[apparmor] [patch 05/12] Make the af type protocol mappings available for use
John Johansen
john.johansen at canonical.com
Mon Aug 25 21:31:26 UTC 2014
On 08/25/2014 01:42 PM, Steve Beattie wrote:
> On Mon, Aug 25, 2014 at 12:47:26PM -0700, John Johansen wrote:
>> This is a fix for [patch 05/12] Make the af type protocol mappings available for use
>>
>> before the af type protocol mappings patch was applied, a single rule could
>> result in multiple rule entries being created. The af type protocol mappings
>> patch broke this by applying only the first of the mappings that could be
>> found.
>>
>> Restore the previous behavior by searching through the entire table until
>> all matches have been made.
>
> NACK.
>
And the revised version
---
=== modified file 'parser/network.c'
--- parser/network.c 2014-08-24 07:00:28 +0000
+++ parser/network.c 2014-08-25 21:22:41 +0000
@@ -249,22 +249,27 @@
}
-const struct network_tuple *net_find_mapping(const char *family,
+const struct network_tuple *net_find_mapping(const struct network_tuple *map,
+ const char *family,
const char *type,
const char *protocol)
{
- int i;
+ if (!map)
+ map = network_mappings;
+ else
+ /* assumes it points to last entry returned */
+ map++;
- for (i = 0; network_mappings[i].family_name; i++) {
+ for (; map->family_name; map++) {
if (family) {
- PDEBUG("Checking family %s\n", network_mappings[i].family_name);
- if (strcmp(family, network_mappings[i].family_name) != 0)
+ PDEBUG("Checking family %s\n", map->family_name);
+ if (strcmp(family, map->family_name) != 0)
continue;
PDEBUG("Found family %s\n", family);
}
if (type) {
- PDEBUG("Checking type %s\n", network_mappings[i].type_name);
- if (strcmp(type, network_mappings[i].type_name) != 0)
+ PDEBUG("Checking type %s\n", map->type_name);
+ if (strcmp(type, map->type_name) != 0)
continue;
PDEBUG("Found type %s\n", type);
}
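Review bot: The resume path `else /* assumes it points to last entry returned */ map++;` has no way to tell a pointer previously returned by this function from any other non-NULL pointer, so a caller that passes a stale or hand-advanced pointer walks past the table's `family_name` sentinel with no check; the table is only visible here as `network_mappings`, so a bounds check is not possible from this hunk alone and the precondition has to be carried by the contract instead. Brace the branch and state that precondition where it is enforced: `} else { /* map must be the pointer returned by the previous call; resume just past it */ map++; }`. The loop is otherwise a straight rename of the indexed form and keeps the same matching order. net_find_mapping's body continues past this hunk into the following ones.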
@@ -272,12 +277,12 @@
/* allows the proto to be the "type", ie. tcp implies
* stream */
if (!type) {
- PDEBUG("Checking protocol type %s\n", network_mappings[i].type_name);
- if (strcmp(protocol, network_mappings[i].type_name) == 0)
+ PDEBUG("Checking protocol type %s\n", map->type_name);
+ if (strcmp(protocol, map->type_name) == 0)
goto match;
}
- PDEBUG("Checking type %s protocol %s\n", network_mappings[i].type_name, network_mappings[i].protocol_name);
- if (strcmp(protocol, network_mappings[i].protocol_name) != 0)
+ PDEBUG("Checking type %s protocol %s\n", map->type_name, map->protocol_name);
+ if (strcmp(protocol, map->protocol_name) != 0)
continue;
/* fixme should we allow specifying protocol by #
* without needing the protocol mapping? */
@@ -285,7 +290,7 @@
/* if we get this far we have a match */
match:
- return &network_mappings[i];
+ return map;
}
return NULL;
@@ -295,9 +300,9 @@
const char *protocol)
{
struct aa_network_entry *new_entry, *entry = NULL;
- const struct network_tuple *mapping = net_find_mapping(family, type, protocol);
+ const struct network_tuple *mapping = NULL;
- if (mapping) {
+ while ((mapping = net_find_mapping(mapping, family, type, protocol))) {
new_entry = new_network_ent(mapping->family, mapping->type,
mapping->protocol);
if (!new_entry)
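Review bot: The allocation-failure check `if (!new_entry)` now fires from inside the `while` loop, so when it runs one or more entries created on earlier iterations may already be chained onto `entry`, whereas the replaced single-shot `if (mapping)` form had nothing outstanding at that point. The handling of that branch continues outside the hunk; whatever it does should release the partially built list before returning, otherwise each multi-mapping rule that hits an allocation failure leaks the entries made so far. It is also worth confirming that the caller still treats "no mapping matched at all" (the loop body never running, `entry` left NULL) the same way the previous `if (mapping)` / else path did, since that outcome is now implicit.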
=== modified file 'parser/network.h'
--- parser/network.h 2014-08-24 07:00:28 +0000
+++ parser/network.h 2014-08-25 21:05:41 +0000
@@ -88,7 +88,8 @@
const char *net_find_type_name(int type);
int net_find_af_val(const char *af);
const char *net_find_af_name(unsigned int af);
-const struct network_tuple *net_find_mapping(const char *family,
+const struct network_tuple *net_find_mapping(const struct network_tuple *map,
+ const char *family,
const char *type,
const char *protocol);
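Review bot: The prototype gains a leading `map` parameter that turns net_find_mapping into a resumable search, but the header says nothing about what may be passed in it, and a caller that passes anything other than NULL or the last returned pointer reads beyond the mapping table. Add a comment above the declaration, e.g. `/* Return the next network_mappings entry matching family/type/protocol (family and type may be NULL to match any). Start with map == NULL; to continue, pass the pointer returned by the previous call. Returns NULL when no further entry matches. */`. Whether `protocol` may also be NULL is decided by code outside the visible hunks, so only document it if the definition allows it.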