[apparmor] [PATCH] parser: Fix AF_UNIX stub rule creation
John Johansen
john.johansen at canonical.com
Tue Aug 26 12:55:16 UTC 2014
On 08/26/2014 02:46 AM, Tyler Hicks wrote:
> The patch titled "parser: Add support for unix domain socket rules."
> modified the code that creates the stub rules for rule types that the
> parser supports.
>
> It added new stub rules for extended network and AF_UNIX rule types but
> it also changed the stub rules for all existing rule types. That change
> causes the kernel to not enforce some rule types.
>
> This patch fixes the stub rule creation so that existing rule types
> continue to be enforced, as well as AF_UNIX rule types when the parser
> and kernel both support them.
>
> Here's the DFA states generated before applying the patch mentioned
> above:
>
> $ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
> {1} <== (allow/deny/audit/quiet)
> {3} (0x 10004/0/0/0)
>
> {1} -> {2}: 0x2f /
> {2} -> {3}: 0x66 f
>
> {1} <== (allow/deny/audit/quiet)
> {2} (0x 4/0/0/0)
>
> {1} -> {2}: 0x2
> {1} -> {2}: 0x7
> {1} -> {2}: 0x9
> {1} -> {2}: 0xa
> {1} -> {2}: 0x20 \
>
> Here are the DFA states generated after applying the patch mentioned
> above:
>
> $ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
> {1} <== (allow/deny/audit/quiet)
> {3} (0x 10004/0/0/0)
>
> {1} -> {2}: 0x2f /
> {2} -> {3}: 0x66 f
>
> {1} <== (allow/deny/audit/quiet)
> {4} (0x 4/0/0/0)
>
> {1} -> {2}: 0x0
> {1} -> {3}: 0x34 4
> {2} -> {4}: 0x2
> {2} -> {4}: 0x4
> {2} -> {4}: 0x7
> {2} -> {4}: 0x9
> {2} -> {4}: 0xa
> {2} -> {4}: 0x20 \
> {3} -> {4}: 0x31 1
>
> Here are DFA states generated after applying this patch:
>
> $ echo "/t { /f r, }" | ./apparmor_parser -qQD dfa-states
> {1} <== (allow/deny/audit/quiet)
> {3} (0x 10004/0/0/0)
>
> {1} -> {2}: 0x2f /
> {2} -> {3}: 0x66 f
>
> {1} <== (allow/deny/audit/quiet)
> {2} (0x 4/0/0/0)
>
> {1} -> {2}: 0x2
> {1} -> {2}: 0x4
> {1} -> {2}: 0x7
> {1} -> {2}: 0x9
> {1} -> {2}: 0xa
> {1} -> {2}: 0x20 \
> {1} -> {3}: 0x34 4
> {3} -> {4}: 0x0
> {4} -> {2}: 0x31 1
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Looks good, thanks Tyler
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
>
> Note that I mostly guessed at the magic byte sequence to use for
> CLASS_SUB_STR(). I'm expecting John to verify its correctness. I have verified
> that the AF_UNIX mediation kernel code correctly detects the presence of the
> stub rule and enforces AF_UNIX mediation appropriately.
>
> parser/parser_regex.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index b0735bc..77ed6c9 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -665,9 +665,10 @@ int post_process_policydb_ents(Profile *prof)
> return TRUE;
> }
>
> -#define MAKE_STR(A) #A
> -#define CLASS_STR(X) "\\000\\d" MAKE_STR(X)
> -#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_STR(Y)
> +#define MAKE_STR(X) #X
> +#define CLASS_STR(X) "\\d" MAKE_STR(X)
> +#define MAKE_SUB_STR(X) "\\000" MAKE_STR(X)
> +#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_SUB_STR(Y)
>
> static const char *mediates_file = CLASS_STR(AA_CLASS_FILE);
> static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
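Review bot: CLASS_SUB_STR(X, Y) encodes its class number differently from CLASS_STR(X), and the cover note says the byte sequence was guessed, so the ack should confirm this is the form the kernel looks for. CLASS_STR(X) wraps the number in a `\d` decimal escape, so CLASS_STR(AA_CLASS_FILE) matches the single byte 0x02 (the `{1} -> {2}: 0x2` transition in the dumps), whereas CLASS_SUB_STR(X, Y) expands to `MAKE_STR(X) "\\000" MAKE_STR(Y)` and therefore emits X and Y as literal ASCII digits; that is why the post-patch dump shows `0x34 4` and `0x31 1` around the `0x0` rather than 0x04 and 0x01. If the kernel-side check expects the class byte rather than its decimal text, the consistent form would be `#define MAKE_SUB_STR(X) "\\000\\d" MAKE_STR(X)` together with `#define CLASS_SUB_STR(X, Y) CLASS_STR(X) MAKE_SUB_STR(Y)`; if it expects the literal "4\0001" string, a one-line comment above the macros saying so would save the next reader the same guess. The `MAKE_STR(A)` to `MAKE_STR(X)` rename is cosmetic and unrelated to the fix.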
>
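Added example, not AppArmor project code: a small decoder that turns the stub-rule strings produced by the patched and unpatched macros into the byte sequence the parser's regex engine would match, so they can be checked against the three dfa-states dumps above. The post-patch macros are copied from the hunk; the pre-patch ones are the hunk's removed lines renamed with an OLD_ prefix so both can coexist. The escape handling (`\d` followed by decimal digits, a backslash followed by up to three octal digits) is an assumption modelled on the two escape forms that appear in the hunk, not the parser's full regex grammar, and the class numbers AA_CLASS_FILE = 2, AA_CLASS_NET = 4 and AF_UNIX = 1 are assumed from the transitions shown in the dumps.

```c
#include <stdio.h>
#include <stddef.h>

/* Post-patch macros, as in the hunk. */
#define MAKE_STR(X) #X
#define CLASS_STR(X) "\\d" MAKE_STR(X)
#define MAKE_SUB_STR(X) "\\000" MAKE_STR(X)
#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_SUB_STR(Y)

/* Pre-patch definitions from the hunk's removed lines, renamed. */
#define OLD_CLASS_STR(X) "\\000\\d" MAKE_STR(X)
#define OLD_CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_STR(Y)

/* Assumed class numbers, inferred from the dfa-states transitions. */
#define AA_CLASS_FILE 2
#define AA_CLASS_NET 4
#define AF_UNIX 1

/* Decode a stub string into the bytes the regex would match.
 * Handles "\dNNN" (decimal byte) and "\NNN" (up to three octal digits);
 * any other escape is rejected. Returns the byte count or -1 on error. */
int decode_stub(const char *s, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    while (*s) {
        if (n >= outlen)
            return -1;
        if (*s != '\\') {
            out[n++] = (unsigned char)*s++;   /* literal character */
            continue;
        }
        s++;
        if (*s == 'd') {                      /* \d<decimal> */
            unsigned v = 0;
            s++;
            if (*s < '0' || *s > '9')
                return -1;
            while (*s >= '0' && *s <= '9')
                v = v * 10 + (unsigned)(*s++ - '0');
            if (v > 255)
                return -1;
            out[n++] = (unsigned char)v;
        } else if (*s >= '0' && *s <= '7') {  /* \<octal>, at most 3 digits */
            unsigned v = 0;
            int k = 0;
            while (k < 3 && *s >= '0' && *s <= '7') {
                v = v * 8 + (unsigned)(*s++ - '0');
                k++;
            }
            if (v > 255)
                return -1;
            out[n++] = (unsigned char)v;
        } else {
            return -1;                        /* escape form not used by stubs */
        }
    }
    return (int)n;
}

/* Return 1 if stub string s decodes to exactly the expected bytes. */
int stub_decodes_to(const char *s, const unsigned char *expect, size_t len)
{
    unsigned char buf[16];
    int n = decode_stub(s, buf, sizeof buf);
    if (n < 0 || (size_t)n != len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] != expect[i])
            return 0;
    return 1;
}

int main(void)
{
    const char *names[] = {
        "CLASS_STR(AA_CLASS_FILE)", "OLD_CLASS_STR(AA_CLASS_FILE)",
        "CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX)", "OLD_CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX)",
    };
    const char *stubs[] = {
        CLASS_STR(AA_CLASS_FILE), OLD_CLASS_STR(AA_CLASS_FILE),
        CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX), OLD_CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX),
    };
    for (size_t i = 0; i < sizeof stubs / sizeof stubs[0]; i++) {
        unsigned char buf[16];
        int n = decode_stub(stubs[i], buf, sizeof buf);
        printf("%-42s ->", names[i]);
        for (int j = 0; j < n; j++)
            printf(" 0x%02x", buf[j]);
        printf("\n");
    }
    return 0;
}
```

The patched CLASS_STR(AA_CLASS_FILE) decodes to the single byte 0x02, matching the `{1} -> {2}: 0x2` transition of the first and third dumps, while the pre-patch form decodes to 0x00 0x02, the extra leading `0x0` state that the second dump shows and that the commit message blames for the lost enforcement. CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX) decodes to 0x34 0x00 0x31, the `4`, `0x0`, `1` path of the third dump, which shows that the sub-class stub carries its numbers as ASCII digits rather than as `\d`-escaped bytes.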