct network_tuple {
- const char *family_name;
- unsigned int family;
- const char *type_name;
- unsigned int type;
- const char *protocol_name;
- unsigned int protocol;
-};
-
-/* FIXME: currently just treating as a bit mask this will have to change
- * set up a table of mappings, there can be several mappings for a
- * given match.
- * currently the mapping does not set the protocol for stream/dgram to
- * anything other than 0.
- * network inet tcp -> network inet stream 0 instead of
- * network inet raw tcp.
- * some entries are just provided for completeness at this time
- */
-/* values stolen from /etc/protocols - needs to change */
-#define RAW_TCP 6
-#define RAW_UDP 17
-#define RAW_ICMP 1
-#define RAW_ICMPv6 58
-
-/* used by af_name.h to auto generate table entries for "name", AF_NAME
- * pair */
-#define AA_GEN_NET_ENT(name, AF) \
- {name, AF, "stream", SOCK_STREAM, "", 0xffffff}, \
- {name, AF, "dgram", SOCK_DGRAM, "", 0xffffff}, \
- {name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, \
- {name, AF, "rdm", SOCK_RDM, "", 0xffffff}, \
- {name, AF, "raw", SOCK_RAW, "", 0xffffff}, \
- {name, AF, "packet", SOCK_PACKET, "", 0xffffff},
-/*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "", 0xfffffff}, */
-
-static struct network_tuple network_mappings[] = {
- /* basic types */
- #include "af_names.h"
-/* FIXME: af_names.h is missing AF_LLC, AF_TIPC */
- /* mapped types */
- {"inet", AF_INET, "raw", SOCK_RAW,
- "tcp", 1 << RAW_TCP},
- {"inet", AF_INET, "raw", SOCK_RAW,
- "udp", 1 << RAW_UDP},
- {"inet", AF_INET, "raw", SOCK_RAW,
- "icmp", 1 << RAW_ICMP},
- {"inet", AF_INET, "tcp", SOCK_STREAM,
- "", 0xffffffff}, /* should we give raw tcp too? */
- {"inet", AF_INET, "udp", SOCK_DGRAM,
- "", 0xffffffff}, /* should these be open masks? */
- {"inet", AF_INET, "icmp", SOCK_RAW,
- "", 1 << RAW_ICMP},
- {"inet6", AF_INET6, "tcp", SOCK_STREAM,
- "", 0xffffffff},
- {"inet6", AF_INET6, "udp", SOCK_DGRAM,
- "", 0xffffffff},
-/* what do we do with icmp on inet6?
- {"inet6", AF_INET, "icmp", SOCK_RAW, 0},
- {"inet6", AF_INET, "icmpv6", SOCK_RAW, 0},
-*/
- /* terminate */
- {NULL, 0, NULL, 0, NULL, 0}
-};
-
-/* The apparmor kernel patches up until 2.6.38 didn't handle networking
- * tables with sizes > AF_MAX correctly. This could happen when the
- * parser was built against newer kernel headers and then used to load
- * policy on an older kernel. This could happen during upgrades or
- * in multi-kernel boot systems.
- *
- * Try to detect the running kernel version and use that to determine
- * AF_MAX
- */
-#define PROC_VERSION "/proc/sys/kernel/osrelease"
-static size_t kernel_af_max(void) {
- char buffer[32];
- int major;
- int fd, res;
-
- if (!net_af_max_override) {
- return 0;
- }
- /* the override parameter is specifying the max value */
- if (net_af_max_override > 0)
- return net_af_max_override;
-
- fd = open(PROC_VERSION, O_RDONLY);
- if (!fd)
- /* fall back to default provided during build */
- return 0;
- res = read(fd, &buffer, sizeof(buffer) - 1);
- close(fd);
- if (res <= 0)
- return 0;
- buffer[res] = '\0';
- res = sscanf(buffer, "2.6.%d", &major);
- if (res != 1)
- return 0;
-
- switch(major) {
- case 24:
- case 25:
- case 26:
- return 34;
- case 27:
- return 35;
- case 28:
- case 29:
- case 30:
- return 36;
- case 31:
- case 32:
- case 33:
- case 34:
- case 35:
- return 37;
- case 36:
- case 37:
- return 38;
- /* kernels .38 and later should handle this correctly so no
- * static mapping needed
- */
- default:
- return 0;
- }
-}
-
-/* Yuck. We grab AF_* values to define above from linux/socket.h because
- * they are more accurate than sys/socket.h for what the kernel actually
- * supports. However, we can't just include linux/socket.h directly,
- * because the AF_* definitions are protected with an ifdef KERNEL
- * wrapper, but we don't want to define that because that can cause
- * other redefinitions from glibc. However, because the kernel may have
- * more definitions than glibc, we need make sure AF_MAX reflects this,
- * hence the wrapping function.
