[apparmor] [patch 12/12] map the net permission set into a form compatible with the old dfa table

Seth Arnold seth.arnold at canonical.com
Wed Aug 27 06:30:15 UTC 2014


On Mon, Aug 25, 2014 at 05:06:17PM -0700, john.johansen at canonical.com wrote:
> The old dfa table format has 2 64-bit permission fields used to store
> all of allow, quiet, audit, owner/!owner and transition mask. This leaves
> 7 bits for entry + a few other special bits.
> 
> Since policydb entries, when using the old style dfa permission format,
> don't support the !owner permission entries, we can map the
> high network permission bits to these entries.
> 
> This allows us to enforce base network permissions on systems with
> only support for the old dfa table format.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Sorry, I'm still not convinced with map_perms()... I did the math again
with the new values and it still looks like there's a collision.

> ---
>  parser/af_unix.cc |   30 +++++++++++++++++++-----------
>  1 file changed, 19 insertions(+), 11 deletions(-)
> 
> --- 2.9-test.orig/parser/af_unix.cc
> +++ 2.9-test/parser/af_unix.cc
> @@ -216,6 +216,14 @@
>  	}
>  }
>  
> +static uint32_t map_perms(uint32_t mask)
> +{
> +	return (mask & 0x7f) |
> +		((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT - 8)) |
> +		((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) | /* 2 + (AA_OTHER_SHIFT - 20) */
> +		((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */
> +}
> +

Bits 0-7 inclusive stay put
Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR
Bits 20-23 inclusive move -4 to 16-19 ACCEPT | BIND | LISTEN
Bits 24-25 inclusive move -5 to 19-20 SETOPT | GETOPT

Is this correct? It looks like AA_NET_LISTEN overlaps with AA_NET_GETOPT.


Thanks


>  int unix_rule::gen_policy_re(Profile &prof)
>  {
>  	std::ostringstream buffer, tmp;
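Review bot: the two right shifts in map_perms() differ by exactly one (`>> 4` for ACCEPT | BIND | LISTEN, `>> 5` for SETOPT | GETOPT), so if the highest bit of the first group sits directly below the lowest bit of the second group, both land on the same destination bit, which is the overlap Seth computes at bit 19 above. Suggest deriving the shift amounts from the flag definitions instead of the literals 4 and 5, and adding a compile-time check that the mapped groups are pairwise disjoint, e.g. `static_assert((((AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN) >> 4) & ((AA_NET_SETOPT | AA_NET_GETOPT) >> 5)) == 0, "net perm bits collide")`, so a later change to the bit layout breaks the build rather than silently merging two permissions. Also, `mask & 0x7f` keeps only bits 0-6, so any net bit outside the three mapped groups is dropped; a comment stating which bits are intentionally discarded would make that explicit.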
> @@ -258,8 +266,8 @@
>  	if (mask & AA_NET_CREATE) {
>  		buf = buffer.str();
>  		if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> -						 AA_NET_CREATE,
> -						 audit & AA_NET_CREATE,
> +						 map_perms(AA_NET_CREATE),
> +						 map_perms(audit & AA_NET_CREATE),
>  						 dfaflags))
>  			goto fail;
>  		mask &= ~AA_NET_CREATE;
> @@ -300,8 +308,8 @@
>  		if (mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD) {
>  			buf = buffer.str();
>  			if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> -							 mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD,
> -							 audit & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD,
> +							 map_perms(mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
> +							 map_perms(audit & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
>  							 dfaflags))
>  				goto fail;
>  		}
> @@ -312,8 +320,8 @@
>  			tmp << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_ACCEPT;
>  			buf = tmp.str();
>  			if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> -							 AA_NET_ACCEPT,
> -							 audit & AA_NET_ACCEPT,
> +							 map_perms(AA_NET_ACCEPT),
> +							 map_perms(audit & AA_NET_ACCEPT),
>  							 dfaflags))
>  				goto fail;
>  		}
> @@ -324,8 +332,8 @@
>  			tmp << "..";
>  			buf = tmp.str();
>  			if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> -							 AA_NET_LISTEN,
> -							 audit & AA_NET_LISTEN,
> +							 map_perms(AA_NET_LISTEN),
> +							 map_perms(audit & AA_NET_LISTEN),
>  							 dfaflags))
>  				goto fail;
>  		}
> @@ -336,8 +344,8 @@
>  			tmp << "..";
>  			buf = tmp.str();
>  			if (!prof.policy.rules->add_rule(buf.c_str(), deny,
> -							 AA_NET_OPT,
> -							 audit & AA_NET_OPT,
> +							 map_perms(AA_NET_OPT),
> +							 map_perms(audit & AA_NET_OPT),
>  							 dfaflags))
>  				goto fail;
>  		}
> @@ -375,7 +383,7 @@
>  		}
>  
>  		buf = buffer.str();
> -		if (!prof.policy.rules->add_rule(buf.c_str(), deny, mode & AA_PEER_NET_PERMS, audit, dfaflags))
> +		if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(mode & AA_PEER_NET_PERMS), map_perms(audit), dfaflags))
>  			goto fail;
>  	}
>  
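Review bot: the allow argument is restricted with `mode & AA_PEER_NET_PERMS` but the audit argument is passed as `map_perms(audit)` unrestricted, whereas every other hunk masks audit with the same permission set as the allow argument (e.g. `map_perms(audit & AA_NET_CREATE)`). Unless the caller guarantees audit is already limited to peer permissions, use `map_perms(audit & AA_PEER_NET_PERMS)` here for consistency.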
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 
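A check for the overlap Seth describes, added here as an example and not part of the patch or the AppArmor parser: it copies map_perms() from the hunk, assigns hypothetical bit positions to the net flags (chosen only to match the bit ranges in Seth's arithmetic; the real parser constants are not on this page, and AA_OTHER_SHIFT = 14 is inferred from "(14 - 8) = 6"), then walks every single source bit through the mapping and reports the first destination bit that two permissions share.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bit positions, NOT the real AppArmor parser constants; they
 * only reproduce the bit ranges used in Seth's arithmetic above. */
#define AA_OTHER_SHIFT  14          /* implied by "move (14 - 8) = 6" */
#define AA_NET_GETATTR  (1u << 8)
#define AA_NET_SETATTR  (1u << 9)
#define AA_NET_ACCEPT   (1u << 20)
#define AA_NET_BIND     (1u << 21)
#define AA_NET_LISTEN   (1u << 23)
#define AA_NET_GETOPT   (1u << 24)
#define AA_NET_SETOPT   (1u << 25)

/* The mapping exactly as written in the patch hunk. */
static uint32_t map_perms(uint32_t mask)
{
	return (mask & 0x7f) |
		((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT - 8)) |
		((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) |
		((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5);
}

/* Map each single source bit and remember where it lands. Returns the first
 * destination bit reached by two different source bits, or -1 if the mapping
 * is injective on the given bits (no collision). */
static int first_collision(const uint32_t *src, size_t n)
{
	uint32_t seen = 0;
	for (size_t i = 0; i < n; i++) {
		uint32_t dst = map_perms(src[i]);
		for (int b = 0; b < 32; b++)
			if ((dst & seen) & (1u << b))
				return b;
		seen |= dst;
	}
	return -1;
}

static const uint32_t net_bits[] = {
	AA_NET_GETATTR, AA_NET_SETATTR, AA_NET_ACCEPT, AA_NET_BIND,
	AA_NET_LISTEN, AA_NET_GETOPT, AA_NET_SETOPT,
};

int main(void)
{
	int b = first_collision(net_bits, sizeof net_bits / sizeof net_bits[0]);
	if (b >= 0)
		printf("collision: two net permissions map to bit %d\n", b);
	else
		printf("map_perms is injective on the given bits\n");
	return b >= 0;
}
```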