[apparmor] [patch 05/12] Make the af type protocol mappings available for use

Steve Beattie steve at nxnw.org
Mon Aug 25 22:08:58 UTC 2014


On Mon, Aug 25, 2014 at 02:31:26PM -0700, John Johansen wrote:
> On 08/25/2014 01:42 PM, Steve Beattie wrote:
> > On Mon, Aug 25, 2014 at 12:47:26PM -0700, John Johansen wrote:
> >> This is a fix for [patch 05/12] Make the af type protocol mappings available for use
> >>
> >> before the af type protocol mappings patch was applied, a single rule could
> >> result in multiple rule entries being created. The af type protocol mappings
> >> patch broke this by applying only the first of the mappings that could be
> >> found.
> >>
> >> Restore the previous behavior by searching through the entire table until
> >> all matches have been made.
> > 
> > NACK.
> > 
> 
> And the revised version

This looks good to me: Acked-by: Steve Beattie <steve at nxnw.org>

> === modified file 'parser/network.c'
> --- parser/network.c	2014-08-24 07:00:28 +0000
> +++ parser/network.c	2014-08-25 21:22:41 +0000
> @@ -249,22 +249,27 @@
>  }
>  
>  
> -const struct network_tuple *net_find_mapping(const char *family,
> +const struct network_tuple *net_find_mapping(const struct network_tuple *map,
> +					     const char *family,
>  					     const char *type,
>  					     const char *protocol)
>  {
> -	int i;
> +	if (!map)
> +		map = network_mappings;
> +	else
> +		/* assumes it points to last entry returned */
> +		map++;
>  
> -	for (i = 0; network_mappings[i].family_name; i++) {
> +	for (; map->family_name; map++) {
>  		if (family) {
> -			PDEBUG("Checking family %s\n", network_mappings[i].family_name);
> -			if (strcmp(family, network_mappings[i].family_name) != 0)
> +			PDEBUG("Checking family %s\n", map->family_name);
> +			if (strcmp(family, map->family_name) != 0)
>  				continue;
>  			PDEBUG("Found family %s\n", family);
>  		}
>  		if (type) {
> -			PDEBUG("Checking type %s\n", network_mappings[i].type_name);
> -			if (strcmp(type, network_mappings[i].type_name) != 0)
> +			PDEBUG("Checking type %s\n", map->type_name);
> +			if (strcmp(type, map->type_name) != 0)
>  				continue;
>  			PDEBUG("Found type %s\n", type);
>  		}
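Review bot: The resume contract of net_find_mapping() — pass NULL to start, or the pointer returned by the previous call to continue — is stated only by the inline comment above `map++`, and nothing in the function can detect a caller that passes a pointer from outside network_mappings or the table's terminating entry, from which `map++` would step past the end of the table. Since the function cannot validate this itself, the contract belongs on the prototype in network.h (the `@@ -88,7 +88,8 @@` hunk): a comment stating that `map == NULL` starts a search, that any other value must be the entry returned by the previous call, and that NULL is returned once no further entry matches family/type/protocol. The body of net_find_mapping continues past the end of this hunk.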
> @@ -272,12 +277,12 @@
>  			/* allows the proto to be the "type", ie. tcp implies
>  			 * stream */
>  			if (!type) {
> -				PDEBUG("Checking protocol type %s\n", network_mappings[i].type_name);
> -				if (strcmp(protocol, network_mappings[i].type_name) == 0)
> +				PDEBUG("Checking protocol type %s\n", map->type_name);
> +				if (strcmp(protocol, map->type_name) == 0)
>  					goto match;
>  			}
> -			PDEBUG("Checking type %s protocol %s\n", network_mappings[i].type_name, network_mappings[i].protocol_name);
> -			if (strcmp(protocol, network_mappings[i].protocol_name) != 0)
> +			PDEBUG("Checking type %s protocol %s\n", map->type_name, map->protocol_name);
> +			if (strcmp(protocol, map->protocol_name) != 0)
>  				continue;
>  			/* fixme should we allow specifying protocol by #
>  			 * without needing the protocol mapping? */
> @@ -285,7 +290,7 @@
>  
>  		/* if we get this far we have a match */
>  	match:
> -		return &network_mappings[i];
> +		return map;
>  	}
>  
>  	return NULL;
> @@ -295,9 +300,9 @@
>  				       const char *protocol)
>  {
>  	struct aa_network_entry *new_entry, *entry = NULL;
> -	const struct network_tuple *mapping = net_find_mapping(family, type, protocol);
> +	const struct network_tuple *mapping = NULL;
>  
> -	if (mapping) {
> +	while ((mapping = net_find_mapping(mapping, family, type, protocol))) {
>  		new_entry = new_network_ent(mapping->family, mapping->type,
>  					    mapping->protocol);
>  		if (!new_entry)
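Review bot: With the `while` loop, new_network_ent() can now fail after earlier iterations have already produced entries, and the failure path starting at `if (!new_entry)` lies outside the hunk, so it is worth confirming that it releases everything already chained into `entry` rather than only the current allocation. Before this change at most one mapping was processed, so the existing cleanup may never have had a partial list to free. The enclosing function's signature and the remainder of its body are outside this hunk.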
> 
> === modified file 'parser/network.h'
> --- parser/network.h	2014-08-24 07:00:28 +0000
> +++ parser/network.h	2014-08-25 21:05:41 +0000
> @@ -88,7 +88,8 @@
>  const char *net_find_type_name(int type);
>  int net_find_af_val(const char *af);
>  const char *net_find_af_name(unsigned int af);
> -const struct network_tuple *net_find_mapping(const char *family,
> +const struct network_tuple *net_find_mapping(const struct network_tuple *map,
> +					     const char *family,
>  					     const char *type,
>  					     const char *protocol);
>  
> 
> 

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/