- */
-size_t get_af_max() {
- size_t af_max;
- /* HACK: declare that version without "create" had a static AF_MAX */
- if (!perms_create && !net_af_max_override)
- net_af_max_override = -1;
-
-#if AA_AF_MAX > AF_MAX
- af_max = AA_AF_MAX;
-#else
- af_max = AF_MAX;
-#endif
-
- /* HACK: some kernels didn't handle network tables from parsers
- * compiled against newer kernel headers as they are larger than
- * the running kernel expected. If net_override is defined check
- * to see if there is a static max specified for that kernel
- */
- if (net_af_max_override) {
- size_t max = kernel_af_max();
- if (max && max < af_max)
- return max;
- }
-
- return af_max;
-}
-struct aa_network_entry *new_network_ent(unsigned int family,
- unsigned int type,
- unsigned int protocol)
-{
- struct aa_network_entry *new_entry;
- new_entry = (struct aa_network_entry *) calloc(1, sizeof(struct aa_network_entry));
- if (new_entry) {
- new_entry->family = family;
- new_entry->type = type;
- new_entry->protocol = protocol;
- new_entry->next = NULL;
- }
- return new_entry;
-}
-
-struct aa_network_entry *network_entry(const char *family, const char *type,
- const char *protocol)
-{
- int i;
- struct aa_network_entry *new_entry, *entry = NULL;
-
- for (i = 0; network_mappings[i].family_name; i++) {
- if (family) {
- PDEBUG("Checking family %s\n", network_mappings[i].family_name);
- if (strcmp(family, network_mappings[i].family_name) != 0)
- continue;
- PDEBUG("Found family %s\n", family);
- }
- if (type) {
- PDEBUG("Checking type %s\n", network_mappings[i].type_name);
- if (strcmp(type, network_mappings[i].type_name) != 0)
- continue;
- PDEBUG("Found type %s\n", type);
- }
- if (protocol) {
- PDEBUG("Checking protocol type %s\n", network_mappings[i].protocol_name);
- if (strcmp(type, network_mappings[i].protocol_name) != 0)
- continue;
- /* fixme should we allow specifying protocol by #
- * without needing the protocol mapping? */
- }
- /* if here we have a match */
- new_entry = new_network_ent(network_mappings[i].family,
- network_mappings[i].type,
- network_mappings[i].protocol);
- if (!new_entry)
- yyerror(_("Memory allocation error."));
- new_entry->next = entry;
- entry = new_entry;
- }
-
- return entry;
-};
-
char *processunquoted(const char *string, int len)
{
char *buffer, *s;
@@ -1004,95 +785,6 @@
printf("\n");
}
-/* Bleah C++ doesn't have non-trivial designated initializers so we just
- * have to make sure these are in order. This means we are more brittle
- * but there isn't much we can do.
- */
-const char *sock_types[] = {
- "none", /* 0 */
- "stream", /* 1 [SOCK_STREAM] */
- "dgram", /* 2 [SOCK_DGRAM] */
- "raw", /* 3 [SOCK_RAW] */
- "rdm", /* 4 [SOCK_RDM] */
- "seqpacket", /* 5 [SOCK_SEQPACKET] */
- "dccp", /* 6 [SOCK_DCCP] */
- "invalid", /* 7 */
- "invalid", /* 8 */
- "invalid", /* 9 */
- "packet", /* 10 [SOCK_PACKET] */
- /*
- * See comment above
- */
-};
-#define ALL_TYPES 0x43e
-
-/* another case of C++ not supporting non-trivial designated initializers */
-#undef AA_GEN_NET_ENT
-#define AA_GEN_NET_ENT(name, AF) name, /* [AF] = name, */
-
-static const char *network_families[] = {
-#include "af_names.h"
-};
-
-void __debug_network(unsigned int *array, const char *name)
-{
- unsigned int count = sizeof(sock_types)/sizeof(sock_types[0]);
- unsigned int mask = ~((1 << count) -1);
- unsigned int i, j;
- int none = 1;
- size_t af_max = get_af_max();
-
- for (i = AF_UNSPEC; i < af_max; i++)
- if (array[i]) {
- none = 0;
- break;
- }
-
- if (none)
- return;
-
- printf("%s: ", name);
-
- /* This can only be set by an unqualified network rule */
- if (array[AF_UNSPEC]) {
- printf("<all>\n");
- return;
- }
-
- for (i = 0; i < af_max; i++) {
- if (array[i]) {
- const char *fam = network_families[i];
- if (fam)
- printf("%s ", fam);
- else
- printf("#%u ", i);
-
- /* All types/protocols */
- if (array[i] == 0xffffffff || array[i] == ALL_TYPES)
- continue;
-
- printf("{ ");
-
- for (j = 0; j < count; j++) {
- const char *type;
- if (array[i] & (1 << j)) {
- type = sock_types[j];
- if (type)
- printf("%s ", type);
- else
- printf("#%u ", j);
- }
- }
- if (array[i] & mask)
- printf("#%x ", array[i] & mask);
-
- printf("} ");
- }
- }
- printf("\n");
-}
-
-
struct value_list *new_value_list(char *value)
{
struct value_list *val = (struct value_list *) calloc(1, sizeof(struct value_list));
--- 2.9-test.orig/parser/profile.h
+++ 2.9-test/parser/profile.h
@@ -21,6 +21,7 @@
#include "parser.h"
#include "rule.h"
#include "libapparmor_re/aare_rules.h"
+#include "network.h"
class Profile;
@@ -101,27 +102,6 @@
};
};
-struct network {
- unsigned int *allow; /* array of type masks
- * indexed by AF_FAMILY */
- unsigned int *audit;
- unsigned int *deny;
- unsigned int *quiet;
-
- network(void) { allow = audit = deny = quiet = NULL; }
-
- void dump(void) {
- if (allow)
- __debug_network(allow, "Network");
- if (audit)
- __debug_network(audit, "Audit Net");
- if (deny)
- __debug_network(deny, "Deny Net");
- if (quiet)
- __debug_network(quiet, "Quiet Net");
- }
-};
-
struct dfa_stuff {
aare_rules *rules;
void *dfa;
@@ -231,6 +211,8 @@
hat_table.dump();
}
+ bool alloc_net_table();
+
std::string* get_name(bool fqp)
{
std::string *buf;
More information about the AppArmor
mailing list